I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' 
was. In the web UI the option is labelled "Hardened Password (by SPAKE or 
FAST)".

What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this 
option, kinit already opportunistically uses SPAKE:

$ kinit
[..]
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional 
pre-authentication required
[1503880] 1639651033.064874: Preauthenticating using KDC method data
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), 
PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), 
PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064876: Selected etype info: etype aes256-cts, salt "xxx", 
params ""
[1503880] 1639651033.064877: Received cookie: xxx
[1503880] 1639651033.064878: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064879: Preauth module pkinit (147) (info) returned: 
0/Success
[1503880] 1639651033.064880: PKINIT client received freshness token from KDC
[1503880] 1639651033.064881: Preauth module pkinit (150) (info) returned: 
0/Success
[1503880] 1639651033.064882: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
Password for u...@ipa.example.qq': ^C 
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned: 
-1765328252/Password read interrupted
kinit: Password read interrupted while getting initial credentials

So far so good.

The client can be forced to do so by setting 'disable_encrypted_timestamp = 
true' for the realm in krb5.conf. But krb5.conf(5) remarks, "This flag does not 
prevent the KDC from offering encrypted timestamp."

It seems like the 'ipa user-mod --auth-user-type=hardened' might be a way to 
enforce the use of SPAKE/FAST on the server side, but once that is set on a 
user, the client doesn't seem to use SPAKE, it just gives up:

$ kinit
[...]
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional 
pre-authentication required
[1504024] 1639651111.830021: Preauthenticating using KDC method data
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), 
PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830023: Received cookie: xxx
[1504024] 1639651111.830024: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 
0/Success
[1504024] 1639651111.830026: PKINIT client received freshness token from KDC
[1504024] 1639651111.830027: Preauth module pkinit (150) (info) returned: 
0/Success
[1504024] 1639651111.830028: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial 
credentials

The 'hardened' option also seems to break FAST:

$ kinit -c /tmp/blah -n && kinit -T /tmp/blah
[...]
[1504775] 1639652353.929814: Using FAST due to armor ccache negotiation result
[1504775] 1639652353.929815: Getting credentials 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/ipa.example...@ipa.example.qq 
using ccache FILE:/tmp/blah
[1504775] 1639652353.929816: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS 
-> krbtgt/ipa.example...@ipa.example.qq  from FILE:/tmp/blah with result: 
0/Success
[1504775] 1639652353.929817: Armor ccache sesion key: aes256-cts/0286
[1504775] 1639652353.929819: Creating authenticator for 
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/ipa.example...@ipa.example.qq 
, seqnum 0, subkey aes256-cts/12F1, session key aes256-cts/0286
[1504775] 1639652353.929821: FAST armor key: aes256-cts/0BB2
[1504775] 1639652353.929823: Sending unauthenticated request
[1504775] 1639652353.929824: Encoding request body and padata into FAST request
[...]
[1504775] 1639652353.929829: Received error from KDC: -1765328359/Additional 
pre-authentication required
[1504775] 1639652353.929830: Decoding FAST response
[1504775] 1639652353.929833: Preauthenticating using KDC method data
[1504775] 1639652353.929834: Processing preauth types: PA-PK-AS-REQ (16), 
PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE 
(133), PA-FX-ERROR (137)
[1504775] 1639652353.929835: Received cookie: MIT
[1504775] 1639652353.929836: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929837: Preauth module pkinit (147) (info) returned: 
0/Success
[1504775] 1639652353.929838: PKINIT client received freshness token from KDC
[1504775] 1639652353.929839: Preauth module pkinit (150) (info) returned: 
0/Success
[1504775] 1639652353.929840: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929841: Preauth module pkinit (16) (real) returned: 
22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial 
credentials

Documentation for the meaning of the hardened setting is a bit thin... can 
anyone fill me in?

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
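To make the difference between the two traces above easier to see, here is an added example (not part of the mail above, and not FreeIPA or MIT krb5 code): a small parser for KRB5_TRACE output that rejoins records wrapped by the mail client, extracts the pre-authentication types the KDC offered, and reports which preauth modules actually ran. The two embedded traces are constructed from the lines quoted in the message; all function names are my own.

```python
"""Summarise KDC pre-authentication offers from KRB5_TRACE output."""
import re
from typing import Dict, List, Tuple

# A KRB5_TRACE record starts with "[pid] seconds.micros: message".
_RECORD_RE = re.compile(r"^\[(\d+)\] (\d+\.\d+): (.*)$")
_PREAUTH_RE = re.compile(r"Processing preauth types: (.*)")
_TYPE_RE = re.compile(r"([A-Z0-9_-]+) \((\d+)\)")
_MODULE_RE = re.compile(
    r"Preauth module (\S+) \((\d+)\) \((\w+)\) returned: (-?\d+)/(.*)")

# Constructed sample (from the quoted mail): default user, KDC offers SPAKE
# and encrypted timestamp, client proceeds to the SPAKE exchange.
TRACE_DEFAULT = """\
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional
pre-authentication required
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16),
PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151),
PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned:
22/Invalid argument
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned:
-1765328252/Password read interrupted
"""

# Constructed sample (from the quoted mail): user set to
# --auth-user-type=hardened; neither SPAKE nor encrypted timestamp is offered.
TRACE_HARDENED = """\
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional
pre-authentication required
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16),
PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned:
22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial
credentials
"""


def join_records(trace: str) -> List[str]:
    """Rejoin trace records that a mail client wrapped across lines.

    A line that neither starts a new record nor is a shell prompt or kinit
    diagnostic is treated as the continuation of the previous record.
    """
    records: List[str] = []
    for raw in trace.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _RECORD_RE.match(line) or line.startswith(("$ ", "kinit:")) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def offered_preauth_types(records: List[str]) -> Dict[str, int]:
    """Map name -> number for the types in the last 'Processing preauth types' record."""
    offered: Dict[str, int] = {}
    for rec in records:
        m = _PREAUTH_RE.search(rec)
        if m:
            offered = {name: int(num) for name, num in _TYPE_RE.findall(m.group(1))}
    return offered


def module_results(records: List[str]) -> List[Tuple[str, int, str, int, str]]:
    """(module, pa_type, kind, code, message) for every 'Preauth module ... returned' record."""
    out = []
    for rec in records:
        m = _MODULE_RE.search(rec)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5).strip()))
    return out


def summarize(trace: str) -> dict:
    """Answer the questions a debugging admin asks of one kinit trace."""
    records = join_records(trace)
    offered = offered_preauth_types(records)
    results = module_results(records)
    return {
        "offered": sorted(offered),
        "spake_offered": "PA-SPAKE" in offered,
        "enc_timestamp_offered": "PA-ENC-TIMESTAMP" in offered,
        "fast_offered": "PA-FX-FAST" in offered,
        # 'real' modules are the ones that actually attempted authentication
        "real_modules": [r[0] for r in results if r[2] == "real"],
    }


def dropped_offers(before: str, after: str) -> List[str]:
    """Preauth types the KDC offered in `before` but no longer offers in `after`."""
    b = offered_preauth_types(join_records(before))
    a = offered_preauth_types(join_records(after))
    return sorted(set(b) - set(a))
```

Running `dropped_offers(TRACE_DEFAULT, TRACE_HARDENED)` shows exactly what the hardened setting removed from the KDC's offer (PA-ENC-TIMESTAMP, PA-ETYPE-INFO2 and PA-SPAKE), which matches the observation that the client is left with only PKINIT and, having no configured identity, gives up.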
