Le 22/12/2020 à 17:45, Sumit Bose a écrit :
> On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
>> Le 22/12/2020 à 07:52, Sumit Bose a écrit :
>>> On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
>>>> Hello,
>>>>
>>>>
>>>> I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication
>>>> indicator "*strong*".
>>>>
>>>> $ cat kdc.conf
>>>>
>>>> ...
>>>>
>>>> [otp]
>>>>     softid = {
>>>>         server = 192.168.0.68:1812
>>>>         secret = /etc/.radius.secret
>>>>         strip_realm = true
>>>>         indicator = strong
>>>>         #timeout = <integer> (default: 5 [seconds])
>>>>         #retries = <integer> (default: 3)
>>>>     }
>>>>
>>>>
>>>> The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and
>>>> *bob*.
>>>>
>>>>
>>>> $ kadmin.local getstrs alice
>>>> otp: [{"type":"softid"}]
>>>>
>>>> $ kadmin.local getstrs bob
>>>> otp: [{"type":"softid"}]
>>>>
>>>>
>>>> Alice's password was purged with the command
>>>>
>>>>
>>>> kadmin.local purgekeys -all alice
>>>>
>>>>
>>>> On the sssd host (RHEL 7.9), sssd service uses the following configuration
>>>> file
>>>>
>>>>
>>>> [sssd]
>>>> domains = DNS.PODMAN
>>>> services = nss,pam,ssh
>>>> config_file_version = 2
>>>> debug_level = 9
>>>>
>>>> [nss]
>>>> filter_users = root
>>>> filter_groups = root
>>>> reconnection_retries = 3
>>>> entry_cache_nowait_percentage = 75
>>>> debug_level = 9
>>>>
>>>> [pam]
>>>> reconnection_retries = 3
>>>> offline_credentials_expiration = 2
>>>> offline_failed_login_attempts = 3
>>>> offline_failed_login_delay = 5
>>>>
>>>> [domain/DNS.PODMAN]
>>>> debug_level = 0x04000
>>>> id_provider = ldap
>>>> ldap_uri =ldaps://kerb.dns.podman:636/
>>>> ldap_search_base = dc=dns,dc=podman
>>>> ldap_schema = rfc2307bis
>>>> ldap_tls_reqcert = demand
>>>> ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
>>>>
>>>> ldap_sasl_mech = gssapi
>>>> ldap_sasl_authid = sssd/sssd.dns.podman
>>>> ldap_krb5_keytab = /etc/sssd/sssd.keytab
>>>> ldap_krb5_init_creds = true
>>>> ldap_krb5_ticket_lifetime = 86400
>>>>
>>>> ldap_user_search_base = ou=people,dc=dns,dc=podman
>>>> ldap_user_object_class = posixAccount
>>>>
>>>> ldap_group_search_base = ou=groups,dc=dns,dc=podman
>>>> ldap_group_object_class = groupOfNames
>>>> ldap_group_gid_number = gidNumber
>>>> ldap_group_member = member
>>>>
>>>> auth_provider = krb5
>>>> krb5_server = kerb.dns.podman
>>>> krb5_realm = DNS.PODMAN
>>>> cache_credentials = true
>>>> krb5_keytab = /etc/krb5.keytab
>>>> krb5_use_fast = try
>>>> krb5_fast_principal = host/sssd.dns.podman
>>>>
>>>> min_id = 10000
>>>> max_id = 20000
>>>> #enumerate = False
>>>> enumerate = True
>>>>
>>>> [ssh]
>>>> debug_level = 9
>>>>
>>>> # klist -k /etc/krb5.keytab
>>>> Keytab name: FILE:/etc/krb5.keytab
>>>> KVNO Principal
>>>> ---- --------------------------------------------------------------------------
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>
>>>> The service principal host/sssd.dns.podman is configured to require the
>>>> "strong" authentication indicator value.
>>>>
>>>> $ kadmin getstrs host/sssd.dns.podman
>>>> require_auth: strong
>>>>
>>>>
>>>> When ssh to the sssd host with *alice* account, authentication using otp is
>>>> working fine
>>>>
>>>> [root@client /]# ssh alice@sssd
>>>> alice@sssd's password: <otp value>
>>>> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
>>>> [alice@sssd ~]
>>>>
>>>>
>>>> However, if I ssh to the sssd host with *bob* account, I can login with
>>>> bob's password even if the service principal host/sssd.dns.podman is
>>>> configured to require the "strong" authentication indicator value
>>>>
>>>> [root@client /]# ssh bob@sssd
>>>> bob@sssd's password: <bob's password>
>>>> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
>>>> [bob@sssd ~]$
>>>>
>>>>
>>>> 1. Why password authentication for bob principal succeeded while
>>>> authentication indicator is "strong"?
>>>> 2. Is it possible to configure sssd to enforce "otp" authentication?
>>> Hi,
>>>
>>> I think it should work as you expect it if you add
>>>
>>> krb5_validate = True
>>>
>>> to the [domain/...] section of sssd.conf.
>>>
>>> This option is needed because with the default Kerberos authentication
>>> only user related operations are performed. If FAST is left aside it is
>>> only asking the KDC for a TGT for the user, the KDC at this point cannot
>>> know for which service you would like to use it.
>>>
>>> With 'krb5_validate = True' after getting the TGT for the user SSSD will
>>> try to validate it by requesting a service ticket for the principal from
>>> the keytab. At this point the KDC can check the requirements configured
>>> for the host and reject a TGT which does not have the needed
>>> authentication indicators. If the KDC rejects the request the ticket
>>> validation and hence the authentication will fail.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>>> _______________________________________________
>>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fe...
>> Hello Sumit,
>>
>>
>> Thank you for your quick answer and the hint. Now with "krb5_validate =
>> true", TGT obtained without the needed authentication indicator is rejected
>>
>> [root@client shared]# ssh bob@sssd
>> bob@sssd's password:
>> Permission denied, please try again.
>>
>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
>>
>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
>>
>> However, I'm still not able to login using bob's *otp*
>>
>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
>>
>>
>> Pre-authentication using password is prioritized.
>>
>>
>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid.
>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache
>> (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab.
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt\/DNS.PODMAN\@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp].
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password].
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value].
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp].
>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
>>
>>
>> Do you know if there is a way to tell sssd to enforce otp authentication
>> when a fast channel is available?
>>
>>
>> I would also like to customize the login prompt for otp authentication.
> Hi,
>
> you are right, password based authentication is preferred. To change this
> SSSD must figure out what authentication methods are available before
> asking the user to enter the credentials.
>
> To achieve this you can just try to call
>
> touch /var/lib/sss/pubconf/pam_preauth_available
>
> and try to authenticate again.
>
> More elegant, and since you said you want to customize the prompting
> anyway, is to add something like
>
> [prompting/2fa]
> first_prompt = Please enter the first factor:
> second_prompt = Please enter the second factor:
>
> to sssd.conf.
>
> Please note, in the sssd.conf man page there is the option
> 'single_prompt' documented for '[prompting/2fa]', but since it looks
> like you want to allow password and otp you have to take the two prompts
> version because otherwise SSSD would not know if you want to use only
> the password or if both factors should be used.
>
> HTH
>
> bye,
> Sumit
>
>> Regards
>>
Hi,

