On 22/12/2020 at 20:51, Abdelkader Chelouah wrote:
> On 22/12/2020 at 17:45, Sumit Bose wrote:
>> On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
>>>> On 22/12/2020 at 07:52, Sumit Bose wrote:
>>>> On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
>>>>> Hello,
>>>>>
>>>>>
>>>>> I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication
>>>>> indicator "*strong*".
>>>>>
>>>>> $ cat kdc.conf
>>>>>
>>>>> ...
>>>>>
>>>>> [otp]
>>>>>     softid = {
>>>>>         server = 192.168.0.68:1812
>>>>>         secret = /etc/.radius.secret
>>>>>         strip_realm = true
>>>>>         indicator = strong
>>>>>         #timeout = <integer> (default: 5 [seconds])
>>>>>         #retries = <integer> (default: 3)
>>>>>     }
>>>>>
>>>>>
>>>>> The Kerberos realm "DNS.PODMAN" has only two "otp" principals, *alice* and
>>>>> *bob*.
>>>>>
>>>>>
>>>>> $ kadmin.local getstrs alice
>>>>> otp: [{"type":"softid"}]
>>>>>
>>>>> $ kadmin.local getstrs bob
>>>>> otp: [{"type":"softid"}]
>>>>>
>>>>>
>>>>> Alice's password was purged with the command
>>>>>
>>>>>
>>>>> kadmin.local purgekeys -all alice
>>>>>
>>>>>
>>>>> On the sssd host (RHEL 7.9), the sssd service uses the following
>>>>> configuration file
>>>>>
>>>>>
>>>>> [sssd]
>>>>> domains = DNS.PODMAN
>>>>> services = nss,pam,ssh
>>>>> config_file_version = 2
>>>>> debug_level = 9
>>>>>
>>>>> [nss]
>>>>> filter_users = root
>>>>> filter_groups = root
>>>>> reconnection_retries = 3
>>>>> entry_cache_nowait_percentage = 75
>>>>> debug_level = 9
>>>>>
>>>>> [pam]
>>>>> reconnection_retries = 3
>>>>> offline_credentials_expiration = 2
>>>>> offline_failed_login_attempts = 3
>>>>> offline_failed_login_delay = 5
>>>>>
>>>>> [domain/DNS.PODMAN]
>>>>> debug_level = 0x04000
>>>>> id_provider = ldap
>>>>> ldap_uri = ldaps://kerb.dns.podman:636/
>>>>> ldap_search_base = dc=dns,dc=podman
>>>>> ldap_schema = rfc2307bis
>>>>> ldap_tls_reqcert = demand
>>>>> ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
>>>>>
>>>>> ldap_sasl_mech = gssapi
>>>>> ldap_sasl_authid = sssd/sssd.dns.podman
>>>>> ldap_krb5_keytab = /etc/sssd/sssd.keytab
>>>>> ldap_krb5_init_creds = true
>>>>> ldap_krb5_ticket_lifetime = 86400
>>>>>
>>>>> ldap_user_search_base = ou=people,dc=dns,dc=podman
>>>>> ldap_user_object_class = posixAccount
>>>>>
>>>>> ldap_group_search_base = ou=groups,dc=dns,dc=podman
>>>>> ldap_group_object_class = groupOfNames
>>>>> ldap_group_gid_number = gidNumber
>>>>> ldap_group_member = member
>>>>>
>>>>> auth_provider = krb5
>>>>> krb5_server = kerb.dns.podman
>>>>> krb5_realm = DNS.PODMAN
>>>>> cache_credentials = true
>>>>> krb5_keytab = /etc/krb5.keytab
>>>>> krb5_use_fast = try
>>>>> krb5_fast_principal = host/sssd.dns.podman
>>>>>
>>>>> min_id = 10000
>>>>> max_id = 20000
>>>>> #enumerate = False
>>>>> enumerate = True
>>>>>
>>>>> [ssh]
>>>>> debug_level = 9
>>>>>
>>>>> # klist -k /etc/krb5.keytab
>>>>> Keytab name: FILE:/etc/krb5.keytab
>>>>> KVNO Principal
>>>>> ---- --------------------------------------------------------------------------
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>    2 host/sssd.dns.podman@DNS.PODMAN
>>>>>
>>>>> The service principal host/sssd.dns.podman is configured to require the
>>>>> "strong" authentication indicator value.
>>>>>
>>>>> $ kadmin getstrs host/sssd.dns.podman
>>>>> require_auth: strong
>>>>>
>>>>>
>>>>> When I ssh to the sssd host with the *alice* account, authentication using
>>>>> otp is working fine
>>>>>
>>>>> [root@client /]# ssh alice@sssd
>>>>> alice@sssd's password: <otp value>
>>>>> Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
>>>>> [alice@sssd ~]
>>>>>
>>>>>
>>>>> However, if I ssh to the sssd host with the *bob* account, I can login with
>>>>> bob's password even if the service principal host/sssd.dns.podman is
>>>>> configured to require the "strong" authentication indicator value
>>>>>
>>>>> [root@client /]# ssh bob@sssd
>>>>> bob@sssd's password: <bob's password>
>>>>> Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
>>>>> [bob@sssd ~]$
>>>>>
>>>>>
>>>>> 1. Why did password authentication for the bob principal succeed while the
>>>>> authentication indicator is "strong"?
>>>>> 2. Is it possible to configure sssd to enforce "otp" authentication?
>>>> Hi,
>>>>
>>>> I think it should work as you expect it if you add
>>>>
>>>> krb5_validate = True
>>>>
>>>> to the [domain/...] section of sssd.conf.
>>>>
>>>> This option is needed because with the default Kerberos authentication
>>>> only user related operations are performed. If FAST is left aside it is
>>>> only asking the KDC for a TGT for the user, the KDC at this point cannot
>>>> know for which service you would like to use it.
>>>>
>>>> With 'krb5_validate = True' after getting the TGT for the user SSSD will
>>>> try to validate it by requesting a service ticket for the principal from
>>>> the keytab. At this point the KDC can check the requirements configured
>>>> for the host and reject a TGT which does not have the needed
>>>> authentication indicators. If the KDC rejects the request the ticket
>>>> validation and hence the authentication will fail.
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> _______________________________________________
>>>>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fe...
>>> Hello Sumit,
>>>
>>>
>>> Thank you for your quick answer and the hint. Now with "krb5_validate =
>>> true", a TGT obtained without the needed authentication indicator is rejected
>>>
>>> [root@client shared]# ssh bob@sssd
>>> bob@sssd's password:
>>> Permission denied, please try again.
>>>
>>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
>>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
>>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
>>> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
>>>
>>> However, I'm still not able to login using bob's *otp*
>>>
>>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
>>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge
>>> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge
>>>
>>>
>>> Pre-authentication using the password is prioritized.
>>>
>>>
>>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000): Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not valid.
>>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000): Recreating ccache
>>> (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab] (0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in keytab.
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892572: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krb5_ccache_conf_data/fast_avail/krbtgt\/DNS.PODMAN\@DNS.PODMAN@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: -1765328243/Matching credential not found
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892579: Creating authenticator for host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0, subkey aes256-cts/F61D, session key aes256-cts/3774
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892581: FAST armor key: aes256-cts/A391
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892583: Sending unauthenticated request
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892584: Encoding request body and padata into FAST request
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892587: Received answer (545 bytes) from dgram 10.89.0.16:88
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892588: Response was from master KDC
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892589: Received error from KDC: -1765328359/Additional pre-authentication required
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892590: Decoding FAST response
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892593: Preauthenticating using KDC method data
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892596: Received cookie: MIT
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892597: PKINIT client has no configured identity; giving up
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp].
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [password].
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892598: Preauth module pkinit (147) (info) returned: 0/Success
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892599: PKINIT client has no configured identity; giving up
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892600: Preauth module pkinit (16) (real) returned: 22/Invalid argument
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000): Prompt [0][Enter OTP Token Value].
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892601: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real) returned: 0/Success
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE (133), PA-ENCRYPTED-CHALLENGE (138)
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892605: Encoding request body and padata into FAST request
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892608: Received answer (545 bytes) from dgram 10.89.0.16:88
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892609: Response was from master KDC
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892610: Received error from KDC: -1765328360/Preauthentication failed
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892611: Decoding FAST response
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892614: Preauthenticating using KDC method data
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt "DNS.PODMANbob", params ""
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892617: Received cookie: MIT
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got question [otp].
>>> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000): [277] 1608640257.892618: Preauth module pkinit (147) (info) returned: 0/Success
>>> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response sent.
>>>
>>>
>>> Do you know if there is a way to tell sssd to enforce otp authentication
>>> when a FAST channel is available?
>>>
>>>
>>> I would also like to customize the login prompt for otp authentication.
>> Hi,
>>
>> you are right, password-based authentication is preferred. To change this
>> SSSD must figure out what authentication methods are available before
>> asking the user to enter the credentials.
>>
>> To achieve this you can just try to call
>>
>> touch /var/lib/sss/pubconf/pam_preauth_available
>>
>> and try to authenticate again.
>>
>> More elegant and since you said you want to customize the prompting
>> anyways is to add something like
>>
>> [prompting/2fa]
>> first_prompt = Please enter the first factor:
>> second_prompt = Please enter the second factor:
>>
>> to sssd.conf.
>>
>> Please note, in the sssd.conf man page there is the option
>> 'single_prompt' documented for '[prompting/2fa]', but since it looks
>> like you want to allow password and otp you have to take the two-prompt
>> version because otherwise SSSD would not know if you want to use only
>> the password or if both factors should be used.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> Regards
>>>
>
> Hi,
>
> It seems that the "*prompting configuration section*" is not supported
> under RHEL 7.9. So, I set up an sssd host under RHEL 8.3 and I did
>
> touch /var/lib/sss/pubconf/pam_preauth_available
>
> and added section
>
> [prompting/2fa]
> single_prompt = true
> first_prompt = Please enter PIN + OTP value :
>
> in /etc/sssd/sssd.conf
>
> (I just want to allow otp authentication)
>
>
> Unfortunately, these changes had no effect, I'm still getting the
> usual password prompt
>
> [root@client ~]# ssh bob@sssd8
> bob@sssd8's password:
>
> and password authentication is still prioritized.
>
> [root@sssd8 sssd]# sssctl user-checks -a auth bob
> user: bob
> action: auth
> service: system-auth
>
> SSSD nss user lookup result:
> - user name: bob
> - user id: 10004
> - group id: 10004
> - gecos: bob
> - home directory: /home/bob
> - shell: /bin/bash
>
> SSSD InfoPipe user lookup result:
> - name: bob
> - uidNumber: 10004
> - gidNumber: 10004
> - gecos: bob
> - homeDirectory: /home/bob
> - loginShell: /bin/bash
>
> testing pam_authenticate
>
> First Factor:
> Second Factor (optional):
> pam_authenticate for user [bob]: Authentication failure
>
> PAM Environment:
> - no env -
>
>
> Dec 22 19:36:25 kerb.dns.podman krb5kdc[547](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
> Dec 22 19:36:25 kerb.dns.podman krb5kdc[548](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required
> Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: ISSUE: authtime 1608665785, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
> Dec 22 19:36:25 kerb.dns.podman krb5kdc[549](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd8.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
> Dec 22 19:36:25 kerb.dns.podman krb5kdc[550](info): TGS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.19: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608665785, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd8.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong
>
>
> Do you know how to troubleshoot the prompting issue?
>
>
>
I'm wondering if the possibility to choose the authentication method
and customize the prompting is only available for the sssd ipa auth provider?
Hello Sumit,
Please, can you confirm that the possibility to choose the
authentication method and to customize the prompting is only available
for the sssd ipa auth provider?
Regards
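The krb5kdc records quoted throughout this thread are the only server-side evidence of what happened to bob: an AS_REQ ISSUE record shows that a TGT was handed out after the encrypted_challenge (password) pre-authentication, and once krb5_validate = true makes SSSD ask for a service ticket for host/sssd.dns.podman, a TGS_REQ HIGHER_AUTHENTICATION_REQUIRED record shows the KDC refusing it for the missing "strong" indicator. The script below is an added example, not code from this thread, from SSSD or from MIT krb5. It parses krb5kdc request records in the format quoted above (MIT krb5 1.18), counts per client principal the TGTs issued, the failed pre-authentications and the indicator denials, and lists each denial with client, service, missing indicator and source IP. The sample records are constructed after the ones in the thread; the alice records are invented to show a principal whose TGT did carry the indicator. Two assumptions are built in: the ISSUE record does not say which indicators the TGT carries, so a password-only TGT only becomes visible in this log when some client actually requests a ticket for a principal with require_auth set, and the list after "Required auth indicators not present in ticket:" is split on whitespace, the way require_auth itself is written.

```python
"""Triage MIT krb5kdc log records for authentication-indicator enforcement.

Added example; not code from the thread, from SSSD or from MIT krb5. It
parses the AS_REQ/TGS_REQ records krb5kdc writes (format as quoted in the
thread for krb5 1.18) and reports, per client principal, TGTs issued,
failed pre-authentications and service-ticket requests refused because the
TGT lacked a required authentication indicator.
"""
import re
from collections import defaultdict

# One krb5kdc request record per line. The etype list in parentheses is
# skipped; "authtime ..., etypes {...}" is only present on ISSUE and policy
# rejection records, hence optional; the trailing reason is optional too.
_KDC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) "
    r"(?P<ip>\S+?): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\},? )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<reason>.*))?$"
)
_INDICATOR_RE = re.compile(r"Required auth indicators not present in ticket: (?P<ind>.+)$")


def parse_kdc_line(line):
    """Return a dict for an AS_REQ/TGS_REQ record, None for any other line."""
    m = _KDC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["missing_indicators"] = []
    if rec["reason"]:
        im = _INDICATOR_RE.search(rec["reason"])
        if im:
            # require_auth is a whitespace-separated list (assumption: commas tolerated too).
            rec["missing_indicators"] = re.split(r"[\s,]+", im.group("ind").strip())
    return rec


def indicator_denials(lines):
    """(client, service, missing indicators, source IP) for every TGS request
    the KDC refused because the TGT did not carry a required indicator."""
    denials = []
    for line in lines:
        rec = parse_kdc_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            denials.append((rec["client"], rec["server"], tuple(rec["missing_indicators"]), rec["ip"]))
    return denials


def summarize(lines):
    """Per-client counts of issued TGTs, failed pre-auth and indicator denials."""
    summary = defaultdict(lambda: {"tgt_issued": 0, "preauth_failed": 0, "indicator_denied": 0})
    for line in lines:
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        counts = summary[rec["client"]]
        if rec["req"] == "AS_REQ" and rec["status"] == "ISSUE":
            counts["tgt_issued"] += 1
        elif rec["req"] == "AS_REQ" and rec["status"] == "PREAUTH_FAILED":
            counts["preauth_failed"] += 1
        elif rec["req"] == "TGS_REQ" and rec["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            counts["indicator_denied"] += 1
    return dict(summary)


# Constructed sample, modelled on the records quoted in the thread (etype
# lists shortened). The bob records mirror the thread: a password login with
# krb5_validate = true. The alice records are invented: her TGT carried the
# "strong" indicator, so the host service ticket is issued.
SAMPLE_KDC_LOG = [
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required",
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN",
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong",
    "Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: Incorrect password in encrypted challenge",
    "Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.89.0.17: PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge",
    "Dec 22 12:07:30 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.89.0.17: ISSUE: authtime 1608638850, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN",
    "Dec 22 12:07:30 kerb.dns.podman krb5kdc[547](info): TGS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.89.0.17: ISSUE: authtime 1608638850, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, alice@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN",
]

if __name__ == "__main__":
    for client, counts in sorted(summarize(SAMPLE_KDC_LOG).items()):
        print(client, counts)
    for client, service, missing, ip in indicator_denials(SAMPLE_KDC_LOG):
        print(f"ALERT {client} from {ip} refused for {service}: missing {' '.join(missing)}")
```

Run it as is to see the report for the sample, or pass the lines of the real KDC log to summarize() and indicator_denials(). The denial list is the part worth forwarding to monitoring: a client principal that is supposed to authenticate with OTP and still produces HIGHER_AUTHENTICATION_REQUIRED denials is one whose password pre-authentication is still accepted by the KDC, which is exactly what the thread reports for bob; alice, whose keys were purged, can only obtain a TGT through OTP and never shows up there.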