Oh, this requires the pam_krb5 package :P

________________________________
From: Aaron Hicks <aaron.hi...@nesi.org.nz>
Sent: Tuesday, November 28, 2017 2:28:15 PM
To: 'FreeIPA users list'
Cc: 'Sumit Bose'
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hello the List,


We have a workaround, but it is not entirely satisfactory: we change
/etc/pam.d/password-auth-ac to

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so chpw_prompt=true use_authtok # fix for password reset

This allows a user to reset a password if expired, but gives them shell rather 
than disconnecting. New ssh connections now require 2FA.



We’re now quite certain it’s a bug in sssd & pam_sss



Regards,



Aaron


From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Friday, 24 November 2017 4:57 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Cc: 'Sumit Bose' <sb...@redhat.com>
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hello the list,

It’s here: 
https://pagure.io/SSSD/sssd/blob/master/f/src/providers/ipa/ipa_auth.c#_395

SSSD is not doing its job properly when a user has an expired password and an 
OTP token, and they should reset their password at the ssh prompt.

When a user has an expired password it should ignore the OTP token during 
password reset process, and then disconnect.

The condition where an expired or compromised temporary password is obtained by 
an unauthorised entity means that as long as the unauthorised entity does not 
have the OTP token secret, the worst they can do is reset your password. This 
condition is escaped when someone, either the user, a helpdesk agent, or an 
admin, resets the password to something the unauthorised entity doesn’t know.

The case of the unauthorised entity having both the password and OTP token is 
already recognised as a compromised state, so the code doesn’t need to protect 
us from that.

Regards,

Aaron

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 5:44 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Cc: 'Sumit Bose' <sb...@redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token

Progress,

We made PAM use kinit username when a user had an expired password, and this 
allowed users to reset passwords at the ssh prompt.

However passwd remains broken on all the hosts, regardless of their auth 
indicator.

Aaron

________________________________
From: Aaron Hicks <aaron.hi...@nesi.org.nz>
Sent: Thursday, November 23, 2017 4:25:12 PM
To: 'FreeIPA users list'
Cc: 'Sumit Bose'
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hello the list,

The next bit of information is that the passwd command itself is broken when a 
user has an OTP token set.

$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error
$ passwd
Changing password for user otpuser1.
Current Password:
passwd: Authentication token manipulation error

These were with the user’s valid-not-expired password, and with passwordOTPCODE

The Current Password: prompt fails.


Regards,

Aaron


From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 3:44 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Cc: 'Sumit Bose' <sb...@redhat.com>
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hello the list,

We’ve kept at this today and this is what we think we are seeing:


  * Preauth is detecting that a user has an expired password and a token, so discards the token and just asks for password
  * Password check succeeds and hands to the password change process (maybe using /etc/pam.d/passwd and /etc/pam.d/system-auth)
  * BUT the Current Password: check fails because it doesn’t preauth to check if the password is expired
  * AND because the password is expired passwordOTPCODE is not valid either

Similarly, accounts with expired passwords can’t authenticate against the API 
because their password is expired. Which would at least allow our customer 
management system to disable or delete their OTP token so they can reset their 
passwords.

In addition to this, users are not able to reset passwords at the ssh login on 
hosts where 2FA is not enabled either! So this seems to be narrowing down on 
the bits of pam and sssd used to authenticate the password change process.

An interesting note is, kinit does not require OTPCODE.

Finally, no, users do not have access to the FreeIPA web interface or a host 
without 2FA. The 2FA-secured host is to be their lander node into our network.

Regards,

Aaron
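
The PAM control-flag behaviour behind both the passwd failure analysed in the message above and the pam_krb5 workaround quoted at the top of this thread, as an added example that is not code from the thread, from SSSD or from FreeIPA. It simulates how Linux-PAM walks a "password" stack (requisite/required/sufficient, and the two phases pam_chauthtok runs) over the stock CentOS 7 password-auth-ac stack and over the edited one. The per-module results in OTP_USER and LOCAL_USER are assumptions chosen to match the symptom described (an IPA user with an OTP token, absent from /etc/shadow, whose pam_sss "Current Password:" check fails), and the trailing `password required pam_deny.so` line is the stock stack's, which the quoted edit does not show.

```python
# Added example: a simulator for the control-flag logic Linux-PAM applies
# to a "password" stack. Not code from the thread, SSSD or FreeIPA.
# Stack texts follow the CentOS 7 password-auth-ac layout; the commented
# pam_sss line and the pam_krb5 line are the edit from the thread.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"                # module asked to be skipped
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"      # passwd prints this as
                                         # "Authentication token manipulation error"
PAM_PERM_DENIED = "PAM_PERM_DENIED"      # Linux-PAM's result when no module decided

STOCK_STACK = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
"""

WORKAROUND_STACK = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_krb5.so chpw_prompt=true use_authtok
password    required      pam_deny.so
"""

# Assumed per-module results (not measured) for the user in the thread:
# an IPA user with an OTP token who is absent from /etc/shadow.
OTP_USER = {
    "pam_pwquality.so": PAM_IGNORE,      # local_users_only: not a local user
    "pam_unix.so": PAM_USER_UNKNOWN,     # no entry in /etc/shadow
    "pam_sss.so": PAM_AUTHTOK_ERR,       # the failing "Current Password:" check
    "pam_krb5.so": PAM_SUCCESS,          # assumed: change goes straight to the KDC
    "pam_deny.so": PAM_AUTHTOK_ERR,      # pam_deny always fails chauthtok this way
}
# A local account for comparison: pam_unix handles it before anything else.
LOCAL_USER = {
    "pam_pwquality.so": PAM_SUCCESS,
    "pam_unix.so": PAM_SUCCESS,
    "pam_sss.so": PAM_USER_UNKNOWN,
    "pam_krb5.so": PAM_USER_UNKNOWN,
    "pam_deny.so": PAM_AUTHTOK_ERR,
}

PASSWD_MESSAGES = {PAM_AUTHTOK_ERR: "Authentication token manipulation error"}

def parse_stack(text, mtype="password"):
    """Return [(control, module)] for one management group; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mtype:
            entries.append((fields[1], fields[2]))
    return entries

def run_phase(entries, results):
    """One pass over the stack with the classic requisite/required/sufficient rules."""
    impression = None             # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED
    for control, module in entries:
        rc = results.get(module, PAM_PERM_DENIED)   # unknown module: treat as denial
        if rc == PAM_IGNORE:
            continue
        ok = rc == PAM_SUCCESS
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = True, PAM_SUCCESS
            else:
                if impression is not False:
                    impression, status = False, rc   # first failure wins
                if control == "requisite":
                    return status                     # and aborts the stack
        elif control == "sufficient":
            if ok and impression is not False:
                return PAM_SUCCESS                    # short-circuits the rest
            # a failing sufficient module is simply ignored
        else:
            raise ValueError(f"control flag {control!r} not modelled")
    return status

def chauthtok(stack_text, results):
    """pam_chauthtok() runs the stack twice: PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK."""
    entries = parse_stack(stack_text)
    prelim = run_phase(entries, results)
    if prelim != PAM_SUCCESS:
        return ("PRELIM_CHECK", prelim)   # what the user sees at "Current Password:"
    return ("UPDATE_AUTHTOK", run_phase(entries, results))

def passwd_message(rc):
    return PASSWD_MESSAGES.get(rc, rc)

if __name__ == "__main__":
    for name, stack in (("stock", STOCK_STACK), ("workaround", WORKAROUND_STACK)):
        phase, rc = chauthtok(stack, OTP_USER)
        print(f"{name:10s} otpuser1 -> {phase}: {passwd_message(rc)}")
```

With the stock stack the two sufficient modules both fail, their failures are discarded, and pam_deny's required failure becomes the result of the preliminary check, which is exactly the "Authentication token manipulation error" at the "Current Password:" prompt. With the edit, pam_krb5 succeeds as a sufficient module and the stack returns before pam_deny is reached; pam_sss is no longer consulted at all for password changes, which is why the workaround sidesteps the sssd behaviour rather than fixing it.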
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 10:33 AM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Cc: 'Sumit Bose' <sb...@redhat.com>
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hello the List,

A couple of new things to this problem, when a user has an expired password and 
a valid OTP token, the password reset process is broken on all machines at the 
ssh prompt. Even the ones that do not require 2FA.

Feedback so far from Sumit indicates this is incorrect behaviour.

As an attempt to get around this, I’ve tried adding a permission to the 
helpdesk role that would allow them to manage OTP tokens. I’ll submit another 
thread on that.

Regards,

Aaron

From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
Sent: Thursday, 23 November 2017 6:31 AM
To: Sumit Bose <sb...@redhat.com>
Cc: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>; 'Sumit Bose' <sb...@redhat.com>
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hi Sumit,

I sent those to you directly as I wasn’t comfortable posting them to the list.

Regards,

Aaron

________________________________
From: Sumit Bose <sb...@redhat.com>
Sent: Wednesday, November 22, 2017 10:19:34 PM
To: Aaron Hicks
Cc: 'FreeIPA users list'; 'Sumit Bose'
Subject: Re: [Freeipa-users] Re: Expired passwords and generating an OTP token

On Wed, Nov 22, 2017 at 09:21:52PM +1300, Aaron Hicks wrote:
> Hi Sumit,
>
> Here is /etc/pam.d/password-auth. I missed that it was an include, and that you 
> wanted it too; again it's as installed by CentOS 7.4 and ipa-client-install
>

ok, the PAM configuration looks good. Can you send me the PAM related
messages from /var/log/secure or the journal which cover the failed
attempt? And additionally the SSSD logs with debug_level=9 from the same
time. Most important would be sssd_pam.log, sssd_domain.name.log and
krb5_child.log.

bye,
Sumit
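
The log slice Sumit asks for, pulled out programmatically, as an added example that is not part of the thread or of SSSD: it filters a /var/log/secure excerpt down to the pam_sss password-change (chauthtok) failures for one user and lists the sssd_pam.log lines written within a couple of seconds of each, which is the window worth sending together with the domain log and krb5_child.log. Both excerpts are constructed for this example; they imitate the syslog and SSSD debug-log layouts, and the host name, PIDs, domain name and timestamps are placeholders, not data from the poster's systems.

```python
# Added example, not from the thread or from SSSD. Given excerpts of
# /var/log/secure and sssd_pam.log, extract the pam_sss password-change
# (chauthtok) failures for one user and the SSSD lines written within a
# short window of each. Both excerpts below are constructed for this
# example; they imitate the syslog and SSSD debug-log layouts and are not
# taken from a real host.
import re
from datetime import datetime, timedelta

SECURE = """\
Nov 23 15:40:02 lander sshd[4112]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=otpuser1
Nov 23 15:40:12 lander passwd[4130]: pam_unix(passwd:chauthtok): user "otpuser1" does not exist in /etc/passwd
Nov 23 15:40:12 lander passwd[4130]: pam_sss(passwd:chauthtok): Password change failed for user otpuser1: 20 (Authentication token manipulation error)
Nov 23 15:41:03 lander passwd[4141]: pam_sss(passwd:chauthtok): Password change failed for user otpuser1: 20 (Authentication token manipulation error)
Nov 23 15:45:30 lander passwd[4190]: pam_unix(passwd:chauthtok): password changed for localadmin
"""

SSSD_PAM = """\
(Thu Nov 23 15:40:12 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Thu Nov 23 15:40:12 2017) [sssd[pam]] [pam_print_data] (0x0100): user: otpuser1
(Thu Nov 23 15:40:12 2017) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [20 (Authentication token manipulation error)][ipa.example.nz]
(Thu Nov 23 15:41:03 2017) [sssd[pam]] [pam_print_data] (0x0100): command: SSS_PAM_CHAUTHTOK_PRELIM
(Thu Nov 23 15:41:03 2017) [sssd[pam]] [pam_dp_process_reply] (0x0100): received: [20 (Authentication token manipulation error)][ipa.example.nz]
"""

# syslog line: "Mon DD HH:MM:SS host proc[pid]: pam_x(service:type): message"
SECURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<svc>\w+):(?P<type>\w+)\): (?P<msg>.*)$")
# SSSD debug line: "(Day Mon DD HH:MM:SS[:usec] YYYY) [sssd[comp]] [func] (0xLEVEL): message"
SSSD_RE = re.compile(
    r"^\((?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d(?::\d+)? \d{4})\) "
    r"\[sssd\[(?P<comp>\w+)\]\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")

def parse_secure(text, year=2017):
    """PAM lines from /var/log/secure; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = SECURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "pid": int(m["pid"]), "module": m["module"],
                       "service": m["svc"], "type": m["type"], "msg": m["msg"]})
    return events

def parse_sssd(text):
    """Lines from an SSSD debug log, tolerating the optional microsecond field."""
    events = []
    for line in text.splitlines():
        m = SSSD_RE.match(line)
        if not m:
            continue
        ts_text = re.sub(r"(\d\d:\d\d:\d\d):\d+", r"\1", m["ts"])   # drop :usec if present
        ts = datetime.strptime(ts_text, "%a %b %d %H:%M:%S %Y")
        events.append({"ts": ts, "func": m["func"], "msg": m["msg"]})
    return events

def chauthtok_failures(secure_events, user):
    """pam_sss password-change failures for one user."""
    return [e for e in secure_events
            if e["type"] == "chauthtok" and e["module"] == "pam_sss"
            and f"for user {user}:" in e["msg"]]

def correlate(failures, sssd_events, window=timedelta(seconds=2)):
    """Pair each failure with the SSSD lines logged within +/- window of it."""
    return [(f, [s for s in sssd_events if abs(s["ts"] - f["ts"]) <= window])
            for f in failures]

if __name__ == "__main__":
    fails = chauthtok_failures(parse_secure(SECURE), "otpuser1")
    for f, nearby in correlate(fails, parse_sssd(SSSD_PAM)):
        print(f"{f['ts']} passwd[{f['pid']}]: {f['msg']}")
        for s in nearby:
            print(f"    sssd_pam [{s['func']}] {s['msg']}")
```

The same window, applied to sssd_<domain>.log and krb5_child.log, gives the matching back-end and Kerberos lines; with debug_level=9 those files grow quickly, so cutting them to the failed attempt is what keeps the report readable.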
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
