Hi, I am interested in understanding the process of user authentication in the FreeIPA WebUI behind the scenes. However, the available information is scattered, and I am struggling to piece it all together. I have attached a diagram illustrating my current understanding, which I know is incorrect. To clarify my confusion, I will break down each point into specific questions:
https://tinyurl.com/freeipa-auth - link to the scheme in draw.io https://imgur.com/mQEvred - scheme image 1. So user is already sees before him FreeIPA login form. He types his login/password and submits the form 2. Request goes to /ipa/login_password. /ipa/login_password location by itself does not offer much: <Location "/ipa/session/login_password"> Satisfy Any Require all granted </Location> The interesting part is actually at /ipa location which handled by mod_auth_gssapi: <Location "/ipa"> AuthType GSSAPI AuthName "Kerberos Login" GssapiUseSessions On Session On SessionCookieName ipa_session path=/ipa;httponly;secure; SessionHeader IPASESSION GssapiSessionKey file:/etc/httpd/alias/ipasession.key GssapiImpersonate On GssapiDelegCcacheDir /run/ipa/ccaches GssapiDelegCcachePerms mode:0660 GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html Header always append X-Frame-Options DENY Header always append Content-Security-Policy "frame-ancestors 'none'" Header unset Set-Cookie Header unset ETag FileETag None </Location> Here is where things become vague for me. We see *GssapiImpersonate On* and *GssapiUseS4U2Proxy on*. ``` GssapiImpersonate This option can be used even if AuthType GSSAPI is not used for given Location or LocationMatch, to obtain service ticket for a user that was already authenticated by different module ``` and ``` GssapiUseS4U2Proxy Enables the use of the s4u2Proxy Kerberos extension also known as constrained delegation This option allows an application running within Apache to operate on behalf of the user against other servers by using the provided ticket (subject to KDC authorization). ``` So why do we need both? Isn't GssapiUseS4U2Proxy enough to issue service tickets on behalf of user and use them? Also, is there is no TGT actually obtained for the client's principal, only service tickets? 3. Here I have basic understanding that Apache need somehow to talk to KDC. It does it with help of mod_auth_gssapi, which implements GSS-API interface for Apache. Apache itself does not aware of any KDC or other auth provider present, cause there is no settings in apache config about it. So let's say apache makes some gssapi function call to initiate exchange. - Does it start with SPNEGO negotioation, or directly "asks" for kerberos5 mechanism? (cause it is in the settings GssapiAllowedMech krb5). We have a /etc/gss file with following settings: [root@ipa-test conf.d]# cat /etc/gss/mech.d/gssproxy.conf # GSS-API mechanism plugins # # Mechanism Name Object Identifier Shared Library Path Other Options gssproxy_v1 2.16.840.1.113730.3.8.15.1 /usr/lib64/gssproxy/proxymech.so <interposer> I guess by it we can confirm that gssproxy intercept all the gssapi calls on the host? Next look at the gssproxy config for the ipa: [root@ipa-test ~]# cat /etc/gssproxy/10-ipa.conf #Installed and maintained by ipa update tools, please do not modify [service/ipa-httpd] mechs = krb5 cred_store = keytab:/var/lib/ipa/gssproxy/http.keytab cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab allow_protocol_transition = true allow_client_ccache_sync = true cred_usage = both euid = apache [service/ipa-api] mechs = krb5 cred_store = keytab:/var/lib/ipa/gssproxy/http.keytab allow_constrained_delegation = true allow_client_ccache_sync = true cred_usage = initiate euid = ipaapi [service/ipa-sweeper] mechs = krb5 cred_store = keytab:/var/lib/ipa/gssproxy/http.keytab socket = /var/lib/gssproxy/ipa_ccache_sweeper.sock euid = ipaapi cred_usage = initiate Let's review options for ipa-httpd and ipa-api services: - allow_protocol_transition (This option controls whether s4u2self requests are allowed for the requesting client) Ok, understandable, we need it in conjuction with GssapiUseS4U2Proxy on of the Apache, otherways it won't work. Though it is present for service/ipa-api and not for the service/ipa-httpd. Why so? - allow_client_ccache_sync This one is kind of vague for me. This option allows the proxy, in certain circumstances, to send back an additional option in the response structure of certain calls when it determines that a new ticket may have been added to the internal ccache. Clients can then replace their (encrypted) copy with the updated ccache. So gssproxy injects option in response for a client (apache in our case?) to renew service tickets? What are the "certain calls"? - allow_protocol_transition So, this one is enabled only for ipa-httpd. This option controls whether s4u2self requests are allowed for the requesting client. This is shows that for some reason for ipa-httpd service we only have s4u2self allowed type of requests and for ipa-api service we have s4u2proxy. Mm, why not both? I guess those interaction between Apache and KDC through gssproxy are the most vague in all of this. 4. Somehow user getting autheticated. But there is no TGT, is it? So how is it done? 5. What next is gssapi calls are getting intercepted by gssproxy, and when service tickets are recieved they are encrypted by it, so httpd process has no direct access to it, it can't decrypt it. This design likely aims to protect credentials in case of a successful attack on the Apache process. 6. After ldap service tickets aquired (stored in the /run/ipa/ccaches), apache access ldap on behalf of the user. Or better I say python code make ldap request to LDAP server, in GSS context that was handled by apache. 7. Getting data from LDAP 8. Perfoming http response with data from LDAP, and setting a coockie ipa_session. What is in the cookie, by the way? I thought it was TGT but now I'm not that sure So each point highlight my areas of confusion, and I would appreciate any corrections or insights from anyone familiar with the FreeIPA client authentication process. _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