It seems that "*prompting configuration section*" is not supported
under rhel 7.9. So, I set up an sssd host under rhel 8.3 and I did

touch /var/lib/sss/pubconf/pam_preauth_available

and added section

[prompting/2fa]
single_prompt = true
first_prompt = Please enter PIN + OTP value :

in /etc/sssd/sssd.conf (I just want to allow otp authentication).

Unfortunately, these changes had no effect, I'm still getting the
usual password prompt

[root@client ~]# ssh bob@sssd8
bob@sssd8's password:

and password authentication is still prioritized.

[root@sssd8 sssd]# sssctl user-checks -a auth bob
user: bob
action: auth
service: system-auth
SSSD nss user lookup result:
- user name: bob
- user id: 10004
- group id: 10004
- gecos: bob
- home directory: /home/bob
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: bob
- uidNumber: 10004
- gidNumber: 10004
- gecos: bob
- homeDirectory: /home/bob
- loginShell: /bin/bash
testing pam_authenticate
First Factor:
Second Factor (optional):
pam_authenticate for user [bob]: Authentication failure
PAM Environment:
- no env -

Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required
Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required
Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@EDF.FR for krbtgt/EDF.FR@EDF.FR
Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong
Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong

Do you know how to troubleshoot the prompting issue?

I'm wondering if the possibility to choose the authentication method and
customize the prompting is only available for the sssd ipa auth provider?