Re: [Freeipa-users] Password and OTP auth

2017-05-17 Thread Andrey Dudin
Hello

If I run ipa user-mod test --user-auth-type=password --user-auth-type=otp I
have this user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

I can log in to ipa-client.mydomain.com over ssh using password+OTP token,
but to log in to the IPA Web UI I also need password+OTP. I need just the password
for the IPA Web UI and password+OTP token for ssh on ipa-client.mydomain.com.


[root@ipa-centos]# ipa service-show HTTP/ipa-centos.mydomain@mydomain.com --raw
  krbcanonicalname: HTTP/ipa-centos.mydomain@mydomain.com
  krbprincipalname: HTTP/ipa-centos.mydomain@mydomain.com
  usercertificate: %cert%
  subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  serial_number: 9
  serial_number_hex: 0x9
  issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  valid_not_before: Tue May 16 11:32:36 2017 UTC
  valid_not_after: Fri May 17 11:32:36 2019 UTC
  md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  krbprincipalauthind: password
  has_keytab: TRUE
  managedby: fqdn=ipa-centos.mydomain.com,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global

2017-05-17 12:17 GMT+03:00 Sumit Bose :

> On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> > Thanks, but I think I have a problem.
> >
> > I have test user:
> >
> > [root@ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: t...@mydomain.com
> >   Principal alias: t...@mydomain.com
> >   Email address: t...@mydomain.com
> >   UID: 15221
> >   GID: 15221
>
> As mentioned in the other thread there should be a listing of user auth
> types here. Please try
>
> ipa user-mod test --user-auth-type=password --user-auth-type=otp
>
> to allow both password and 2-factor/otp authentication.
>
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> >
> > And test host:
> >
> > [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
> >   Host name: ipa-client.mydomain.com
> >   Principal name: host/ipa-client.mydomain@mydomain.com
> >   Principal alias: host/ipa-client.mydomain@mydomain.com
> >   SSH public key fingerprint: %SOME FINGERPRINTS%
> >   Authentication Indicators: otp
> >   Password: False
> >   Keytab: True
> >   Managed by: ipa-client.mydomain.com
> >
> >
> > When I try to log in to ipa-client.mydomain.com with password+OTP token I
> > get this error:
> >
> > [mynotebook]$ ssh t...@ipa-client.mydomain.com
> > t...@ipa-client.mydomain.com's password:
>
> Please check if ChallengeResponseAuthentication is enabled in
> /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
> by setting 'ChallengeResponseAuthentication yes'.
> > Permission denied, please try again.
> >
> >
> > Same if I try to use just the password.
> >
> > On ipa server in krb5kdc.log I see:
> >
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
>
> The otp authentication indicator is missing in the Kerberos ticket of
> the user. I assume that the ticket was requested only with the password.
> Please see above what might be missing.
>
> HTH
>
> bye,
> Sumit
>
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 

Re: [Freeipa-users] Password and OTP auth

2017-05-17 Thread Sumit Bose
On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> Thanks, but I think I have a problem.
> 
> I have test user:
> 
> [root@ipa-centos]# ipa user-show test
>   User login: test
>   First name: test
>   Last name: test
>   Home directory: /home/test
>   Login shell: /bin/sh
>   Principal name: t...@mydomain.com
>   Principal alias: t...@mydomain.com
>   Email address: t...@mydomain.com
>   UID: 15221
>   GID: 15221

As mentioned in the other thread there should be a listing of user auth
types here. Please try

ipa user-mod test --user-auth-type=password --user-auth-type=otp

to allow both password and 2-factor/otp authentication.

>   Account disabled: False
>   Password: True
>   Member of groups: trust admins, ipausers, admins
>   Kerberos keys available: True
> 
> 
> And test host:
> 
> [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
>   Host name: ipa-client.mydomain.com
>   Principal name: host/ipa-client.mydomain@mydomain.com
>   Principal alias: host/ipa-client.mydomain@mydomain.com
>   SSH public key fingerprint: %SOME FINGERPRINTS%
>   Authentication Indicators: otp
>   Password: False
>   Keytab: True
>   Managed by: ipa-client.mydomain.com
> 
> 
> When I try to log in to ipa-client.mydomain.com with password+OTP token I
> get this error:
> 
> [mynotebook]$ ssh t...@ipa-client.mydomain.com
> t...@ipa-client.mydomain.com's password:

Please check if ChallengeResponseAuthentication is enabled in
/etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
by setting 'ChallengeResponseAuthentication yes'.
> Permission denied, please try again.
> 
> 
> Same if I try to use just the password.
> 
> On ipa server in krb5kdc.log I see:
> 
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp

The otp authentication indicator is missing in the Kerberos ticket of
the user. I assume that the ticket was requested only with the password.
Please see above what might be missing.

HTH

bye,
Sumit

> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
> May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> 
> What's wrong?
> 
> 2017-05-16 17:16 GMT+03:00 Sumit Bose :
> 
> > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > Hello all.
> > >
> > > Tell me please, is it possible to use password and OTP auth at the same
> > > time?
> > >
> > > For example, I have DEV/STAGE servers and want to be able to use password auth
> > > for ssh, but for PROD servers I want to use OTP auth for the same user.
> >
> > Authentication indicators can be used for this. If you add
> >
> > ipa host-mod --auth-ind=otp prod.server
> >
> > Only 2-factor authentication should be possible on prod.server. But
> > please note that e.g. ssh-key based authentication will still be
> > possible as well.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go to http://freeipa.org for more info on the project
> >
> >
> 
> 
> 
> -- 
> Best regards, Andrey Dudin


Re: [Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Thanks, but I think I have a problem.

I have test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain@mydomain.com
  Principal alias: host/ipa-client.mydomain@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com


When I try to log in to ipa-client.mydomain.com with password+OTP token I
get this error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.


Same if I try to use just the password.

On ipa server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose :

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please, is it possible to use password and OTP auth at the same
> > time?
> >
> > For example, I have DEV/STAGE servers and want to be able to use password auth
> > for ssh, but for PROD servers I want to use OTP auth for the same user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>
>
>



-- 
Best regards, Andrey Dudin
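
As an added example that is not part of the thread: a small Python parser for the krb5kdc.log pattern discussed above (an AS_REQ ISSUE followed by a TGS_REQ HIGHER_AUTHENTICATION_REQUIRED) that reports which client principals obtained a TGT lacking the indicator a host requires. The log text is constructed to match the quoted format; the KDC hostname, pid, client IP, principals and realm are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format of the krb5kdc.log lines quoted in the thread;
# hostname, pid, client IP, principals and realm are placeholders, not real values.
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.TEST for host/prod.example.test@EXAMPLE.TEST, Required auth indicators not present in ticket: otp
"""

# AS exchange that issued a TGT: remember client + authtime so a later rejection can be tied to it.
ISSUE_RE = re.compile(r"AS_REQ .*: ISSUE: authtime (\d+), .*?, ([^\s,]+) for ([^\s,]+)$")
# TGS exchange refused because the TGT lacks an indicator the target service requires.
HIGHER_RE = re.compile(
    r"TGS_REQ .*: HIGHER_AUTHENTICATION_REQUIRED: authtime (\d+), ([^\s,]+) for ([^\s,]+), "
    r"Required auth indicators not present in ticket: (.+)$")

def find_missing_indicators(log_text):
    """One record per rejected TGS_REQ; tgt_in_log says whether the TGT it used
    (same client and authtime) was issued within this log excerpt."""
    tgt_issued, findings = set(), []
    for line in log_text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            tgt_issued.add((m.group(2), m.group(1)))
            continue
        m = HIGHER_RE.search(line)
        if m:
            authtime, client, service, missing = m.groups()
            findings.append({
                "client": client, "service": service,
                "missing": sorted(filter(None, re.split(r"[,\s]+", missing))),
                "tgt_in_log": (client, authtime) in tgt_issued,
            })
    return findings

def summarize(findings):
    """Count rejections per (client, service, missing indicators); the repeated
    entries one login attempt produces, as in the thread, collapse to one row."""
    return Counter((f["client"], f["service"], tuple(f["missing"])) for f in findings)

if __name__ == "__main__":
    for (client, service, missing), n in summarize(find_missing_indicators(SAMPLE_LOG)).items():
        print(f"{client} -> {service}: TGT lacks indicator(s) {','.join(missing)} ({n}x)")
```

A row whose TGT was issued in the same excerpt points at the AS exchange itself (the user authenticated without the indicator), which is where the user-auth-type setting and the client's ChallengeResponseAuthentication come in.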

Re: [Freeipa-users] Password and OTP auth

2017-05-16 Thread Sumit Bose
On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> Hello all.
> 
> Tell me please, is it possible to use password and OTP auth at the same
> time?
> 
> For example, I have DEV/STAGE servers and want to be able to use password auth
> for ssh, but for PROD servers I want to use OTP auth for the same user.

Authentication indicators can be used for this. If you add

ipa host-mod --auth-ind=otp prod.server

Only 2-factor authentication should be possible on prod.server. But
please note that e.g. ssh-key based authentication will still be
possible as well.

HTH

bye,
Sumit




[Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Hello all.

Tell me please, is it possible to use password and OTP auth at the same
time?

For example, I have DEV/STAGE servers and want to be able to use password auth
for ssh, but for PROD servers I want to use OTP auth for the same user.