Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
1. Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"? 2. Is it possible to configure sssd to enforce "otp" authentication?
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp]        softid = {                server = 192.168.0.68:1812                secret = /etc/.radius.secret                strip_realm = true                indicator = strong                #timeout = <integer> (default: 5 [seconds])                #retries = <integer> (default: 3)        }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
  2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD is only asking the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp]        softid = {                server = 192.168.0.68:1812                secret = /etc/.radius.secret                strip_realm = true                indicator = strong                #timeout = <integer> (default: 5 [seconds])                #retries = <integer> (default: 3)        }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
  2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD is only asking the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate = true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I'm still not able to log in using bob's *otp*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
Pre-authentication using the password is prioritized: unlike alice, whose keys were purged, bob still has a long-term key, so the encrypted-challenge method remains available and appears to be selected before the OTP prompt is answered.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid. (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce otp authentication when a FAST channel is available?
I would also like to customize the login prompt for otp authentication.
Regards
On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp]        softid = {                server = 192.168.0.68:1812                secret = /etc/.radius.secret                strip_realm = true                indicator = strong                #timeout = <integer> (default: 5 [seconds])                #retries = <integer> (default: 3)        }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
  2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN   2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD is only asking the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate = true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I'm still not able to log in using bob's *otp*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
The krb5_child trace below shows why: SSSD's prompter only supplies a password answer, so the OTP pre-authentication module (141) fails with "Cannot read password" and the encrypted_challenge module (138) is used instead — in other words, password pre-authentication is prioritized over OTP.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid. (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce OTP authentication when a FAST channel is available?
I would also like to customize the login prompt for OTP authentication.
Hi,
you are right, password-based authentication is preferred. To change this, SSSD must first find out which authentication methods are available for the user (via a pre-authentication request to the KDC) before it asks the user for credentials.
To check quickly whether that solves it, you can just run
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again (this file is only a flag pam_sss checks to decide whether to issue the pre-authentication request first; treat it as a diagnostic step rather than the permanent configuration).
More elegant and since you said you want to customize the prompting anyways is to add something like
[prompting/2fa] first_prompt = Please enter the first factor: second_prompt = Please enter the second factor:
to sssd.conf.
Please note that the sssd.conf man page documents the option 'single_prompt' for '[prompting/2fa]', but since you apparently want to allow both password and OTP, you have to use the two-prompt version; otherwise SSSD cannot tell whether you want to use only the password or both factors.
HTH
bye, Sumit
Regards
Le 22/12/2020 à 17:45, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using OTP works fine (alice's long-term keys were purged, so only OTP can succeed for her):
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password, even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator:
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the service requires the "strong" authentication indicator?
- Is it possible to configure sssd to enforce OTP authentication?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD only asks the KDC for a TGT for the user; at that point the KDC cannot know for which service the TGT will be used, so the require_auth indicator set on host/sssd.dns.podman is never consulted — which is exactly why bob's password login succeeded.
With 'krb5_validate = True', after obtaining the user's TGT SSSD validates it by requesting a service ticket for the principal found in the keytab (here host/sssd.dns.podman). At this point the KDC can check the requirements configured for the host and reject a TGT that does not carry the needed authentication indicators. If the KDC rejects the request, ticket validation and hence the authentication fail. Note that without validation SSSD accepts the TGT as proof of authentication without ever checking it against the host keytab, so on any host that has a keytab this option is worth enabling regardless of authentication indicators.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. With "krb5_validate = true", a TGT obtained without the required authentication indicator is now rejected when SSSD validates it against host/sssd.dns.podman (HIGHER_AUTHENTICATION_REQUIRED in the KDC log):
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I am still unable to log in with bob's *otp*: SSSD prompts for a password, sends it as encrypted-challenge pre-authentication, and the KDC rejects it with PREAUTH_FAILED:
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
The krb5_child trace below shows why: SSSD's prompter only supplies a password answer, so the OTP pre-authentication module (141) fails with "Cannot read password" and the encrypted_challenge module (138) is used instead — in other words, password pre-authentication is prioritized over OTP.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid. (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce OTP authentication when a FAST channel is available?
I would also like to customize the login prompt for OTP authentication.
Hi,
you are right, password-based authentication is preferred. To change this, SSSD must first find out which authentication methods are available for the user (via a pre-authentication request to the KDC) before it asks the user for credentials.
