Hello the List,
This turned out to be a workflow issue, we still have a problem but this first use case works. In the case of a user with an invalid password (none or expired) with no OTP token they can reset their password and ask IPA to create an OTP token for them. 1. Helpdesk agent uses FreeIPA API passwd method to issue a temporary password and pass it to the user 2. User uses ssh to login to 2FA host 3. SSH forces user through the reset password process and closes connection 4. User is not able to login without a OTP Token. A correct result. 5. User uses FreeIPA API otptoken-add method with new password to generate & receive OTP token 6. User is now able to SSH with password + OTP token. What isn't working is the case where a user has an invalid token (non, expired, or just reset) and a valid OTP token. 1. (Optional, but puts user into required state) Helpdesk agent uses FreeIPA API passwd method to issue a temporary password and pass it to the user 2. User uses ssh to login to 2FA host, which asks for temporary password. 3. SSH forces user through reser password process and closes connection. 4. User is now able to SSH with password + OTP poken In this case step 2 fails. The reset password process looks like this: login as: username Using keyboard-interactive authentication. Password: Access denied Using keyboard-interactive authentication. Password: Using keyboard-interactive authentication. Password expired. Change your password now. Current Password: Access denied The change password process fails. However, if we disable or delete their OTP token (which requires FreeIPA admin, not helpdesk role) they're able to reset their password. We don't want to have to give admin rights to the helpdesk agent for this. This is also complicated by that the FreeIPA API changes behaviour: * With an expired/password user can not connect to the API, even to do passwd to reset password * With an OTP token, users have to use passwordOTPCODE to access the API, which means they can't manage their otptoken if they've lost it or want to disable it so they can reset their password because they forgot it, or delete it. Is there a way of allowing users in the helpdesk group/role to be able to disable/enable or delete OTP tokens? They don't need to see the content, just allow users to restart the password and token request process. Is there a fix for the above workflow to allow a user with an OTP token to reset their password? Regards, Aaron Hicks From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] Sent: Tuesday, 21 November 2017 6:22 PM To: freeipa-users@lists.fedorahosted.org Subject: Expired passwords and generating an OTP token Hello the list, I think this is the last thing to make our terrible user management model work. With a helpdesk role via the REST API we can reset a users password, which is expired, because this is the right thing to do. These users are expected to log into a node with 2FA using an OTP token generated by FreeIPA. This works if a user has a valid password and a token. This is the only machine they have access to, as it's they lander node. They can not reach the FreeIPA web interface. They can use the FreeIPA API via our customer management system (CMS) either as them self or as a helpdek agent on their behalf. The CMS auth is SAML via federated shibboleth, so does not use our FreeIPA credentials. However, we have few use cases we need to work: Can a user generate an OTP token when their password is expired? Can a a user reset their password when they do not have an OTP token? Can a user reset their password when they can't log in to get the secret from thier OTP token? I think the shortest routes would be: - if a user could reset an expired password via the FreeIPA API, then use the otptoken_add method to create one all via our CMS. - if a user could reset thier password at the ssh login prompt if they have no token or don't have thier token. Then add a token via our CMS. Regards, Aaron Get Outlook for iOS <https://aka.ms/o0ukef>
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
