Re: [Freeipa-users] Password and OTP auth
Hello

If I do

  ipa user-mod test --user-auth-type=password --user-auth-type=otp

I have user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

I can log in to ipa-client.mydomain.com over ssh using password+otp token, but for login to the IPA Web UI I also need password+otp. I need just the password for the IPA Web UI and password+otp token for ssh on ipa-client.mydomain.com.

[root@ipa-centos]# ipa service-show HTTP/ipa-centos.mydomain@mydomain.com --raw
  krbcanonicalname: HTTP/ipa-centos.mydomain@mydomain.com
  krbprincipalname: HTTP/ipa-centos.mydomain@mydomain.com
  usercertificate: %cert%
  subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  serial_number: 9
  serial_number_hex: 0x9
  issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  valid_not_before: Tue May 16 11:32:36 2017 UTC
  valid_not_after: Fri May 17 11:32:36 2019 UTC
  md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  krbprincipalauthind: password
  has_keytab: TRUE
  managedby: fqdn=ipa-centos.mydomain.com,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global

2017-05-17 12:17 GMT+03:00 Sumit Bose:

> On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> > Thanks, but I think I have a problem.
> >
> > I have test user:
> >
> > [root@ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: t...@mydomain.com
> >   Principal alias: t...@mydomain.com
> >   Email address: t...@mydomain.com
> >   UID: 15221
> >   GID: 15221
>
> As mentioned in the other thread there should be a listing of user auth types here. Please try
>
>   ipa user-mod test --user-auth-type=password --user-auth-type=otp
>
> to allow both password and 2-factor/otp authentication.
>
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> >
> > And test host:
> >
> > [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
> >   Host name: ipa-client.mydomain.com
> >   Principal name: host/ipa-client.mydomain@mydomain.com
> >   Principal alias: host/ipa-client.mydomain@mydomain.com
> >   SSH public key fingerprint: %SOME FINGERPRINTS%
> >   Authentication Indicators: otp
> >   Password: False
> >   Keytab: True
> >   Managed by: ipa-client.mydomain.com
> >
> >
> > When I try to log in to ipa-client.mydomain.com with password+otptoken I have an error:
> >
> > [mynotebook]$ ssh t...@ipa-client.mydomain.com
> > t...@ipa-client.mydomain.com's password:
>
> Please check if ChallengeResponseAuthentication is enabled in /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it by setting 'ChallengeResponseAuthentication yes'.
>
> > Permission denied, please try again.
> >
> >
> > Same if I try to use just the password.
> >
> > On ipa server in krb5kdc.log I see:
> >
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
>
> The otp authentication indicator is missing in the Kerberos ticket of the user. I assume that the ticket was requested only with the password. Please see above what might be missing.
>
> HTH
>
> bye,
> Sumit
>
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26})
Re: [Freeipa-users] Password and OTP auth
On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> Thanks, but I think I have a problem.
>
> I have test user:
>
> [root@ipa-centos]# ipa user-show test
>   User login: test
>   First name: test
>   Last name: test
>   Home directory: /home/test
>   Login shell: /bin/sh
>   Principal name: t...@mydomain.com
>   Principal alias: t...@mydomain.com
>   Email address: t...@mydomain.com
>   UID: 15221
>   GID: 15221

As mentioned in the other thread there should be a listing of user auth types here. Please try

  ipa user-mod test --user-auth-type=password --user-auth-type=otp

to allow both password and 2-factor/otp authentication.

>   Account disabled: False
>   Password: True
>   Member of groups: trust admins, ipausers, admins
>   Kerberos keys available: True
>
>
> And test host:
>
> [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
>   Host name: ipa-client.mydomain.com
>   Principal name: host/ipa-client.mydomain@mydomain.com
>   Principal alias: host/ipa-client.mydomain@mydomain.com
>   SSH public key fingerprint: %SOME FINGERPRINTS%
>   Authentication Indicators: otp
>   Password: False
>   Keytab: True
>   Managed by: ipa-client.mydomain.com
>
>
> When I try to log in to ipa-client.mydomain.com with password+otptoken I have an error:
>
> [mynotebook]$ ssh t...@ipa-client.mydomain.com
> t...@ipa-client.mydomain.com's password:

Please check if ChallengeResponseAuthentication is enabled in /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it by setting 'ChallengeResponseAuthentication yes'.

> Permission denied, please try again.
>
>
> Same if I try to use just the password.
>
> On ipa server in krb5kdc.log I see:
>
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp

The otp authentication indicator is missing in the Kerberos ticket of the user. I assume that the ticket was requested only with the password. Please see above what might be missing.

HTH

bye,
Sumit

> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
>
> What's wrong?
>
> 2017-05-16 17:16 GMT+03:00 Sumit Bose:
>
> > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > Hello all.
> > >
> > > Tell me please. Is it possible to use password and otp auth at the same time?
> > >
> > > For example I have DEV/STAGE servers and want to be able to use password auth for ssh, but for PROD servers I want to use OTP auth for the same user.
> >
> > Authentication indicators can be used for this. If you add
> >
> >   ipa host-mod --auth-ind=otp prod.server
> >
> > only 2-factor authentication should be possible on prod.server. But please note that e.g. ssh-key based authentication will still be possible as well.
> >
> > HTH
> >
> > bye,
> > Sumit
>
> --
> Best regards, Andrey Dudin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
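Two checks that follow from Sumit's reply above, written as an added shell example for this thread (it is not code from FreeIPA, SSSD or either poster): the first pulls every HIGHER_AUTHENTICATION_REQUIRED refusal out of a krb5kdc.log and shows who was refused, for which service principal, and which authentication indicator the presented ticket lacked; the second reports the effective global ChallengeResponseAuthentication value of an sshd_config, honouring sshd's rule that the first occurrence of a keyword wins. The log lines and sshd_config fragments are constructed samples modelled on the ones quoted in the thread; the realm EXAMPLE.TEST, the principals and the host name are placeholders. Only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Added example for the Freeipa-users thread above; not FreeIPA's or the
# posters' own code. Both functions read their input on stdin.

# Constructed krb5kdc.log excerpt (MIT krb5 KDC format as quoted in the
# thread). Two users are refused a host ticket because their TGT carries
# no "otp" indicator; one later succeeds.
SAMPLE_KDC_LOG='May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@EXAMPLE.TEST for host/ipa-client.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:03:21 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494947001, alice@EXAMPLE.TEST for host/ipa-client.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:05:02 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494947100, etypes {rep=18 tkt=18 ses=18}, test@EXAMPLE.TEST for host/ipa-client.example.test@EXAMPLE.TEST'

# Print "<client principal> <service principal> <missing indicators>" for
# every TGS request the KDC refused with HIGHER_AUTHENTICATION_REQUIRED.
kdc_missing_indicators() {
    awk '
        /HIGHER_AUTHENTICATION_REQUIRED/ {
            line = $0
            # Drop everything up to "authtime <n>, " so the remainder reads:
            # <client> for <service>, Required auth indicators not present in ticket: <ind...>
            sub(/^.*HIGHER_AUTHENTICATION_REQUIRED: authtime [0-9]+, /, "", line)
            split(line, w, " ")
            client = w[1]
            service = w[3]
            sub(/,$/, "", service)
            missing = line
            sub(/^.*not present in ticket: /, "", missing)
            print client, service, missing
        }'
}

# Aggregate refusals as "<service> <missing indicators> <count>" so a
# defender sees which hosts turn users away and how often.
kdc_refusal_summary() {
    kdc_missing_indicators | awk '
        { k = $2; for (i = 3; i <= NF; i++) k = k " " $i; n[k]++ }
        END { for (k in n) print k, n[k] }' | sort
}

# Print the global ChallengeResponseAuthentication value ("yes" or "no") of
# an sshd_config read from stdin. sshd keeps the FIRST value it sees for a
# keyword, KbdInteractiveAuthentication is the same option under its newer
# name, the compiled-in default is yes, and only the section before the
# first Match block sets the global value.
sshd_challenge_response_enabled() {
    awk '
        { gsub(/=/, " ") }                            # accept "Keyword=value" too
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }               # end of the global section
        tolower($1) == "challengeresponseauthentication" ||
        tolower($1) == "kbdinteractiveauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }'
}

# Constructed sshd_config samples.
SAMPLE_SSHD_CONFIG_DISABLED='# first value wins, so the later "yes" lines do not help
PasswordAuthentication no
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    KbdInteractiveAuthentication yes'

SAMPLE_SSHD_CONFIG_DEFAULT='# keyword absent: compiled-in default applies
PasswordAuthentication no
UsePAM yes'

# Stand-alone demo on the constructed samples.
printf '%s\n' "$SAMPLE_KDC_LOG" | kdc_refusal_summary
printf '%s\n' "$SAMPLE_SSHD_CONFIG_DISABLED" | sshd_challenge_response_enabled
```

On a real server, feed the functions with `kdc_refusal_summary < /var/log/krb5kdc.log` on the IPA master and `sshd_challenge_response_enabled < /etc/ssh/sshd_config` on the client; a "no" from the second explains a "Permission denied" that never even prompts for the second factor, while a non-empty refusal summary with the user's own principal is the KDC-side symptom Sumit describes (a TGT obtained with the password alone being presented to a host that requires otp).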
Re: [Freeipa-users] Password and OTP auth
Thanks, but I think I have a problem.

I have test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

And test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain@mydomain.com
  Principal alias: host/ipa-client.mydomain@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com

When I try to log in to ipa-client.mydomain.com with password+otptoken I have an error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.

Same if I try to use just the password.

On ipa server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose:

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please. Is it possible to use password and otp auth at the same time?
> >
> > For example I have DEV/STAGE servers and want to be able to use password auth for ssh, but for PROD servers I want to use OTP auth for the same user.
>
> Authentication indicators can be used for this. If you add
>
>   ipa host-mod --auth-ind=otp prod.server
>
> only 2-factor authentication should be possible on prod.server. But please note that e.g. ssh-key based authentication will still be possible as well.
>
> HTH
>
> bye,
> Sumit

--
Best regards, Andrey Dudin
Re: [Freeipa-users] Password and OTP auth
On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> Hello all.
>
> Tell me please. Is it possible to use password and otp auth at the same time?
>
> For example I have DEV/STAGE servers and want to be able to use password auth for ssh, but for PROD servers I want to use OTP auth for the same user.

Authentication indicators can be used for this. If you add

  ipa host-mod --auth-ind=otp prod.server

only 2-factor authentication should be possible on prod.server. But please note that e.g. ssh-key based authentication will still be possible as well.

HTH

bye,
Sumit
[Freeipa-users] Password and OTP auth
Hello all.

Tell me please. Is it possible to use password and otp auth at the same time?

For example I have DEV/STAGE servers and want to be able to use password auth for ssh, but for PROD servers I want to use OTP auth for the same user.