To check quickly whether that solves it, you can just run
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again (this file is only a flag pam_sss checks to decide whether to issue the pre-authentication request first; treat it as a diagnostic step rather than the permanent configuration).
More elegant and since you said you want to customize the prompting anyways is to add something like
[prompting/2fa] first_prompt = Please enter the first factor: second_prompt = Please enter the second factor:
to sssd.conf.
Please note that the sssd.conf man page documents the option 'single_prompt' for '[prompting/2fa]', but since you apparently want to allow both password and OTP, you have to use the two-prompt version; otherwise SSSD cannot tell whether you want to use only the password or both factors.
HTH
bye, Sumit
Regards
Hi,
It seems that the *prompting configuration section* is not supported on RHEL 7.9. So I set up an sssd host on RHEL 8.3, ran
touch /var/lib/sss/pubconf/pam_preauth_available
and added section
[prompting/2fa] single_prompt = true first_prompt = Please enter PIN + OTP value :
in /etc/sssd/sssd.conf
(I only want to allow OTP authentication.)
Unfortunately, these changes had no effect: I still get the usual password prompt
[root@client ~]# ssh bob@sssd8 bob@sssd8's password:
and password authentication is still prioritized — the KDC log below shows the TGT being issued against the password and the subsequent TGS request for host/sssd8.dns.podman being rejected for the missing "strong" indicator.
[root@sssd8 sssd]# sssctl user-checks -a auth bob user: bob action: auth service: system-auth
SSSD nss user lookup result: - user name: bob - user id: 10004 - group id: 10004 - gecos: bob - home directory: /home/bob - shell: /bin/bash
SSSD InfoPipe user lookup result: - name: bob - uidNumber: 10004 - gidNumber: 10004 - gecos: bob - homeDirectory: /home/bob - loginShell: /bin/bash
testing pam_authenticate
First Factor: Second Factor (optional): pam_authenticate for user [bob]: Authentication failure
PAM Environment: - no env -
Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@EDF.FR for krbtgt/EDF.FR@EDF.FR Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: 
HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong
Do you know how to troubleshoot the prompting issue?
Le 22/12/2020 à 20:51, Abdelkader Chelouah a écrit :
Le 22/12/2020 à 17:45, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using OTP works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication ?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD only asks the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject the service-ticket request for a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate = true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I'm still not able to log in using bob's *OTP*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
Pre-authentication using the password is prioritized.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab.
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce OTP authentication when a FAST channel is available?
I would also like to customize the login prompt for OTP authentication.
Hi,
You are right, password-based authentication is preferred. To change this, SSSD must figure out which authentication methods are available before asking the user to enter the credentials.
To achieve this you can just try to call
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again.
More elegant and since you said you want to customize the prompting anyways is to add something like
[prompting/2fa] first_prompt = Please enter the first factor: second_prompt = Please enter the second factor:
to sssd.conf.
Please note that the sssd.conf man page documents the option 'single_prompt' for '[prompting/2fa]', but since it looks like you want to allow both password and OTP, you have to use the two-prompt version; otherwise SSSD would not know whether you want to use only the password or whether both factors should be used.
HTH
bye, Sumit
Regards
Hi,
It seems that the *prompting configuration section* is not supported under RHEL 7.9. So I set up an sssd host under RHEL 8.3 and did
touch /var/lib/sss/pubconf/pam_preauth_available
and added section
[prompting/2fa] single_prompt = true first_prompt = Please enter PIN + OTP value :
in /etc/sssd/sssd.conf
(I just want to allow otp authentication)
Unfortunately, these changes had no effect; I'm still getting the usual password prompt
[root@client ~]# ssh bob@sssd8 bob@sssd8's password:
and password authentication is still prioritized.
[root@sssd8 sssd]# sssctl user-checks -a auth bob user: bob action: auth service: system-auth
SSSD nss user lookup result: - user name: bob - user id: 10004 - group id: 10004 - gecos: bob - home directory: /home/bob - shell: /bin/bash
SSSD InfoPipe user lookup result: - name: bob - uidNumber: 10004 - gidNumber: 10004 - gecos: bob - homeDirectory: /home/bob - loginShell: /bin/bash
testing pam_authenticate
First Factor: Second Factor (optional): pam_authenticate for user [bob]: Authentication failure
PAM Environment: - no env -
Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@EDF.FR for krbtgt/EDF.FR@EDF.FR Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: 
HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong
Do you know how to troubleshoot the prompting issue?
