On 5.2.2014 18:54, Alexander Bokovoy wrote:
On Wed, 05 Feb 2014, Nathaniel McCallum wrote:
On Tue, 2014-01-21 at 17:45 +0100, Petr Vobornik wrote:
from ipaserver.dcerpc import DomainValidator
Patch 541 is NACK because ipaserver.dcerpc only exists in
freeipa-server-trust-ad.
I agree. Instead of modifying highly specialized code in
ipaserver.dcerpc, you can extend the general-purpose kinit code in
ipapython/ipautil.py or add a separate one there to handle the FAST part.
I've implemented a new version of patch 541 which doesn't use the dcerpc
module (attached).
This new version might be incorrect as well. The new form based login
works as follows:
- calls kinit with HTTP keytab to get armor ccache
- calls kinit with user credentials and armor_ccache
- calls kdestroy to cleanup the armor_ccache
It was inspired by existing code in dcerpc.py and rpcserver.py.
The question is whether we should avoid calling sub-processes and rather
use krbV lib as in ipapython.ipautil.kinit_hostprincipal. Rob mentioned
that subprocess calls within Apache are quite expensive.
--
Petr Vobornik
From ab506a6312515b2f668fda22484c129d6556f8f4 Mon Sep 17 00:00:00 2001
From: Petr Vobornik <[email protected]>
Date: Thu, 9 Jan 2014 14:54:30 +0100
Subject: [PATCH] Support OTP in form based auth
OTP requires the use of a Kerberos FAST channel. A ccache with a ticket obtained using ipa.keytab is used as the armor.
https://fedorahosted.org/freeipa/ticket/3369
---
ipaserver/rpcserver.py | 38 ++++++++++++++++++++++++++++++++------
1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index a58c853553daba322be40f15f243082feacf2edd..c05740ded0ecfd3ccc51f33f8e8bfdd80ebf06bc 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -42,12 +42,14 @@ from ipalib.rpc import (xml_dumps, xml_loads,
from ipalib.util import parse_time_duration, normalize_name
from ipapython.dn import DN
from ipaserver.plugins.ldap2 import ldap2
-from ipalib.session import (session_mgr, AuthManager, get_ipa_ccache_name,
+from ipalib.session import (
+ session_mgr, AuthManager, get_ipa_ccache_name,
load_ccache_data, bind_ipa_ccache, release_ipa_ccache, fmt_time,
- default_max_session_duration)
+ default_max_session_duration, krbccache_dir, krbccache_prefix)
from ipalib.backend import Backend
from ipalib.krb_utils import (
- KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name)
+ KRB5_CCache, krb_ticket_expiration_threshold, krb5_format_principal_name,
+ krb5_format_service_principal_name)
from ipapython import ipautil
from ipapython.version import VERSION
from ipalib.text import _
@@ -973,15 +975,39 @@ class login_password(Backend, KerberosSession, HTTP_Status):
return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
def kinit(self, user, realm, password, ccache_name):
+ # get http service ccache as an armor for FAST to enable OTP authentication
+ armor_principal = krb5_format_service_principal_name(
+ 'HTTP', self.api.env.host, realm)
+ keytab = '/etc/httpd/conf/ipa.keytab'
+ armor_name = "%sA_%s" % (krbccache_prefix, user)
+ armor_path = os.path.join(krbccache_dir, armor_name)
+
+ self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
+ armor_principal, keytab, armor_path)
+
+ (stdout, stderr, returncode) = ipautil.run(
+ ['/usr/bin/kinit', '-kt', keytab, armor_principal],
+ env={'KRB5CCNAME': armor_path}, raiseonerr=False)
+
+ if returncode != 0:
+ raise CCacheError()
+
# Format the user as a kerberos principal
principal = krb5_format_principal_name(user, realm)
- (stdout, stderr, returncode) = ipautil.run(['/usr/bin/kinit', principal],
- env={'KRB5CCNAME':ccache_name},
- stdin=password, raiseonerr=False)
+ (stdout, stderr, returncode) = ipautil.run(
+ ['/usr/bin/kinit', principal, '-T', armor_path],
+ env={'KRB5CCNAME': ccache_name}, stdin=password, raiseonerr=False)
+
self.debug('kinit: principal=%s returncode=%s, stderr="%s"',
principal, returncode, stderr)
+ self.debug('Cleanup the armor ccache')
+ ipautil.run(
+ ['/usr/bin/kdestroy', '-A', '-c', armor_path],
+ env={'KRB5CCNAME': armor_path},
+ raiseonerr=False)
+
if returncode != 0:
raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
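Review bot: The armor ccache path built at `armor_name = "%sA_%s" % (krbccache_prefix, user)` and `os.path.join(krbccache_dir, armor_name)` is derived from the form-supplied user name, so a name containing path separators or `..` places the armor file outside krbccache_dir unless the caller already rejects such names, and two concurrent logins for the same user share one armor file, so one request's `kdestroy -A` can remove the armor the other request is about to pass via `-T`. The kdestroy is also skipped when the first kinit fails (`raise CCacheError()` comes before it) or when the second ipautil.run raises, so a partially written armor file can be left behind, and the first failure path discards stderr, leaving a keytab problem undiagnosable. Creating a per-request file with `tempfile.mkstemp(prefix=..., dir=krbccache_dir)` (needs `import tempfile` at module level), running the user kinit inside `try/finally` with the cleanup in the `finally`, and logging stderr before raising CCacheError addresses all three. kinit's body may continue past the end of this hunk.
```python
    def kinit(self, user, realm, password, ccache_name):
        # get http service ccache as an armor for FAST to enable OTP authentication
        armor_principal = krb5_format_service_principal_name(
            'HTTP', self.api.env.host, realm)
        keytab = '/etc/httpd/conf/ipa.keytab'
        # per-request armor ccache: not derived from the untrusted user name
        # and not shared between concurrent logins of the same user
        armor_fd, armor_path = tempfile.mkstemp(
            prefix="%sA_" % krbccache_prefix, dir=krbccache_dir)
        os.close(armor_fd)

        try:
            self.debug('Obtaining armor ccache: principal=%s keytab=%s ccache=%s',
                       armor_principal, keytab, armor_path)

            (stdout, stderr, returncode) = ipautil.run(
                ['/usr/bin/kinit', '-kt', keytab, armor_principal],
                env={'KRB5CCNAME': armor_path}, raiseonerr=False)

            if returncode != 0:
                self.debug('armor kinit: principal=%s returncode=%s, stderr="%s"',
                           armor_principal, returncode, stderr)
                raise CCacheError()

            # … unchanged: user principal kinit with '-T', armor_path and its debug log …
        finally:
            self.debug('Cleanup the armor ccache')
            ipautil.run(
                ['/usr/bin/kdestroy', '-A', '-c', armor_path],
                env={'KRB5CCNAME': armor_path},
                raiseonerr=False)
            # the mkstemp file stays if kinit never wrote a cache into it
            if os.path.exists(armor_path):
                os.remove(armor_path)

        if returncode != 0:
            raise InvalidSessionPassword(principal=principal, message=unicode(stderr))
```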
--
1.8.5.3