URL: https://github.com/freeipa/freeipa/pull/4015
Author: sumit-bose
Title: #4015: ipa-kdd: Remove keys password auth is disabled
Action: opened

PR body:
"""
With commit 15ff9c8 a check was removed and as a result Kerberos keys are unconditionally added to the user entry struct if they are available. As a result the password related pre-authentication methods PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if password authentication is disabled for the given principal the policy will reject the AS_REQ if the user tries password authentication. This is possible because with commit 15ff9c8 kinit will ask for a password if called without any additional options (e.g. armor ticket or PKINIT identity). Before 15ff9c8 was committed it just failed with 'kinit: Pre-authentication failed: Invalid argument while getting initial credentials' because no suitable pre-authentication method was available. This is the same behavior as if no password was set for the given principal.

But with this change SSSD fails to detect the available authentication types for the given principal properly. As described in https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html SSSD uses the MIT Kerberos responder interface to determine the available authentication methods for the principal and does not check the ipaUserAuthType LDAP attribute. As a result, if a user has 2FA (otp) authentication configured, which implies that a password is set as the first factor, the responder interface will always indicate that password authentication is available even if only otp is enabled for the user. In this case SSSD will use a prompting which indicates that the second factor might be optional. Additionally, if prompting the user directly is not possible (e.g. ssh with ChallengeResponseAuthentication / KbdInteractiveAuthentication disabled) the single string entered by the user will always be assumed to be a password and not a combination of password and otp-token value. As a consequence authentication will always fail because password authentication is disabled for the user, and since SSSD does not do trial-and-error, 2FA is not tried.

This patch adds back the check so that if password authentication is not available for the principal the Kerberos keys will not be added to the entry struct and the KDC will not advertise PA-ENC-TIMESTAMP or PA-ETYPE-INFO2.

If you think this is wrong and the behavior added by 15ff9c8 should be preferred, SSSD handling of the available authentication types must be extended to read ipaUserAuthType as well to restore the user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4015/head:pr4015
git checkout pr4015
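The chain described in the PR body (keys loaded into the entry, password pre-auth types advertised, SSSD deriving its prompting from the advertised types, and the KDC policy rejecting the resulting password attempt) is easier to follow as a runnable model. The following is an added example written for this page, not FreeIPA or SSSD code: the UserAuth flag values, the PA-type strings and the simplified responder and policy logic are constructed assumptions that only mirror the behaviour the PR text describes, with `with_check` switching between the post-15ff9c8 behaviour and the condition this patch adds.

```python
from enum import Flag, auto


class UserAuth(Flag):
    """Constructed model of ipaUserAuthType; bit values are assumptions."""
    NONE = 0          # nothing set on the user: the server-wide default applies
    PASSWORD = auto()
    OTP = auto()
    RADIUS = auto()


PA_ENC_TIMESTAMP = "PA-ENC-TIMESTAMP"
PA_ETYPE_INFO2 = "PA-ETYPE-INFO2"
PA_OTP_CHALLENGE = "PA-OTP-CHALLENGE"


def kdc_loads_keys(ua, has_keys, with_check):
    """KDC side: do the principal's long-term keys go into the entry struct?
    with_check=False models the post-15ff9c8 code (keys always loaded),
    with_check=True applies the condition the patch adds."""
    if not has_keys:
        return False
    if with_check and not (ua & UserAuth.PASSWORD) and ua != UserAuth.NONE:
        return False          # treated like a principal without keys
    return True


def kdc_advertised_preauth(ua, has_keys, with_check):
    """Simplified NEEDED_PREAUTH contents: password-derived types are only
    advertised when keys were loaded; the OTP challenge when OTP is enabled."""
    pa = []
    if kdc_loads_keys(ua, has_keys, with_check):
        pa += [PA_ETYPE_INFO2, PA_ENC_TIMESTAMP]
    if ua & UserAuth.OTP:
        pa.append(PA_OTP_CHALLENGE)
    return pa


def kdc_policy_accepts(ua, method):
    """Policy check on the method the client finally uses in its AS_REQ."""
    if method == PA_ENC_TIMESTAMP:
        return ua == UserAuth.NONE or bool(ua & UserAuth.PASSWORD)
    if method == PA_OTP_CHALLENGE:
        return bool(ua & UserAuth.OTP)
    return False


def client_prompting(pa):
    """SSSD-style decision taken from the responder interface alone,
    without consulting ipaUserAuthType."""
    pw = PA_ENC_TIMESTAMP in pa
    otp = PA_OTP_CHALLENGE in pa
    if pw and otp:
        return "2fa-optional"   # second factor offered but may be skipped
    if otp:
        return "2fa-required"
    if pw:
        return "password"
    return "none"


def client_single_string_method(pa):
    """Non-interactive login with one string (e.g. ssh without
    keyboard-interactive): sent as a plain password unless 2FA is the only
    option, in which case it is treated as password+token for OTP."""
    mode = client_prompting(pa)
    if mode == "2fa-required":
        return PA_OTP_CHALLENGE
    if mode in ("password", "2fa-optional"):
        return PA_ENC_TIMESTAMP
    return None


def login_outcome(ua, has_keys, with_check):
    """Return (prompting mode, method used, accepted by KDC policy)."""
    pa = kdc_advertised_preauth(ua, has_keys, with_check)
    method = client_single_string_method(pa)
    accepted = method is not None and kdc_policy_accepts(ua, method)
    return client_prompting(pa), method, accepted


if __name__ == "__main__":
    # OTP-only user: a password exists as the first factor (keys present),
    # but password authentication on its own is not enabled.
    otp_only = UserAuth.OTP
    for with_check in (False, True):
        label = "with patch check" if with_check else "post-15ff9c8, no check"
        print(label, login_outcome(otp_only, True, with_check))
```

Without the check the OTP-only user is offered "2fa-optional" prompting, the single string goes out as a password and policy rejects it; with the check only the OTP challenge is advertised, the string is used as password+token and the login succeeds. A user with no per-user auth type (`UserAuth.NONE`) keeps password pre-auth in both variants, which is what the `ua != IPADB_USER_AUTH_NONE` part of the patch's condition preserves.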
From a29c424a3144c939bfa0c4dc5e96519f493fae8f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 11 Dec 2019 10:47:33 +0100
Subject: [PATCH] ipa-kdd: Remove keys password auth is disabled

With commit 15ff9c8 a check was removed and as a result Kerberos keys are unconditionally added to the user entry struct if they are available. As a result the password related pre-authentication methods PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if password authentication is disabled for the given principal the policy will reject the AS_REQ if the user tries password authentication. This is possible because with commit 15ff9c8 kinit will ask for a password if called without any additional options (e.g. armor ticket or PKINIT identity). Before 15ff9c8 was committed it just failed with 'kinit: Pre-authentication failed: Invalid argument while getting initial credentials' because no suitable pre-authentication method was available. This is the same behavior as if no password was set for the given principal.

But with this change SSSD fails to detect the available authentication types for the given principal properly. As described in https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html SSSD uses the MIT Kerberos responder interface to determine the available authentication methods for the principal and does not check the ipaUserAuthType LDAP attribute. As a result, if a user has 2FA (otp) authentication configured, which implies that a password is set as the first factor, the responder interface will always indicate that password authentication is available even if only otp is enabled for the user. In this case SSSD will use a prompting which indicates that the second factor might be optional. Additionally, if prompting the user directly is not possible (e.g. ssh with ChallengeResponseAuthentication / KbdInteractiveAuthentication disabled) the single string entered by the user will always be assumed to be a password and not a combination of password and otp-token value. As a consequence authentication will always fail because password authentication is disabled for the user, and since SSSD does not do trial-and-error, 2FA is not tried.

This patch adds back the check so that if password authentication is not available for the principal the Kerberos keys will not be added to the entry struct and the KDC will not advertise PA-ENC-TIMESTAMP or PA-ETYPE-INFO2.

If you think this is wrong and the behavior added by 15ff9c8 should be preferred, SSSD handling of the available authentication types must be extended to read ipaUserAuthType as well to restore the user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 73085e813b..7da2584737 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -774,6 +774,15 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, &res_key_data, &result, &mkvno); switch (ret) { case 0: + /* Only set a principal's key if password auth should be used to make + * sure that the KDC relies do not advertise password auth if not + * available. */ + if (!(ua & IPADB_USER_AUTH_PASSWORD) && ua != IPADB_USER_AUTH_NONE) { + /* This is the same behavior as ENOENT below. */ + ipa_krb5_free_key_data(res_key_data, result); + break; + } + entry->key_data = res_key_data; entry->n_key_data = result; if (mkvno) {
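Review bot: the added comment reads "the KDC relies do not advertise password auth", which should be "replies". On the condition itself, `ua != IPADB_USER_AUTH_NONE` keeps the keys whenever no per-user auth type is recorded, so the check only has the intended effect if `ua` already reflects the server-wide default at this point in ipadb_parse_ldap_entry(); if it is still the raw per-user value, a user who inherits an OTP-only default from the global setting would keep advertising PA-ENC-TIMESTAMP and PA-ETYPE-INFO2, which is exactly the SSSD prompting problem this change is meant to fix. Please confirm where `ua` is resolved, and consider a test for the OTP-only principal that asserts the NEEDED_PREAUTH reply carries no password pre-auth types. The "same behavior as ENOENT below" comment relies on `break` leaving entry->key_data and entry->n_key_data at their initial values; a short note on that would help the next reader. Finally, the subject line "ipa-kdd: Remove keys password auth is disabled" is missing "if", and the component is daemons/ipa-kdb, so "ipa-kdb: Remove keys if password auth is disabled" would match the patch.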
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org