I'm wondering whether the possibility to choose the authentication method and customize the prompting is only available for the sssd IPA auth provider?
Le 23/12/2020 à 14:03, Abdelkader Chelouah a écrit :
Le 22/12/2020 à 20:51, Abdelkader Chelouah a écrit :
Le 22/12/2020 à 17:45, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using OTP works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication ?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. Leaving FAST aside, SSSD only asks the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject the service-ticket request for a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate = true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I'm still not able to log in using bob's *OTP*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
Pre-authentication using the password is prioritized.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache
(2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab.
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce otp authentication when a fast channel is available ?
I would like also to customize the prompt login for otp authentication.
Hi,
you are right, password-based authentication is preferred. To change this, SSSD must figure out which authentication methods are available before asking the user to enter the credentials.
To achieve this you can just try to call
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again.
More elegant, and since you said you want to customize the prompting anyway, is to add something like
[prompting/2fa] first_prompt = Please enter the first factor: second_prompt = Please enter the second factor:
to sssd.conf.
Please note, in the sssd.conf man page there is the option 'single_prompt' documented for '[prompting/2fa]', but since it looks like you want to allow password and otp you have to take the two-prompt version, because otherwise SSSD would not know whether you want to use only the password or whether both factors should be used.
HTH
bye, Sumit
Regards
Hi,
It seems that "*prompting configuration section*" is not supported under rhel 7.9. So, I set up an sssd host under rhel 8.3 and I did
touch /var/lib/sss/pubconf/pam_preauth_available
and added section
[prompting/2fa] single_prompt = true first_prompt = Please enter PIN + OTP value :
in /etc/sssd/sssd.conf
(I just want to allow otp authentication)
Unfortunately, these changes had no effect, I'm still getting the usual password prompt
[root@client ~]# ssh bob@sssd8 bob@sssd8's password:
and password authentication is still prioritized.
[root@sssd8 sssd]# sssctl user-checks -a auth bob user: bob action: auth service: system-auth
SSSD nss user lookup result: - user name: bob - user id: 10004 - group id: 10004 - gecos: bob - home directory: /home/bob - shell: /bin/bash
SSSD InfoPipe user lookup result: - name: bob - uidNumber: 10004 - gidNumber: 10004 - gecos: bob - homeDirectory: /home/bob - loginShell: /bin/bash
testing pam_authenticate
First Factor: Second Factor (optional): pam_authenticate for user [bob]: Authentication failure
PAM Environment: - no env -
Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd8.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), 
camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd8.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Do you know how to troubleshoot the prompting issue ?
I'm wondering if the possibility to choose the authentication method and customize the prompting is only available for sssd ipa auth provider ?
Hello Sumit,
Please, can you confirm that the possibility to choose the authentication method and to customize the prompting is only available for the sssd ipa auth provider?
Regards
On Tue, Dec 22, 2020 at 08:51:12PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 17:45, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
Le 22/12/2020 à 07:52, Sumit Bose a écrit :
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication indicator "*strong*".
$ cat kdc.conf
...
[otp] softid = { server = 192.168.0.68:1812 secret = /etc/.radius.secret strip_realm = true indicator = strong #timeout = <integer> (default: 5 [seconds]) #retries = <integer> (default: 3) }
The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and *bob.*
$ kadmin.local getstrs alice otp: [{"type":"softid"}]
$ kadmin.local getstrs bob otp: [{"type":"softid"}
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), sssd service uses the following configuration file
[sssd] domains = DNS.PODMAN services = nss,pam,ssh config_file_version = 2 debug_level = 9
[nss] filter_users = root filter_groups = root reconnection_retries = 3 entry_cache_nowait_percentage = 75 debug_level = 9
[pam] reconnection_retries = 3 offline_credentials_expiration = 2 offline_failed_login_attempts = 3 offline_failed_login_delay = 5
[domain/DNS.PODMAN] debug_level = 0x04000 id_provider = ldap ldap_uri = ldaps://kerb.dns.podman:636/ ldap_search_base = dc=dns,dc=podman ldap_schema = rfc2307bis ldap_tls_reqcert = demand ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi ldap_sasl_authid = sssd/sssd.dns.podman ldap_krb5_keytab = /etc/sssd/sssd.keytab ldap_krb5_init_creds = true ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman ldap_group_object_class = groupOfNames ldap_group_gid_number = gidNumber ldap_group_member = member
auth_provider = krb5 krb5_server = kerb.dns.podman krb5_realm = DNS.PODMAN cache_credentials = true krb5_keytab = /etc/krb5.keytab krb5_use_fast = try krb5_fast_principal = host/sssd.dns.podman
min_id = 10000 max_id = 20000 #enumerate = False enumerate = True
[ssh] debug_level = 9
# klist -k /etc/krb5.keytab Keytab name: FILE:/etc/krb5.keytab KVNO Principal
2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN 2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp works fine
[root@client /]# ssh alice@sssd alice@sssd's password: <otp value> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman [alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with bob's password even though the service principal host/sssd.dns.podman is configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd bob@sssd's password: <bob's password> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman [bob@sssd ~]$
- Why did password authentication for the bob principal succeed while the required authentication indicator is "strong"?
