On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
> On 22/12/2020 at 07:52, Sumit Bose wrote:
>> On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
>>> Hello,
>>>
>>>
>>> I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication
>>> indicator "*strong*".
>>>
>>> $ cat kdc.conf
>>>
>>> ...
>>>
>>> [otp]
>>>     softid = {
>>>         server = 192.168.0.68:1812
>>>         secret = /etc/.radius.secret
>>>         strip_realm = true
>>>         indicator = strong
>>>         #timeout = <integer> (default: 5 [seconds])
>>>         #retries = <integer> (default: 3)
>>>     }
>>>
>>>
>>> The Kerberos realm "DNS.PODMAN" has only two "otp" principals, *alice* and
>>> *bob*.
>>>
>>>
>>> $ kadmin.local getstrs alice
>>> otp: [{"type":"softid"}]
>>>
>>> $ kadmin.local getstrs bob
>>> otp: [{"type":"softid"}
>>>
>>>
>>> Alice's password was purged with the command
>>>
>>>
>>> kadmin.local purgekeys -all alice
>>>
>>>
>>> On the sssd host (RHEL 7.9), sssd service uses the following configuration
>>> file
>>>
>>>
>>> [sssd]
>>> domains = DNS.PODMAN
>>> services = nss,pam,ssh
>>> config_file_version = 2
>>> debug_level = 9
>>>
>>> [nss]
>>> filter_users = root
>>> filter_groups = root
>>> reconnection_retries = 3
>>> entry_cache_nowait_percentage = 75
>>> debug_level = 9
>>>
>>> [pam]
>>> reconnection_retries = 3
>>> offline_credentials_expiration = 2
>>> offline_failed_login_attempts = 3
>>> offline_failed_login_delay = 5
>>>
>>> [domain/DNS.PODMAN]
>>> debug_level = 0x04000
>>> id_provider = ldap
>>> ldap_uri = ldaps://kerb.dns.podman:636/
>>> ldap_search_base = dc=dns,dc=podman
>>> ldap_schema = rfc2307bis
>>> ldap_tls_reqcert = demand
>>> ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
>>>
>>> ldap_sasl_mech = gssapi
>>> ldap_sasl_authid = sssd/sssd.dns.podman
>>> ldap_krb5_keytab = /etc/sssd/sssd.keytab
>>> ldap_krb5_init_creds = true
>>> ldap_krb5_ticket_lifetime = 86400
>>>
>>> ldap_user_search_base = ou=people,dc=dns,dc=podman
>>> ldap_user_object_class = posixAccount
>>>
>>> ldap_group_search_base = ou=groups,dc=dns,dc=podman
>>> ldap_group_object_class = groupOfNames
>>> ldap_group_gid_number = gidNumber
>>> ldap_group_member = member
>>>
>>> auth_provider = krb5
>>> krb5_server = kerb.dns.podman
>>> krb5_realm = DNS.PODMAN
>>> cache_credentials = true
>>> krb5_keytab = /etc/krb5.keytab
>>> krb5_use_fast = try
>>> krb5_fast_principal = host/sssd.dns.podman
>>>
>>> min_id = 10000
>>> max_id = 20000
>>> #enumerate = False
>>> enumerate = True
>>>
>>> [ssh]
>>> debug_level = 9
>>>
>>> # klist -k /etc/krb5.keytab
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>    2 host/sssd.dns.podman(a)DNS.PODMAN
>>>
>>> The service principal host/sssd.dns.podman is configured to require the
>>> "strong" authentication indicator value.
>>>
>>> $ kadmin getstrs host/sssd.dns.podman
>>> require_auth: strong
>>>
>>>
>>> When I ssh to the sssd host with the *alice* account, authentication using otp
>>> works fine
>>>
>>> [root@client /]# ssh alice@sssd
>>> alice@sssd's password: <otp value>
>>> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
>>> [alice@sssd ~]
>>>
>>>
>>> However, if I ssh to the sssd host with the *bob* account, I can log in with
>>> bob's password even if the service principal host/sssd.dns.podman is
>>> configured to require the "strong" authentication indicator value
>>>
>>> [root@client /]# ssh bob@sssd
>>> bob@sssd's password: <bob's password>
>>> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
>>> [bob@sssd ~]$
>>>
>>>
>>> 1. Why did password authentication for the bob principal succeed while the
>>> authentication indicator is "strong"?
>>> 2. Is it possible to configure sssd to enforce "otp" authentication?
>> Hi,
>>
>> I think it should work as you expect it if you add
>>
>> krb5_validate = True
>>
>> to the [domain/...] section of sssd.conf.
>>
>> This option is needed because with the default Kerberos authentication
>> only user related operations are performed. If FAST is left aside, it is
>> only asking the KDC for a TGT for the user; the KDC at this point cannot
>> know for which service you would like to use it.
>>
>> With 'krb5_validate = True', after getting the TGT for the user SSSD will
>> try to validate it by requesting a service ticket for the principal from
>> the keytab. At this point the KDC can check the requirements configured
>> for the host and reject a TGT which does not have the needed
>> authentication indicators. If the KDC rejects the request, the ticket
>> validation and hence the authentication will fail.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> _______________________________________________
>>> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Hello Sumit,
>
>
> Thank you for your quick answer and the hint. Now with "krb5_validate =
> true", a TGT obtained without the needed authentication indicator is rejected
>
> [root@client shared]# ssh bob@sssd
> bob@sssd's password:
> Permission denied, please try again.
>
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> NEEDED_PREAUTH: bob(a)DNS.PODMAN for krbtgt/DNS.PODMAN(a)DNS.PODMAN, Additional
> pre-authentication required
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE:
> authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> bob(a)DNS.PODMAN for krbtgt/DNS.PODMAN(a)DNS.PODMAN
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
> {rep=UNSUPPORTED:(0)} bob(a)DNS.PODMAN for host/sssd.dns.podman(a)DNS.PODMAN,
> Required auth indicators not present in ticket: strong
>
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
> {rep=UNSUPPORTED:(0)} bob(a)DNS.PODMAN for host/sssd.dns.podman(a)DNS.PODMAN,
> Required auth indicators not present in ticket: strong
>
> However, I'm still not able to log in using bob's *otp*
>
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> NEEDED_PREAUTH: bob(a)DNS.PODMAN for krbtgt/DNS.PODMAN(a)DNS.PODMAN, Additional
> pre-authentication required
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth
> (encrypted_challenge) verify failure: Incorrect password in encrypted
> challenge
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> PREAUTH_FAILED: bob(a)DNS.PODMAN for krbtgt/DNS.PODMAN(a)DNS.PODMAN, Incorrect
> password in encrypted challenge
>
>
> Pre-authentication using the password is prioritized.
>
>
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000):
> Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not
> valid.
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000):
> Recreating ccache
> (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab]
> (0x4000): Trying to find principal host/sssd.dns.podman(a)DNS.PODMAN in
> keytab.
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892571: Getting initial credentials for bob(a)DNS.PODMAN
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892572: FAST armor ccache:
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892573: Retrieving host/sssd.dns.podman(a)DNS.PODMAN ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/DNS.PODMAN\@DNS.PODMAN(a)X-CACHECONF:
> from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result:
> -1765328243/Matching credential not found
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892575: Getting credentials host/sssd.dns.podman(a)DNS.PODMAN
> -> krbtgt/DNS.PODMAN(a)DNS.PODMAN using ccache
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892576: Retrieving host/sssd.dns.podman(a)DNS.PODMAN ->
> krbtgt/DNS.PODMAN(a)DNS.PODMAN from
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892579: Creating authenticator for
> host/sssd.dns.podman(a)DNS.PODMAN -> krbtgt/DNS.PODMAN(a)DNS.PODMAN, seqnum 0,
> subkey aes256-cts/F61D, session key aes256-cts/3774
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892581: FAST armor key: aes256-cts/A391
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892583: Sending unauthenticated request
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892584: Encoding request body and padata into FAST request
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892587: Received answer (545 bytes) from dgram
> 10.89.0.16:88
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892588: Response was from master KDC
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892589: Received error from KDC: -1765328359/Additional
> pre-authentication required
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892590: Decoding FAST response
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892593: Preauthenticating using KDC method data
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16),
> PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
> (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt
> "DNS.PODMANbob", params ""
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892596: Received cookie: MIT
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892597: PKINIT client has no configured identity; giving up
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [otp].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [password].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892598: Preauth module pkinit (147) (info) returned:
> 0/Success
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892599: PKINIT client has no configured identity; giving up
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892600: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
> sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
> Prompt [0][Enter OTP Token Value].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892601: Preauth module otp (141) (real) returned:
> -1765328254/Cannot read password
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real)
> returned: 0/Success
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE
> (133), PA-ENCRYPTED-CHALLENGE (138)
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892605: Encoding request body and padata into FAST request
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892608: Received answer (545 bytes) from dgram
> 10.89.0.16:88
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892609: Response was from master KDC
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892610: Received error from KDC:
> -1765328360/Preauthentication failed
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892611: Decoding FAST response
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892614: Preauthenticating using KDC method data
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16),
> PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
> (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt
> "DNS.PODMANbob", params ""
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892617: Received cookie: MIT
>
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [otp].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892618: Preauth module pkinit (147) (info) returned:
> 0/Success
>
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response
> sent.
>
>
> Do you know if there is a way to tell sssd to enforce otp authentication
> when a FAST channel is available?
>
>
> I would also like to customize the login prompt for otp authentication.
Hi,
you are right, password based authentication is preferred. To change this
SSSD must figure out what authentication methods are available before
asking the user to enter the credentials.
To achieve this you can just try to call
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again.
More elegant, and since you said you want to customize the prompting
anyway, is to add something like
[prompting/2fa]
first_prompt = Please enter the first factor:
second_prompt = Please enter the second factor:
to sssd.conf.
Please note, in the sssd.conf man page there is the option
'single_prompt' documented for '[prompting/2fa]', but since it looks
like you want to allow password and otp you have to take the two prompts
version because otherwise SSSD would not know if you want to use only
the password or if both factors should be used.
HTH
bye,
Sumit
>
> Regards
Hi,
It seems that the "*prompting configuration section*" is not supported under
RHEL 7.9. So, I set up an sssd host under RHEL 8.3 and I did
touch /var/lib/sss/pubconf/pam_preauth_available
and added the section
[prompting/2fa]
single_prompt = true
first_prompt = Please enter PIN + OTP value :
in /etc/sssd/sssd.conf
(I just want to allow otp authentication)
Unfortunately, these changes had no effect; I'm still getting the usual
password prompt
[root@client ~]# ssh bob@sssd8
bob@sssd8's password:
and password authentication is still prioritized.
[root@sssd8 sssd]# sssctl user-checks -a auth bob
user: bob
action: auth
service: system-auth
SSSD nss user lookup result:
- user name: bob
- user id: 10004
- group id: 10004
- gecos: bob
- home directory: /home/bob
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: bob
- uidNumber: 10004
- gidNumber: 10004
- gecos: bob
- homeDirectory: /home/bob
- loginShell: /bin/bash
testing pam_authenticate
First Factor:
Second Factor (optional):
pam_authenticate for user [bob]: Authentication failure
PAM Environment:
- no env -
Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob(a)EDF.FR for
krbtgt/EDF.FR(a)EDF.FR, Additional pre-authentication required
Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob(a)EDF.FR for
krbtgt/EDF.FR(a)EDF.FR, Additional pre-authentication required
Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785,
etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
bob(a)EDF.FR for krbtgt/EDF.FR(a)EDF.FR
Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED:
authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob(a)EDF.FR for
host/sssd8.dns.podman(a)EDF.FR, Required auth indicators not present in
ticket: strong
Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25),
camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED:
authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob(a)EDF.FR for
host/sssd8.dns.podman(a)EDF.FR, Required auth indicators not present in
ticket: strong
Do you know how to troubleshoot the prompting issue?
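A small detector for the KDC-side symptom discussed in this thread, added here as an example and not code from sssd or MIT Kerberos: it parses krb5kdc log lines in the format quoted above and reports every service ticket the KDC refused because the TGT lacked a required authentication indicator, which is the rejection krb5_validate surfaces. The sample log lines are constructed.

```python
"""Flag krb5kdc log lines where a service ticket was refused because the
client's TGT lacked a required authentication indicator.

Added example for this thread, not code from sssd or MIT Kerberos. The line
format follows the krb5kdc output quoted above; the sample lines are
constructed, with "@" where the list archive shows "(a)".
"""
import re
from collections import defaultdict

# One krb5kdc "(info)" line: timestamp, host, pid, request type, etype list,
# client address, status keyword, then a status-specific remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]"
    r"\(info\): (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<addr>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>" appears in the remainder of every line type.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^\s,]+)")
INDICATOR_RE = re.compile(r"Required auth indicators not present in ticket: (.+)$")


def parse_line(line):
    """Return a dict for one AS_REQ/TGS_REQ line, or None for anything else."""
    m = LINE_RE.match(line.replace("(a)", "@").strip())
    if not m:
        return None
    rec = m.groupdict()
    princ = PRINC_RE.search(rec["rest"])
    rec["client"] = princ.group("client") if princ else None
    rec["service"] = princ.group("service") if princ else None
    ind = INDICATOR_RE.search(rec["rest"])
    rec["missing_indicators"] = ind.group(1).split() if ind else []
    return rec


def indicator_rejections(lines):
    """Map (client, service) -> indicators the KDC reported missing on TGS_REQ
    lines answered HIGHER_AUTHENTICATION_REQUIRED: a TGT was issued (e.g. after
    password pre-auth) but lacks what the service's require_auth demands; with
    krb5_validate = True this is the rejection that fails the SSSD login."""
    found = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            found[(rec["client"], rec["service"])].update(rec["missing_indicators"])
    return {key: sorted(inds) for key, inds in found.items()}


ETYPES = "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}"
SAMPLE_LOG = [  # constructed, modelled on the krb5kdc lines in the thread
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (2 etypes {ETYPES}) "
    "10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, "
    "Additional pre-authentication required",
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (2 etypes {ETYPES}) "
    "10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN",
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (2 etypes {ETYPES}) "
    "10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes "
    "{rep=UNSUPPORTED:(0)} bob(a)DNS.PODMAN for host/sssd.dns.podman(a)DNS.PODMAN, "
    "Required auth indicators not present in ticket: strong",
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): preauth "
    "(encrypted_challenge) verify failure: Incorrect password in encrypted challenge",
]

if __name__ == "__main__":
    for (client, service), inds in indicator_rejections(SAMPLE_LOG).items():
        print(f"{client} -> {service}: TGT lacks indicator(s) {', '.join(inds)}")
```

Feeding the real krb5kdc.log through `indicator_rejections` gives a per-principal view of which users reach a protected host with a TGT that was not obtained through the OTP path.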