Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered ? I haven't set it explicitly for
> any user, and ipa user-show doesn't show that attribute either. I'm not
> very familiar with kerberos.

It doesn't show it unless it has been set. You can set it like this:

    # ipa help user-mod
    ...
      --principal-expiration=DATETIME
                            Kerberos principal expiration

(This is from IPA under CentOS 7. Older versions might not have this feature at all).

> And as you and David said earlier, if the principal expires, kinit
> shouldn't work either, right ?

Yes I agree.

I have just tried setting krbPasswordExpiration to a very old time, using ldapmodify.

    # ldapmodify -D 'cn=Directory Manager' -W
    Enter LDAP Password:
    dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
    changetype: modify
    replace: krbPasswordExpiration
    krbPasswordExpiration: 2001010100Z
    -
    ^D

But this works for me:

    $ sudo -s
    [sudo] password for bcandler:
    Password expired. Change your password now.
    sudo: Account or password is expired, reset your password and try again
    Current Password:
    New password:
    Retype new password:
    #

But actually, I didn't try the web UI with an expired password yet. I'll try that later.

Regards,

Brian.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.

Thanks Brian. Can you explain a bit more ? When is principal expiration triggered ? I haven't set it explicitly for any user, and ipa user-show doesn't show that attribute either. I'm not very familiar with kerberos. And as you and David said earlier, if the principal expires, kinit shouldn't work either, right ?

> Regards,
>
> Brian.
>
> === from src/kdc/kdc_util.c ===
>
>     /* The client must not be expired */
>     if (client.expiration && client.expiration < kdc_time) {
>         *status = "CLIENT EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_NAME_EXP);
>     }
>
>     /* The client's password must not be expired, unless the server is
>        a KRB5_KDC_PWCHANGE_SERVICE. */
>     if (client.pw_expiration && client.pw_expiration < kdc_time &&
>         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
>         *status = "CLIENT KEY EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_KEY_EXP);
>     }
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
Looking in MIT krb5 source:

    $ grep -R ERR_NAME_EXP .
    ./src/include/k5-int.h:#define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
    ./src/kdc/kdc_util.c: return(KDC_ERR_NAME_EXP);
    ./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP, "Client's entry in database has expired"

There appears to be only one case where NAME_EXP is returned: when the client.expiration field is passed (not client.pw_expiration)

The fields are defined in krb5_db_entry in src/include/kdb.h:

    krb5_timestamp expiration;    /* When the client expires */
    krb5_timestamp pw_expiration; /* When its passwd expires */

I think "expiration" must equate to the "principal expiration" in IPA. But only regular password expiry would give you the option of changing it.

Regards,

Brian.

=== from src/kdc/kdc_util.c ===

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_NAME_EXP);
    }

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
David & Brian,

I'm familiar with the usual password expiration message that shows up which forces you to change the password. I've seen that before. However, I didn't see it this time, which is odd. Since I was able to kinit, I reset the password, and it started working again. I don't have an account in this failed state currently, but is it possible to force password expiration in order to reproduce this again ? Something like "ipa user-mod myuser --setattr=krbpasswordexpiration=" should work, right ?

On Tue, Oct 25, 2016 at 3:54 AM, Brian Candler wrote:
> On 25/10/2016 00:02, Prasun Gera wrote:
>> I've seen some different behaviour. I've had errors for users (including
>> the admin user) trying to log in with possibly an expired password. Both
>> webui and ssh would fail, but kinit would work. I'm not sure if this is
>> related to the password's expiration or the account's expiration. My
>> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
>> uname: 13 (User account has expired)". Is there a setting for default
>> expiration of user accounts ? I don't remember setting it anywhere.
>
> By "account expiration" do you mean the "--principal-expiration" option to
> ipa user-xxx? Or is there another setting?
>
> Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants
>
>     $ egrep '\b13\b' /usr/include/security/*pam*
>     /usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
>     /usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
>     /usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
>
> This to me implies it's not looking at the krbPasswordExpiration
> attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for
> that instead.
>
> For me, pam_sss seems to handle expiry correctly. For example if I reset
> an account password (which in turn causes it to expire immediately), and
> then someone logs in with their ssh private key, and subsequently does "sudo",
> sudo prompts them for the password, tells them it has expired, but gives
> them the opportunity to change it.
>
> However it's not impossible that the PAM module has some buried logic,
> e.g. it refuses to use a password which expired more than X days ago. That
> was the reason for my original question. I guess I should try setting some
> expiry date way in the past.
>
> The other thing is to look in the source code for pam_sss to see under
> which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets
> ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when
> we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry
> in database has expired".
>
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html
>
> But as has already been said - if the *principal* has expired you
> shouldn't be able to login with kinit at all.
>
> Regards,
>
> Brian.
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
On 25/10/2016 08:29, David Kupka wrote:
> If I understood Brian correctly he was asking about expiration of NTLM
> password hashes.

Partly. As long as the hash remains in the database and is readable via LDAP, I know it will continue to work for authentication.

However I was also asking whether a long-expired password would prevent a user from logging into the webUI or obtaining a kerberos ticket.

Scenario is: a user who is mostly wireless-only, who very rarely uses IPA for anything else. Their password expires, and they never notice because it keeps working. However, (say) a year later, they decide to login to IPA for some reason - maybe because they've decided it's time to change their wireless password. Will their old expired password still be usable for this? I'm hoping it would simply tell them that the account has expired and force a password change.

Aside: I realise there are other ways I can handle this. Perhaps I *should* make passwords expire for wireless too, by checking the krbPasswordExpiration field in the RADIUS server. But then I need some way to warn people that their passwords are about to expire and give them an opportunity to change it - e.g. by mailing out a warning a couple of weeks before it does.

Regards,

Brian.
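The following is an added example and not code from this thread, from FreeIPA or from MIT krb5. It shows the two checks the thread traces in kdc_util.c (principal expiration first, which cannot be cured by the user, then password expiration, which only the password-change service is allowed to ignore) applied to the LDAP attributes a RADIUS server could read, together with the "warn a couple of weeks before expiry" idea from the message above. The attribute names krbPrincipalExpiration and krbPasswordExpiration and the GeneralizedTime syntax are assumed to be what FreeIPA stores; the user entries and the clock value are constructed sample data, not real directory output.

```python
"""Classify directory entries the way the KDC would, plus a pre-expiry warning list.

Added example, not code from the FreeIPA project or the krb5 source quoted in the
thread. Assumes FreeIPA stores principal/password expiry in the LDAP attributes
krbPrincipalExpiration / krbPasswordExpiration as RFC 4517 GeneralizedTime.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    # Principal expired: the KDC returns KDC_ERR_NAME_EXP, pam_sss maps it to
    # PAM_ACCT_EXPIRED (13). The user cannot fix this by changing the password.
    ACCOUNT_EXPIRED = "principal expired (KDC_ERR_NAME_EXP / PAM_ACCT_EXPIRED)"
    # Password expired: the KDC returns KDC_ERR_KEY_EXP, unless the requested
    # service is the password-change service. Login forces a password change.
    PASSWORD_EXPIRED = "password expired (KDC_ERR_KEY_EXP)"
    EXPIRING_SOON = "ok, but warn the user"
    OK = "ok"


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime in UTC, e.g. '20161201120000Z'.

    Minutes and seconds are optional per RFC 4517, so the hour-precision value
    '2001010100Z' used with ldapmodify earlier in the thread is accepted too.
    """
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime is handled here")
    digits = value[:-1]
    if len(digits) not in (10, 12, 14) or not digits.isdigit():
        raise ValueError(f"malformed GeneralizedTime: {value!r}")
    digits = digits.ljust(14, "0")  # pad missing MM/SS with zeros
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify(entry, now, warn_days=14, pwchange_service=False):
    """Apply the checks in the same order as kdc_util.c: principal, then password.

    entry: dict of LDAP attribute name -> GeneralizedTime string (missing = unset).
    pwchange_service: True when the client is asking for a ticket to the
    password-change service, which is exempt from the password-expiry check.
    """
    principal_exp = entry.get("krbPrincipalExpiration")
    if principal_exp and parse_generalized_time(principal_exp) < now:
        return Status.ACCOUNT_EXPIRED

    pw_exp = entry.get("krbPasswordExpiration")
    if pw_exp:
        pw_exp_dt = parse_generalized_time(pw_exp)
        if pw_exp_dt < now:
            return Status.OK if pwchange_service else Status.PASSWORD_EXPIRED
        if pw_exp_dt - now <= timedelta(days=warn_days):
            return Status.EXPIRING_SOON
    return Status.OK


def users_to_warn(users, now, warn_days=14):
    """Names of users whose password expires within warn_days (the mail-out list)."""
    return sorted(dn for dn, attrs in users.items()
                  if classify(attrs, now, warn_days) is Status.EXPIRING_SOON)


# Constructed sample entries (not real directory output) and a fixed clock.
NOW = datetime(2016, 10, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "uid=alice": {"krbPasswordExpiration": "20161201120000Z"},   # 37 days left
    "uid=bob":   {"krbPasswordExpiration": "2001010100Z"},       # long expired
    "uid=carol": {"krbPasswordExpiration": "20161101120000Z",    # 7 days left, but
                  "krbPrincipalExpiration": "20160101000000Z"},  # principal expired
    "uid=dave":  {},                                             # nothing set
    "uid=erin":  {"krbPasswordExpiration": "20161103090000Z"},   # 9 days left
}


if __name__ == "__main__":
    for dn, attrs in SAMPLE_USERS.items():
        print(f"{dn:10s} {classify(attrs, NOW).value}")
    print("warn:", users_to_warn(SAMPLE_USERS, NOW))
```

Ordering matters: a principal-expired user such as uid=carol is reported as account-expired even though a password-expiry warning would otherwise be due, which matches the observation in the thread that the KDC's NAME_EXP check runs before the KEY_EXP check and leaves the user no self-service way out.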
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
On 25/10/2016 00:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users (including
> the admin user) trying to log in with possibly an expired password. Both
> webui and ssh would fail, but kinit would work. I'm not sure if this is
> related to the password's expiration or the account's expiration. My
> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
> uname: 13 (User account has expired)". Is there a setting for default
> expiration of user accounts ? I don't remember setting it anywhere.

By "account expiration" do you mean the "--principal-expiration" option to ipa user-xxx? Or is there another setting?

Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants

    $ egrep '\b13\b' /usr/include/security/*pam*
    /usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
    /usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
    /usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */

This to me implies it's not looking at the krbPasswordExpiration attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for that instead.

For me, pam_sss seems to handle expiry correctly. For example if I reset an account password (which in turn causes it to expire immediately), and then someone logs in with their ssh private key, and subsequently does "sudo", sudo prompts them for the password, tells them it has expired, but gives them the opportunity to change it.

However it's not impossible that the PAM module has some buried logic, e.g. it refuses to use a password which expired more than X days ago. That was the reason for my original question. I guess I should try setting some expiry date way in the past.

The other thing is to look in the source code for pam_sss to see under which conditions it returns PAM_ACCT_EXPIRED. The answer is: when it gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry in database has expired".

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html

But as has already been said - if the *principal* has expired you shouldn't be able to login with kinit at all.

Regards,

Brian.
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
On 25/10/16 01:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users (including
> the admin user) trying to log in with possibly an expired password. Both
> webui and ssh would fail, but kinit would work. I'm not sure if this is
> related to the password's expiration or the account's expiration. My
> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
> uname: 13 (User account has expired)". Is there a setting for default
> expiration of user accounts ? I don't remember setting it anywhere.
>
> On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote:
>> On 21/10/16 15:17, Brian Candler wrote:
>>> Question: when a password expires, does it remain in a usable state in
>>> the database indefinitely? For example, if someone comes along a year
>>> after their password has expired, can they still login once with that
>>> password?
>>>
>>> This is actually what I want, but I just want to confirm there's not
>>> some sort of secondary threshold which means that an expired password is
>>> not usable X days after it has expired. Or, if there is such a
>>> secondary threshold, where I can find it.
>>>
>>> The scenario is a RADIUS server for wifi which reads NTLM password
>>> hashes out of the database to authenticate - this continues to work
>>> after expiry. However I want users to be able to do a self-reset later
>>> if and when they want to.
>>>
>>> Thanks,
>>>
>>> Brian.
>>
>> Hello Brian!
>>
>> AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
>> and do the validation locally. So FreeIPA has no way to say the password is
>> expired.
>> When the user tries to obtain Kerberos ticket he will be forced to change
>> the password and NTLM hash will be also regenerated.
>>
>> --
>> David Kupka

Hello Prasun!

If I understood Brian correctly he was asking about expiration of NTLM password hashes. In his case there is no checking for password or account expiration. It would need to be done in RADIUS server itself because RADIUS server just fetches the attributes from LDAP and does whatever it is programmed to do.

The situation that you're describing looks weird to me. When user's Kerberos Password expires kinit and WebUI forces password change on next login attempt. I don't know how ssh client behaves. When user's Kerberos Principal ("account") expires neither WebUI nor kinit would allow login or password change. Administrator must prolong or remove the Kerberos Principal expiration.

By default Kerberos Password expiration is set according to the relevant password policy (global_policy by default) and Kerberos Principal expiration is not set.

--
David Kupka
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
I've seen some different behaviour. I've had errors for users (including the admin user) trying to log in with possibly an expired password. Both webui and ssh would fail, but kinit would work. I'm not sure if this is related to the password's expiration or the account's expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): received for user uname: 13 (User account has expired)". Is there a setting for default expiration of user accounts ? I don't remember setting it anywhere.

On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote:
> On 21/10/16 15:17, Brian Candler wrote:
>
>> Question: when a password expires, does it remain in a usable state in
>> the database indefinitely? For example, if someone comes along a year
>> after their password has expired, can they still login once with that
>> password?
>>
>> This is actually what I want, but I just want to confirm there's not
>> some sort of secondary threshold which means that an expired password is
>> not usable X days after it has expired. Or, if there is such a
>> secondary threshold, where I can find it.
>>
>> The scenario is a RADIUS server for wifi which reads NTLM password
>> hashes out of the database to authenticate - this continues to work
>> after expiry. However I want users to be able to do a self-reset later
>> if and when they want to.
>>
>> Thanks,
>>
>> Brian.
>>
> Hello Brian!
>
> AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
> and do the validation locally. So FreeIPA has no way to say the password is
> expired.
> When the user tries to obtain Kerberos ticket he will be forced to change
> the password and NTLM hash will be also regenerated.
>
> --
> David Kupka
Re: [Freeipa-users] Do expired passwords remain usable indefinitely?
On 21/10/16 15:17, Brian Candler wrote:
> Question: when a password expires, does it remain in a usable state in
> the database indefinitely? For example, if someone comes along a year
> after their password has expired, can they still login once with that
> password?
>
> This is actually what I want, but I just want to confirm there's not
> some sort of secondary threshold which means that an expired password is
> not usable X days after it has expired. Or, if there is such a
> secondary threshold, where I can find it.
>
> The scenario is a RADIUS server for wifi which reads NTLM password
> hashes out of the database to authenticate - this continues to work
> after expiry. However I want users to be able to do a self-reset later
> if and when they want to.
>
> Thanks,
>
> Brian.

Hello Brian!

AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP and do the validation locally. So FreeIPA has no way to say the password is expired.

When the user tries to obtain Kerberos ticket he will be forced to change the password and NTLM hash will be also regenerated.

--
David Kupka
[Freeipa-users] Do expired passwords remain usable indefinitely?
Question: when a password expires, does it remain in a usable state in the database indefinitely? For example, if someone comes along a year after their password has expired, can they still login once with that password?

This is actually what I want, but I just want to confirm there's not some sort of secondary threshold which means that an expired password is not usable X days after it has expired. Or, if there is such a secondary threshold, where I can find it.

The scenario is a RADIUS server for wifi which reads NTLM password hashes out of the database to authenticate - this continues to work after expiry. However I want users to be able to do a self-reset later if and when they want to.

Thanks,

Brian.