- Is it possible to configure sssd to enforce "otp" authentication ?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication only user-related operations are performed. If FAST is left aside, it is only asking the KDC for a TGT for the user; at this point the KDC cannot know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will try to validate it by requesting a service ticket for the principal from the keytab. At this point the KDC can check the requirements configured for the host and reject a TGT which does not have the needed authentication indicators. If the KDC rejects the request, the ticket validation and hence the authentication will fail.
HTH
bye, Sumit
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate = true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd bob@sssd's password: Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
However, I'm still not able to login using bob's *otp*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
Pre-authentication using the password is prioritized.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid. (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt/DNS.PODMAN@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL. (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp]. (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
Do you know if there is a way to tell sssd to enforce otp authentication when a fast channel is available ?
I would like also to customize the prompt login for otp authentication.
Hi,
you are right, password-based authentication is preferred. To change this, SSSD must figure out which authentication methods are available before asking the user to enter the credentials.
To achieve this you can just try to call
touch /var/lib/sss/pubconf/pam_preauth_available
and try to authenticate again.
More elegant, and since you said you want to customize the prompting anyway, is to add something like
[prompting/2fa] first_prompt = Please enter the first factor: second_prompt = Please enter the second factor:
to sssd.conf.
Please note, in the sssd.conf man page there is the option 'single_prompt' documented for '[prompting/2fa]', but since it looks like you want to allow password and otp you have to take the two-prompt version, because otherwise SSSD would not know whether you want to use only the password or whether both factors should be used.
HTH
bye, Sumit
Regards
Hi,
It seems that "*prompting configuration section*" is not supported under rhel 7.9. So, I set up an sssd host under rhel 8.3 and I did
touch /var/lib/sss/pubconf/pam_preauth_available
and added section
[prompting/2fa] single_prompt = true first_prompt = Please enter PIN + OTP value :
in /etc/sssd/sssd.conf
(I just want to allow otp authentication)
Unfortunately, these changes had no effect, I'm still getting the usual password prompt
[root@client ~]# ssh bob@sssd8 bob@sssd8's password:
Hi,
sorry for the delay due to the holiday season.
Please check if you have ChallengeResponseAuthentication enabled for the sshd server on sssd8. If you have only PasswordAuthentication enabled, the ssh client will unconditionally ask only for a password, so the SSSD prompts never reach the user. With ChallengeResponseAuthentication (the keyboard-interactive method) the PAM conversation is forwarded to the client.
HTH
bye, Sumit
and password authentication is still prioritized.
[root@sssd8 sssd]# sssctl user-checks -a auth bob user: bob action: auth service: system-auth
SSSD nss user lookup result:  - user name: bob  - user id: 10004  - group id: 10004  - gecos: bob  - home directory: /home/bob  - shell: /bin/bash
SSSD InfoPipe user lookup result:  - name: bob  - uidNumber: 10004  - gidNumber: 10004  - gecos: bob  - homeDirectory: /home/bob  - loginShell: /bin/bash
testing pam_authenticate
First Factor: Second Factor (optional): pam_authenticate for user [bob]: Authentication failure
PAM Environment: - no env -
Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@EDF.FR for krbtgt/EDF.FR@EDF.FR, Additional pre-authentication required Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@EDF.FR for krbtgt/EDF.FR@EDF.FR Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: 
HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@EDF.FR for host/sssd8.dns.podman@EDF.FR, Required auth indicators not present in ticket: strong
Do you know how to troubleshoot the prompting issue ?