Hello the List,


This turned out to be a workflow issue, we still have a problem but this
first use case works.


In the case of a user with an invalid password (none or expired) with no OTP
token they can reset their password and ask IPA to create an OTP token for


1.      Helpdesk agent uses FreeIPA API passwd method to issue a temporary
password and pass it to the user
2.      User uses ssh to login to 2FA host
3.      SSH forces user through the reset password process and closes
4.      User is not able to log in without an OTP token. A correct result.
5.      User uses FreeIPA API otptoken-add method with new password to
generate & receive OTP token
6.      User is now able to SSH with password + OTP token.


What isn't working is the case where a user has an invalid token (none,
expired, or just reset) and a valid OTP token.


1.      (Optional, but puts user into required state) Helpdesk agent uses
FreeIPA API passwd method to issue a temporary password and pass it to the
2.      User uses ssh to login to 2FA host, which asks for temporary
3.      SSH forces user through reset password process and closes
4.      User is now able to SSH with password + OTP token


In this case step 2 fails. The reset password process looks like this:


login as: username

Using keyboard-interactive authentication.


Access denied 

Using keyboard-interactive authentication.


Using keyboard-interactive authentication.

Password expired. Change your password now. 

Current Password:

Access denied 


The change password process fails.


However, if we disable or delete their OTP token (which requires FreeIPA
admin, not helpdesk role) they're able to reset their password. We don't
want to have to give admin rights to the helpdesk agent for this.


This is also complicated by the fact that the FreeIPA API changes behaviour:

*       With an expired/password user can not connect to the API, even to do
passwd to reset password
*       With an OTP token, users have to use passwordOTPCODE to access the
API, which means they can't manage their otptoken if they've lost it or want
to disable it so they can reset their password because they forgot it,  or
delete it.


Is there a way of allowing users in the helpdesk group/role to be able to
disable/enable or delete OTP tokens? They don't need to see the content,
just allow users to restart the password and token request process.


Is there a fix for the above workflow to allow a user with an OTP token to
reset their password?




Aaron Hicks


From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Tuesday, 21 November 2017 6:22 PM
To: freeipa-users@lists.fedorahosted.org
Subject: Expired passwords and generating an OTP token


Hello the list,


I think this is the last thing to make our terrible user management model


With a helpdesk role via the REST API we can reset a user's password, which
is expired, because this is the right thing to do.


These users are expected to log into a node with 2FA using an OTP token
generated by FreeIPA. This works if a user has a valid password and a token.
This is the only machine they have access to, as it's their lander node. They
can not reach the FreeIPA web interface. They can use the FreeIPA API via
our customer management system (CMS) either as themselves or as a helpdesk
agent on their behalf. The CMS auth is SAML via federated shibboleth, so
does not use our FreeIPA credentials.


However, we have a few use cases we need to work:


Can a user generate an OTP token when their password is expired?


Can a user reset their password when they do not have an OTP token?


Can a user reset their password when they can't log in to get the secret
from their OTP token?


I think the shortest routes would be:


- if a user could reset an expired password via the FreeIPA API, then use
the otptoken_add method to create one all via our CMS.


- if a user could reset their password at the ssh login prompt if they have
no token or don't have their token. Then add a token via our CMS.






