I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)".
What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option, kinit already opportunistically uses SPAKE:
$ kinit
[..]
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional pre-authentication required
[1503880] 1639651033.064874: Preauthenticating using KDC method data
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064876: Selected etype info: etype aes256-cts, salt "xxx", params ""
[1503880] 1639651033.064877: Received cookie: xxx
[1503880] 1639651033.064878: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064879: Preauth module pkinit (147) (info) returned: 0/Success
[1503880] 1639651033.064880: PKINIT client received freshness token from KDC
[1503880] 1639651033.064881: Preauth module pkinit (150) (info) returned: 0/Success
[1503880] 1639651033.064882: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
Password for user@IPA.EXAMPLE.QQ': ^C
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned: -1765328252/Password read interrupted
kinit: Password read interrupted while getting initial credentials
So far so good.
The client can be forced to do so by setting 'disable_encrypted_timestamp = true' for the realm in krb5.conf. But krb5.conf(5) remarks, "This flag does not prevent the KDC from offering encrypted timestamp."
It seems like the 'ipa user-mod --auth-user-type=hardened' might be a way to enforce the use of SPAKE/FAST on the server side, but once that is set on a user, the client doesn't seem to use SPAKE, it just gives up:
$ kinit
[...]
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional pre-authentication required
[1504024] 1639651111.830021: Preauthenticating using KDC method data
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830023: Received cookie: xxx
[1504024] 1639651111.830024: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 0/Success
[1504024] 1639651111.830026: PKINIT client received freshness token from KDC
[1504024] 1639651111.830027: Preauth module pkinit (150) (info) returned: 0/Success
[1504024] 1639651111.830028: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
The 'hardened' option also seems to break FAST:
$ kinit -c /tmp/blah -n && kinit -T /tmp/blah
[...]
[1504775] 1639652353.929814: Using FAST due to armor ccache negotiation result
[1504775] 1639652353.929815: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ using ccache FILE:/tmp/blah
[1504775] 1639652353.929816: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ from FILE:/tmp/blah with result: 0/Success
[1504775] 1639652353.929817: Armor ccache sesion key: aes256-cts/0286
[1504775] 1639652353.929819: Creating authenticator for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ , seqnum 0, subkey aes256-cts/12F1, session key aes256-cts/0286
[1504775] 1639652353.929821: FAST armor key: aes256-cts/0BB2
[1504775] 1639652353.929823: Sending unauthenticated request
[1504775] 1639652353.929824: Encoding request body and padata into FAST request
[...]
[1504775] 1639652353.929829: Received error from KDC: -1765328359/Additional pre-authentication required
[1504775] 1639652353.929830: Decoding FAST response
[1504775] 1639652353.929833: Preauthenticating using KDC method data
[1504775] 1639652353.929834: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[1504775] 1639652353.929835: Received cookie: MIT
[1504775] 1639652353.929836: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929837: Preauth module pkinit (147) (info) returned: 0/Success
[1504775] 1639652353.929838: PKINIT client received freshness token from KDC
[1504775] 1639652353.929839: Preauth module pkinit (150) (info) returned: 0/Success
[1504775] 1639652353.929840: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929841: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
Documentation for the meaning of the hardened setting is a bit thin... can anyone fill me in?
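Added example, not from this thread and not FreeIPA or MIT krb5 code: a small Python checker that reads KRB5_TRACE lines of the shape posted above and reports which preauth types the KDC offered, whether a password-based method (SPAKE or encrypted timestamp) was among them, and which "real" preauth modules failed or succeeded. The two embedded traces are constructed from the posted output (pids, timestamps and key material are placeholders); the second reproduces the hardened case, where the offered list contains no password-based type at all, so PKINIT is the only "real" module left and kinit ends with "Invalid argument". The line format and the split between "(info)" and "(real)" module results are taken from the traces as posted; nothing else about the KDC is assumed.

```python
import re

# Constructed sample lines in the shape of the KRB5_TRACE output posted in the
# thread; pids, timestamps and key material are made-up placeholders.
# Case 1: a KDC that offers SPAKE and encrypted timestamp, and a client that
# completes SPAKE (the first trace above, minus the interrupted prompt).
TRACE_SPAKE = """\
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional pre-authentication required
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064879: Preauth module pkinit (147) (info) returned: 0/Success
[1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned: 22/Invalid argument
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned: 0/Success
"""

# Case 2: the KDC response seen after --auth-user-type=hardened: no
# password-based preauth type is offered, so the client has nothing to try.
TRACE_HARDENED = """\
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional pre-authentication required
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 0/Success
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
"""

TRACE_LINE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")
OFFERED = re.compile(r"Processing preauth types:\s*(.*)$")
PA_ENTRY = re.compile(r"([A-Z][A-Z0-9_-]*)\s*\((\d+)\)")
MODULE_RESULT = re.compile(
    r"Preauth module (\w+) \((\d+)\) \((real|info)\) returned: (-?\d+)/(.*)$"
)

# Preauth types that prove possession of the user's password.
PASSWORD_BASED = {"PA-SPAKE", "PA-ENC-TIMESTAMP"}


def parse_trace(text):
    """Keep only '[pid] timestamp: message' lines; prompts and kinit's
    final error line are not trace entries and are skipped."""
    entries = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), float(m.group(2)), m.group(3)))
    return entries


def offered_preauth(entries):
    """Map padata name -> number from the last 'Processing preauth types' line."""
    offered = {}
    for _, _, msg in entries:
        m = OFFERED.search(msg)
        if m:
            offered = {name: int(num) for name, num in PA_ENTRY.findall(m.group(1))}
    return offered


def real_results(entries):
    """(module, padata number, return code) for each '(real)' preauth attempt,
    in order. '(info)' results only consume KDC hints and never authenticate."""
    results = []
    for _, _, msg in entries:
        m = MODULE_RESULT.search(msg)
        if m and m.group(3) == "real":
            results.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return results


def assess(text):
    """Summarise one kinit attempt from its trace text."""
    entries = parse_trace(text)
    offered = offered_preauth(entries)
    results = real_results(entries)
    succeeded = [mod for mod, _, code in results if code == 0]
    return {
        "kdc_offers_spake": "PA-SPAKE" in offered,
        "kdc_offers_enc_timestamp": "PA-ENC-TIMESTAMP" in offered,
        # True when the KDC left the client no password-based method at all
        "no_password_method": not (PASSWORD_BASED & set(offered)),
        "succeeded_module": succeeded[-1] if succeeded else None,
        "failed_attempts": [(mod, num, code) for mod, num, code in results if code != 0],
    }


if __name__ == "__main__":
    for label, trace in (("opportunistic SPAKE", TRACE_SPAKE), ("hardened user", TRACE_HARDENED)):
        print(label, assess(trace))
```

Run against a real trace with `KRB5_TRACE=/tmp/kinit.trace kinit user` and `assess(open("/tmp/kinit.trace").read())`; "kdc_offers_enc_timestamp" is the quick way to confirm the krb5.conf(5) caveat that disable_encrypted_timestamp only changes what the client will use, not what the KDC advertises.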
On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)".
> What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option, kinit already opportunistically uses SPAKE:
Have you read https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html and https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.... ?
They need a bit of an update to cover the existence of the pam_sss_gss.so module, but they give most of the details we have so far.
> Documentation for the meaning of the hardened setting is a bit thin... can anyone fill me in?
It should mostly be used as an indicator that something better than timestamp encryption was used. The idea is not to enforce it on a user principal but rather to allow applications like pam_sss_gss.so to detect that a hardened or pkinit preauthentication mechanism was in use when deciding whether this ticket is 'good enough'.
We need to improve around this area, of course.
On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote:
> On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> > I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)".
> > What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option, kinit already opportunistically uses SPAKE:
> Have you read https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html and https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.... ?
> They need a bit of an update to cover the existence of the pam_sss_gss.so module, but they give most of the details we have so far.
As I understand it this allows tickets with the hardened indicator to have a longer lifetime, and for services to be configured to require the presence of an indicator in the service ticket presented by the user.
And as you say the pam_sss_gss module can also be configured to require the presence of an indicator before it'll accept the user's ticket.
But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...
On Thu, 16 Dec 2021, Sam Morris wrote:
> On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote:
> > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> > > I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was. In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)".
> > > What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option, kinit already opportunistically uses SPAKE:
> > Have you read https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html and https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.... ?
> > They need a bit of an update to cover the existence of the pam_sss_gss.so module, but they give most of the details we have so far.
> As I understand it this allows tickets with the hardened indicator to have a longer lifetime, and for services to be configured to require the presence of an indicator in the service ticket presented by the user.
> And as you say the pam_sss_gss module can also be configured to require the presence of an indicator before it'll accept the user's ticket.
> But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...
For hardened, I think I found an issue. I need to test that but have no time right now. Can you file an upstream ticket, please?
On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote:
> On Thu, 16 Dec 2021, Sam Morris wrote:
> > But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...
> For hardened, I think I found an issue. I need to test that but have no time right now. Can you file an upstream ticket, please?
Done: https://bugzilla.redhat.com/show_bug.cgi?id=2033342
Uuh, I just realised you probably meant a bug in pagure, right? Want me to do that as well & link it up?
On Thu, 16 Dec 2021, Sam Morris wrote:
> On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote:
> > On Thu, 16 Dec 2021, Sam Morris wrote:
> > > But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...
> > For hardened, I think I found an issue. I need to test that but have no time right now. Can you file an upstream ticket, please?
> Done: https://bugzilla.redhat.com/show_bug.cgi?id=2033342
> Uuh, I just realised you probably meant a bug in pagure, right? Want me to do that as well & link it up?
Thanks, the bug is good too.
On Thu, 2021-12-16 at 17:16 +0200, Alexander Bokovoy wrote:
> On Thu, 16 Dec 2021, Sam Morris wrote:
> > On Thu, 2021-12-16 at 16:28 +0200, Alexander Bokovoy wrote:
> > > On Thu, 16 Dec 2021, Sam Morris wrote:
> > > > But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...
> > > For hardened, I think I found an issue. I need to test that but have no time right now. Can you file an upstream ticket, please?
> > Done: https://bugzilla.redhat.com/show_bug.cgi?id=2033342
> > Uuh, I just realised you probably meant a bug in pagure, right? Want me to do that as well & link it up?
> Thanks, the bug is good too.
Here you go: https://pagure.io/freeipa/issue/9065
freeipa-users@lists.fedorahosted.org