Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler

On 25/10/2016 10:50, Prasun Gera wrote:
> When is principal expiration triggered ? I haven't set it explicitly
> for any user, and ipa user-show doesn't show that attribute either.
> I'm not very familiar with kerberos.

It doesn't show it unless it has been set. You can set it like this:

# ipa help user-mod
...
  --principal-expiration=DATETIME
                        Kerberos principal expiration

(This is from IPA under CentOS 7. Older versions might not have this 
feature at all).


> And as you and David said earlier, if the principal expires, kinit
> shouldn't work either, right ?


Yes I agree. I have just tried setting krbPasswordExpiration to a very 
old time, using ldapmodify.


# ldapmodify -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
changetype: modify
replace: krbPasswordExpiration
krbPasswordExpiration: 2001010100Z
-

^D

But this works for me:

$ sudo -s

[sudo] password for bcandler:
Password expired. Change your password now.
sudo: Account or password is expired, reset your password and try again
Current Password:
New password:
Retype new password:

#


But actually, I didn't try the web UI with an expired password yet. I'll 
try that later.


Regards,

Brian.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
>
> There appears to be only one case where NAME_EXP is returned: when the
> client.expiration field is passed (not client.pw_expiration)
>
> I think "expiration" must equate to the "principal expiration" in IPA. But
> only regular password expiry would give you the option of changing it.
>
>
Thanks Brian. Can you explain a bit more ? When is principal expiration
triggered ? I haven't set it explicitly for any user, and ipa user-show
doesn't show that attribute either. I'm not very familiar with kerberos.
And as you and David said earlier, if the principal expires, kinit
shouldn't work either, right ?



> Regards,
>
> Brian.
>
> === from src/kdc/kdc_util.c ===
>
>     /* The client must not be expired */
>     if (client.expiration && client.expiration < kdc_time) {
>         *status = "CLIENT EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_NAME_EXP);
>     }
>
>     /* The client's password must not be expired, unless the server is
>        a KRB5_KDC_PWCHANGE_SERVICE. */
>     if (client.pw_expiration && client.pw_expiration < kdc_time &&
>         !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
>         *status = "CLIENT KEY EXPIRED";
>         if (vague_errors)
>             return(KRB_ERR_GENERIC);
>         else
>             return(KDC_ERR_KEY_EXP);
>     }
>
>

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler

Looking in MIT krb5 source:

$ grep -R ERR_NAME_EXP .
./src/include/k5-int.h:#define KDC_ERR_NAME_EXP    1 /* Client's entry in DB expired */
./src/kdc/kdc_util.c:            return(KDC_ERR_NAME_EXP);
./src/lib/krb5/error_tables/krb5_err.et:error_code KRB5KDC_ERR_NAME_EXP,    "Client's entry in database has expired"


There appears to be only one case where NAME_EXP is returned: when the 
client.expiration field is passed (not client.pw_expiration)


The fields are defined in krb5_db_entry in src/include/kdb.h:

    krb5_timestamp        expiration;     /* When the client expires */
    krb5_timestamp        pw_expiration;  /* When its passwd expires */


I think "expiration" must equate to the "principal expiration" in IPA. 
But only regular password expiry would give you the option of changing it.


Regards,

Brian.

=== from src/kdc/kdc_util.c ===

    /* The client must not be expired */
    if (client.expiration && client.expiration < kdc_time) {
        *status = "CLIENT EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_NAME_EXP);
    }

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }

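The two checks in the kdc_util.c excerpt above, and the pam_sss mapping Brian traced, modelled in Python as an added example (this is not krb5 or SSSD code). Assumptions: the numeric values of KDC_ERR_KEY_EXP and KRB_ERR_GENERIC are not on the page and are kept symbolic, the KRB5_KDB_PWCHANGE_SERVICE bit value is constructed, and the KEY_EXP to PAM_AUTHTOK_EXPIRED mapping is Brian's expectation rather than something verified here.

```python
"""Model of the two expiry checks in the kdc_util.c excerpt and of the
pam_sss mapping discussed in this thread. Added example, not krb5/SSSD code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Values quoted in the thread (k5-int.h, _pam_types.h).
KDC_ERR_NAME_EXP = 1         # "Client's entry in DB expired"
PAM_ACCT_EXPIRED = 13        # code 13 seen in Prasun's /var/log/secure
PAM_AUTHTOK_EXPIRED = 27     # what Brian expects for a merely expired password
# Codes whose numeric values are not quoted on the page: kept symbolic.
KDC_ERR_KEY_EXP = "KDC_ERR_KEY_EXP"
KRB_ERR_GENERIC = "KRB_ERR_GENERIC"
KRB5_KDB_PWCHANGE_SERVICE = 1 << 0   # constructed bit; real value not on the page


@dataclass
class DbEntry:
    """Subset of krb5_db_entry from kdb.h: 0 means 'not set'."""
    expiration: int = 0       # principal expiration (IPA --principal-expiration)
    pw_expiration: int = 0    # password expiration (IPA krbPasswordExpiration)
    attributes: int = 0       # flags; only meaningful on the server entry


def kdc_check(client: DbEntry, server: DbEntry, kdc_time: int,
              vague_errors: bool = False) -> Tuple[Optional[object], str]:
    """Same order as kdc_util.c: principal expiry is checked first and is
    fatal for every service; password expiry is skipped only when the
    requested service is the password-change service."""
    if client.expiration and client.expiration < kdc_time:
        err = KRB_ERR_GENERIC if vague_errors else KDC_ERR_NAME_EXP
        return err, "CLIENT EXPIRED"
    if (client.pw_expiration and client.pw_expiration < kdc_time
            and not server.attributes & KRB5_KDB_PWCHANGE_SERVICE):
        err = KRB_ERR_GENERIC if vague_errors else KDC_ERR_KEY_EXP
        return err, "CLIENT KEY EXPIRED"
    return None, "OK"


def can_change_password(client: DbEntry, kdc_time: int) -> bool:
    """kpasswd talks to the password-change service, so an expired password
    still gets a ticket for it; an expired principal does not."""
    pwchange = DbEntry(attributes=KRB5_KDB_PWCHANGE_SERVICE)
    return kdc_check(client, pwchange, kdc_time)[0] is None


def pam_code(kdc_err) -> Optional[int]:
    """PAM result pam_sss reports: NAME_EXP -> PAM_ACCT_EXPIRED as traced in
    the thread; KEY_EXP -> PAM_AUTHTOK_EXPIRED is Brian's expectation (assumed)."""
    if kdc_err is None:
        return 0                       # PAM_SUCCESS
    if kdc_err == KDC_ERR_NAME_EXP:
        return PAM_ACCT_EXPIRED
    if kdc_err == KDC_ERR_KEY_EXP:
        return PAM_AUTHTOK_EXPIRED
    return None                        # generic/vague error: no specific code


if __name__ == "__main__":
    now = 1_477_396_800  # constructed kdc_time (2016-10-25 12:00 UTC)
    stale = DbEntry(pw_expiration=now - 365 * 86400)   # a year-old password
    print(kdc_check(stale, DbEntry(), now), can_change_password(stale, now))
```

The year-old password in the demo yields KEY_EXP for an ordinary service but still passes for the password-change service, which is exactly why a long-expired password can still be changed while an expired principal cannot.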


Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Prasun Gera
David & Brian,
I'm familiar with the usual password expiration message that shows up which
forces you to change the password. I've seen that before. However, I didn't
see it this time, which is odd. Since I was able to kinit, I reset the
password, and it started working again. I don't have an account in this
failed state currently, but is it possible to force password expiration in
order to reproduce this again ? Something like "ipa user-mod myuser
--setattr=krbpasswordexpiration=" should work, right ?

On Tue, Oct 25, 2016 at 3:54 AM, Brian Candler wrote:

> On 25/10/2016 00:02, Prasun Gera wrote:
>
> I've seen some different behaviour. I've had errors for users (including
> the admin user) trying to log in with possibly an expired password. Both
> webui and ssh would fail, but kinit would work. I'm not sure if this is
> related to the password's expiration or the account's expiration. My
> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
> uname: 13 (User account has expired)". Is there a setting for default
> expiration of user accounts ? I don't remember setting it anywhere.
>
> By "account expiration" do you mean the "--principal-expiration" option to
> ipa user-xxx? Or is there another setting?
> Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants
>
> $ egrep '\b13\b' /usr/include/security/*pam*
> /usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
> /usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
> /usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
>
> This to me implies it's not looking at the krbPasswordExpiration
> attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for
> that instead.
>
> For me, pam_sss seems to handle expiry correctly. For example if I reset
> an account password (which in turn causes it to expire immediately), and
> then someone logs in their ssh private key, and subsequently does "sudo",
> sudo prompts them for the password, tells them it has expired, but gives
> them the opportunity to change it.
>
> However it's not impossible that the PAM module has some buried logic,
> e.g. it refuses to use a password which expired more than X days ago. That
> was the reason for my original question.  I guess I should try setting some
> expiry date way in the past.
>
> The other thing is to look in the source code for pam_sss to see under
> which conditions it returns PAM_ACCT_EXPIRED.  The answer is: when it gets
> ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn is when
> we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is "Client's entry
> in database has expired".
>
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html
>
> But as has already been said - if the *principal* has expired you
> shouldn't be able to login with kinit at all.
>
> Regards,
>
> Brian.
>

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler

On 25/10/2016 08:29, David Kupka wrote:
> If I understood Brian correctly he was asking about expiration of NTLM
> password hashes.


Partly.

As long as the hash remains in the database and is readable via LDAP, I 
know it will continue to work for authentication.  However I was also 
asking whether a long-expired password would prevent a user from logging 
into the webUI or obtaining a kerberos ticket.


Scenario is: a user who is mostly wireless-only, who very rarely uses 
IPA for anything else. Their password expires, and they never notice 
because it keeps working. However, (say) a year later, they decide to 
login to IPA for some reason - maybe because they've decided it's time 
to change their wireless password.  Will their old expired password 
still be usable for this?  I'm hoping it would simply tell them that the 
account has expired and force a password change.


Aside: I realise there are other ways I can handle this. Perhaps I 
*should* make passwords expire for wireless too, by checking the 
krbPasswordExpiration field in the RADIUS server. But then I need some 
way to warn people that their passwords are about to expire and give 
them an opportunity to change it - e.g. by mailing out a warning a 
couple of weeks before it does.


Regards,

Brian.

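The check Brian's aside proposes, enforcing krbPasswordExpiration outside Kerberos and deciding who needs a warning mail, as an added Python example (not FreeIPA or RADIUS code). It parses the LDAP GeneralizedTime form the attribute uses, including the hour-only value from the ldapmodify example in this thread; the entries and the reference time are constructed sample data.

```python
"""Enforce krbPasswordExpiration outside Kerberos, as Brian's aside proposes
for a RADIUS server: parse the LDAP GeneralizedTime value, then classify each
user as expired, due for a warning mail, or fine. Added example, not FreeIPA
or RADIUS code; the entries below are constructed sample data."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# RFC 4517 GeneralizedTime, UTC form: YYYYMMDDHH[MM[SS]]Z. The hour-only
# form is what the thread's ldapmodify example ("2001010100Z") uses.
_GENTIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?Z$")


def parse_generalized_time(value: str) -> datetime:
    m = _GENTIME.match(value.strip())
    if not m:
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


def password_state(expiration: Optional[str], now: datetime,
                   warn_days: int = 14) -> str:
    """'expired' if the timestamp is in the past, 'warn' if it falls within
    warn_days, 'ok' otherwise; a missing attribute means nothing to enforce."""
    if not expiration:
        return "no-expiry"
    exp = parse_generalized_time(expiration)
    if exp <= now:
        return "expired"
    if exp - now <= timedelta(days=warn_days):
        return "warn"
    return "ok"


def classify(entries: List[dict], now: datetime,
             warn_days: int = 14) -> Dict[str, List[str]]:
    """Group uids by state: 'warn' is the list to send reminder mail to and
    'expired' is the list the RADIUS server would reject."""
    groups: Dict[str, List[str]] = {k: [] for k in ("expired", "warn", "ok", "no-expiry")}
    for e in entries:
        state = password_state(e.get("krbPasswordExpiration"), now, warn_days)
        groups[state].append(e["uid"])
    return groups


# Constructed sample LDAP entries; the reference time is the thread's date.
NOW = parse_generalized_time("20161025120000Z")
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbPasswordExpiration": "20161101120000Z"},  # 7 days away
    {"uid": "bob", "krbPasswordExpiration": "2001010100Z"},        # long expired
    {"uid": "carol", "krbPasswordExpiration": "20170401000000Z"},  # fine
    {"uid": "dave"},                                               # attribute unset
]

if __name__ == "__main__":
    print(classify(SAMPLE_ENTRIES, NOW))
```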


Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread Brian Candler

On 25/10/2016 00:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users
> (including the admin user) trying to log in with possibly an expired
> password. Both webui and ssh would fail, but kinit would work. I'm not
> sure if this is related to the password's expiration or the account's
> expiration. My /var/log/secure has messages like "pam_sss(sshd:auth):
> received for user uname: 13 (User account has expired)". Is there a
> setting for default expiration of user accounts ? I don't remember
> setting it anywhere.


By "account expiration" do you mean the "--principal-expiration" option 
to ipa user-xxx? Or is there another setting?


Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants

$ egrep '\b13\b' /usr/include/security/*pam*
/usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN 13
/usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13 /* User account has expired */
/usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */


This to me implies it's not looking at the krbPasswordExpiration 
attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for 
that instead.


For me, pam_sss seems to handle expiry correctly. For example if I reset 
an account password (which in turn causes it to expire immediately), and 
then someone logs in their ssh private key, and subsequently does 
"sudo", sudo prompts them for the password, tells them it has expired, 
but gives them the opportunity to change it.


However it's not impossible that the PAM module has some buried logic, 
e.g. it refuses to use a password which expired more than X days ago. 
That was the reason for my original question.  I guess I should try 
setting some expiry date way in the past.


The other thing is to look in the source code for pam_sss to see under 
which conditions it returns PAM_ACCT_EXPIRED.  The answer is: when it 
gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn 
is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is 
"Client's entry in database has expired".


http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html

But as has already been said - if the *principal* has expired you 
shouldn't be able to login with kinit at all.


Regards,

Brian.


Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-25 Thread David Kupka

On 25/10/16 01:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users (including
> the admin user) trying to log in with possibly an expired password. Both
> webui and ssh would fail, but kinit would work. I'm not sure if this is
> related to the password's expiration or the account's expiration. My
> /var/log/secure has messages like "pam_sss(sshd:auth): received for user
> uname: 13 (User account has expired)". Is there a setting for default
> expiration of user accounts ? I don't remember setting it anywhere.
>
> On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote:
>
>> On 21/10/16 15:17, Brian Candler wrote:
>>
>>> Question: when a password expires, does it remain in a usable state in
>>> the database indefinitely? For example, if someone comes along a year
>>> after their password has expired, can they still login once with that
>>> password?
>>>
>>> This is actually what I want, but I just want to confirm there's not
>>> some sort of secondary threshold which means that an expired password is
>>> not usable X days after it has expired.  Or, if there is such a
>>> secondary threshold, where I can find it.
>>>
>>> The scenario is a RADIUS server for wifi which reads NTLM password
>>> hashes out of the database to authenticate - this continues to work
>>> after expiry. However I want users to be able to do a self-reset later
>>> if and when they want to.
>>>
>>> Thanks,
>>>
>>> Brian.
>>
>> Hello Brian!
>>
>> AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
>> and do the validation locally. So FreeIPA has no way to say the password is
>> expired.
>> When the user tries to obtain Kerberos ticket he will be forced to change
>> the password and NTLM hash will be also regenerated.
>>
>> --
>> David Kupka





Hello Prasun!
If I understood Brian correctly he was asking about expiration of NTLM 
password hashes. In his case there is no checking for password or 
account expiration. It would need to be done in RADIUS server itself 
because RADIUS server just fetches the attributes from LDAP and does 
whatever it is programmed to do.


The situation that you're describing looks weird to me. When user's 
Kerberos Password expires kinit and WebUI forces password change on next 
login attempt. I don't know how ssh client behaves.


When user's Kerberos Principal ("account") expires neither WebUI nor 
kinit would allow login or password change. Administrator must prolong 
or remove the Kerberos Principal expiration.


By default Kerberos Password expiration is set according to the relevant
password policy (global_policy by default) and Kerberos Principal
expiration is not set.


--
David Kupka



Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread Prasun Gera
I've seen some different behaviour. I've had errors for users (including
the admin user) trying to log in with possibly an expired password. Both
webui and ssh would fail, but kinit would work. I'm not sure if this is
related to the password's expiration or the account's expiration. My
/var/log/secure has messages like "pam_sss(sshd:auth): received for user
uname: 13 (User account has expired)". Is there a setting for default
expiration of user accounts ? I don't remember setting it anywhere.

On Mon, Oct 24, 2016 at 8:13 AM, David Kupka wrote:

> On 21/10/16 15:17, Brian Candler wrote:
>
>> Question: when a password expires, does it remain in a usable state in
>> the database indefinitely? For example, if someone comes along a year
>> after their password has expired, can they still login once with that
>> password?
>>
>> This is actually what I want, but I just want to confirm there's not
>> some sort of secondary threshold which means that an expired password is
>> not usable X days after it has expired.  Or, if there is such a
>> secondary threshold, where I can find it.
>>
>> The scenario is a RADIUS server for wifi which reads NTLM password
>> hashes out of the database to authenticate - this continues to work
>> after expiry. However I want users to be able to do a self-reset later
>> if and when they want to.
>>
>> Thanks,
>>
>> Brian.
>>
>>
> Hello Brian!
>
> AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP
> and do the validation locally. So FreeIPA has no way to say the password is
> expired.
> When the user tries to obtain Kerberos ticket he will be forced to change
> the password and NTLM hash will be also regenerated.
>
> --
> David Kupka
>
>
>

Re: [Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-24 Thread David Kupka

On 21/10/16 15:17, Brian Candler wrote:
> Question: when a password expires, does it remain in a usable state in
> the database indefinitely? For example, if someone comes along a year
> after their password has expired, can they still login once with that
> password?
>
> This is actually what I want, but I just want to confirm there's not
> some sort of secondary threshold which means that an expired password is
> not usable X days after it has expired.  Or, if there is such a
> secondary threshold, where I can find it.
>
> The scenario is a RADIUS server for wifi which reads NTLM password
> hashes out of the database to authenticate - this continues to work
> after expiry. However I want users to be able to do a self-reset later
> if and when they want to.
>
> Thanks,
>
> Brian.



Hello Brian!

AFAIK, it will work. Your RADIUS server will retrieve the hash from LDAP 
and do the validation locally. So FreeIPA has no way to say the password 
is expired.
When the user tries to obtain Kerberos ticket he will be forced to 
change the password and NTLM hash will be also regenerated.


--
David Kupka



[Freeipa-users] Do expired passwords remain usable indefinitely?

2016-10-21 Thread Brian Candler
Question: when a password expires, does it remain in a usable state in 
the database indefinitely? For example, if someone comes along a year 
after their password has expired, can they still login once with that 
password?


This is actually what I want, but I just want to confirm there's not 
some sort of secondary threshold which means that an expired password is 
not usable X days after it has expired.  Or, if there is such a 
secondary threshold, where I can find it.


The scenario is a RADIUS server for wifi which reads NTLM password 
hashes out of the database to authenticate - this continues to work 
after expiry. However I want users to be able to do a self-reset later 
if and when they want to.


Thanks,

Brian.
