On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the List,
> 
> This turned out to be a workflow issue, we still have a problem but this
> first use case works.
> 
> In the case of a user with an invalid password (none or expired) with no OTP
> token they can reset their password and ask IPA to create an OTP token for
> them.
> 
> 1.    Helpdesk agent uses FreeIPA API passwd method to issue a temporary
> password and pass it to the user
> 2.    User uses ssh to login to 2FA host
> 3.    SSH forces user through the reset password process and closes
> connection
> 4.    User is not able to login without an OTP Token. A correct result.
> 5.    User uses FreeIPA API otptoken-add method with new password to
> generate & receive OTP token
> 6.    User is now able to SSH with password + OTP token.
> 
> What isn't working is the case where a user has an invalid token (none,
> expired, or just reset) and a valid OTP token.
> 
> 1.    (Optional, but puts user into required state) Helpdesk agent uses
> FreeIPA API passwd method to issue a temporary password and pass it to the
> user
> 2.    User uses ssh to login to 2FA host, which asks for temporary
> password.
> 3.    SSH forces user through reset password process and closes
> connection.
> 4.    User is now able to SSH with password + OTP token
> 
> In this case step 2 fails. The reset password process looks like this:

What does your sshd PAM configuration look like, e.g. /etc/pam.d/sshd
(and included files)?

bye,
Sumit

> 
> login as: username
> Using keyboard-interactive authentication.
> Password:
> Access denied
> Using keyboard-interactive authentication.
> Password:
> Using keyboard-interactive authentication.
> Password expired. Change your password now.
> Current Password:
> Access denied
> 
> The change password process fails.
> 
> However, if we disable or delete their OTP token (which requires FreeIPA
> admin, not helpdesk role) they're able to reset their password. We don't
> want to have to give admin rights to the helpdesk agent for this.
> 
> This is also complicated by the fact that the FreeIPA API changes behaviour:
> 
> *     With an expired password a user can not connect to the API, even to do
> passwd to reset password
> *     With an OTP token, users have to use passwordOTPCODE to access the
> API, which means they can't manage their otptoken if they've lost it or want
> to disable it so they can reset their password because they forgot it, or
> delete it.
> 
> Is there a way of allowing users in the helpdesk group/role to be able to
> disable/enable or delete OTP tokens? They don't need to see the content,
> just allow users to restart the password and token request process.
> 
> Is there a fix for the above workflow to allow a user with an OTP token to
> reset their password?
> 
> Regards,
> 
> Aaron Hicks
> 
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
> Sent: Tuesday, 21 November 2017 6:22 PM
> To: freeipa-users@lists.fedorahosted.org
> Subject: Expired passwords and generating an OTP token
> 
> Hello the list,
> 
> I think this is the last thing to make our terrible user management model
> work.
> 
> With a helpdesk role via the REST API we can reset a user's password, which
> is expired, because this is the right thing to do.
> 
> These users are expected to log into a node with 2FA using an OTP token
> generated by FreeIPA. This works if a user has a valid password and a token.
> This is the only machine they have access to, as it's the lander node. They
> can not reach the FreeIPA web interface. They can use the FreeIPA API via
> our customer management system (CMS) either as themselves or as a helpdesk
> agent on their behalf. The CMS auth is SAML via federated shibboleth, so
> does not use our FreeIPA credentials.
> 
> However, we have a few use cases we need to work:
> 
> Can a user generate an OTP token when their password is expired?
> 
> Can a user reset their password when they do not have an OTP token?
> 
> Can a user reset their password when they can't log in to get the secret
> from their OTP token?
> 
> I think the shortest routes would be:
> 
> - if a user could reset an expired password via the FreeIPA API, then use
> the otptoken_add method to create one all via our CMS.
> 
> - if a user could reset their password at the ssh login prompt if they have
> no token or don't have their token. Then add a token via our CMS.
> 
> Regards,
> 
> Aaron
> 

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org