Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy

On Mon, 18 May 2015, Nathaniel McCallum wrote:

On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote:

On Mon, 18 May 2015, Janelle wrote:
 On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
  On Sun, 10 May 2015, Janelle wrote:
   On 5/5/15 6:47 AM, Dmitri Pal wrote:
On 05/04/2015 09:38 PM, Janelle wrote:
 On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
  On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
   Happy Star Wars Day!
   May the Fourth be with you!
  
   So I have a strange Kerberos problem trying to figure
   out. On a
   CLIENT,  (CentOS 7.1) if I login to account usera
   they get a
   ticket as
   expected.  However, if I login to a 6.6 client, it
   doesn't seem to
   work.
   Both were enrolled the same, obviously one is newer.
  
   Now, it gets stranger. The servers are CentOS 7.1
   also. If I login
   as
   root, bypassing kerberos, and then do kinit admin it
   works just
   fine.
   But if I do kinit usera I get:
  
   kinit: Generic preauthentication failure while getting
   initial
   credentials
  
   Which makes no sense. The account works with a 7.1
   client but not a
   6.x
   client?? And yet admin works, no matter what. What am
   I missing
   here?
  If I had to guess, usera is enabled for OTP-only login.
  Is that
  correct?
 
  If so, clients require RHEL 7.1 for OTP support. Also,
  the error you
  are getting is the result of not enabling FAST support
  for OTP
  authentication (see the -T option).
 
  Nathaniel
 Ok, this did give me an idea (Thanks Nathaniel)  -- the
 account was set for BOTH password and OTP.
 Apparently setting both does nothing. Yes a user can login
 with their password-only, but trying to use kinit does not
 work.

 I am not sure I understand where the FAST support or the -T

 option is to be applied. On kinit? That does not seem
 correct.
 Perhaps I am misunderstanding this option?

 ~J

If the user is enabled for OTP his credential are sent
differently than in the case when it is not enabled.
Effectively
instead of using encrypted timestamp the password and OTP are
   
sent to the server as data. But they can't be sent in clear.
You
need to encrypt the data. To encrypt it you need another key
-
the host key. The encryption of the data in this context is
called tunneling . FAST is the Kerberos protocol feature to
provide tunneling of the data sent over the wire. To use FAST
   
one needs to use -T on the kinit command line.
Does this help?
   
   It helps -- thank you.
  
   Now allow me to add a little more fun, and there may not be a
   solution.
From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA
-server
   principal and it works, gives me a ticket, and if I attempt to
  
   login to the web interface, since I already have my ticket -
   boom,
   works fine.
  
   Now, I enable 2FA and setup a token and change my account to
   OTP
   (with TOTP).  But as previously discussed, can't seem to
   specify a
   -T option from OS X.
  
   I know this sounds tricky -- Any ideas?
  Use
  kinit --fast-armor-cache /path/to/ccache to specify already
  existing ccache to armor the FAST processing.
 
  This is Heimdal-specific, and you should have Heimdal 1.6rc2 at
  least.
  You can check version number by running 'kinit --version'.
 Aha, so thee default on OS X Yosemite is

 $ kinit --version
 kinit (Heimdal 1.5.1apple1)

 so this won't work?
Yes, you have to have the feature in your Kerberos library.


Browsing the Heimdal source code, I don't even see any support for OTP
at all. :(

The support is since 1.6rc2, it uses the Richards' draft
(draft-richards-otp-kerberos-01.txt) as a base and handles preauth but I
don't think anything but login and ftpd supports passing the OTP token.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle
Ok, let me ask this a different way, because maybe there is a way, and I am 
just not seeing it.

I have 2 datacenters with typical bastions in each. I have enabled OTP and that 
works fine via ssh. But the user has to login to both and opening ssh tunnels 
is problematic at best.

Using all the creativity in this list, maybe someone knows of another way to 
have a user authenticate from a Mac where they would only have to do it once to 
get their ticket?

I guess I can't think of anything, but no harm in asking.

:)
~J

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
 Ok, let me ask this a different way, because maybe there is a way, 
 and I am just not seeing it.
 
 I have 2 datacenters with typical bastions in each. I have enabled 
 OTP and that works fine via ssh. But the user has to login to both 
 and opening ssh tunnels is problematic at best.
 
 Using all the creativity in this list, maybe someone knows of another 
 way to have a user authenticate from a Mac where they would only have 
 to do it once to get their ticket?
 
 I guess I can't think of anything, but no harm in asking.

Without support for the OTP pre-authentication mechanism, I don't know
of any way to do this while still retaining the security properties of
Kerberos. Basically, you'll have to hand over your password to a third
party (which has OTP support). This is ill advised.

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 17:18 +0300, Alexander Bokovoy wrote:
 On Mon, 18 May 2015, Nathaniel McCallum wrote:
  On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote:
   On Mon, 18 May 2015, Janelle wrote:
On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
 On Sun, 10 May 2015, Janelle wrote:
  On 5/5/15 6:47 AM, Dmitri Pal wrote:
   On 05/04/2015 09:38 PM, Janelle wrote:
On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
 On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
  Happy Star Wars Day!
  May the Fourth be with you!
  
  So I have a strange Kerberos problem trying to 
  figure
  out. On a
  CLIENT,  (CentOS 7.1) if I login to account usera
  they get a
  ticket as
  expected.  However, if I login to a 6.6 client, it
  doesn't seem to
  work.
  Both were enrolled the same, obviously one is 
  newer.
  
  Now, it gets stranger. The servers are CentOS 7.1
  also. If I login
  as
  root, bypassing kerberos, and then do kinit admin 
  it
  works just
  fine.
  But if I do kinit usera I get:
  
  kinit: Generic preauthentication failure while 
  getting
  initial
  credentials
  
  Which makes no sense. The account works with a 7.1
  client but not a
  6.x
  client?? And yet admin works, no matter what. 
  What am
  I missing
  here?
 If I had to guess, usera is enabled for OTP-only 
 login.
 Is that
 correct?
 
 If so, clients require RHEL 7.1 for OTP support. 
 Also,
 the error you
 are getting is the result of not enabling FAST 
 support
 for OTP
 authentication (see the -T option).
 
 Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the
account was set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can 
login
with their password-only, but trying to use kinit does 
not
work.

I am not sure I understand where the FAST support or 
the -T

option is to be applied. On kinit? That does not seem
correct.
Perhaps I am misunderstanding this option?

~J

   If the user is enabled for OTP his credential are sent
   differently than in the case when it is not enabled.
   Effectively
   instead of using encrypted timestamp the password and OTP 
   are
   
   sent to the server as data. But they can't be sent in 
   clear.
   You
   need to encrypt the data. To encrypt it you need another 
   key
   -
   the host key. The encryption of the data in this context 
   is
   called tunneling . FAST is the Kerberos protocol feature 
   to
   provide tunneling of the data sent over the wire. To use 
   FAST
   
   one needs to use -T on the kinit command line.
   Does this help?
   
  It helps -- thank you.
  
  Now allow me to add a little more fun, and there may not be 
  a
  solution.
   From OS X (Yosemite) I am able to kinit --kdc
   -hostname=IPA
   -server
  principal and it works, gives me a ticket, and if I 
  attempt to
  
  login to the web interface, since I already have my ticket 
  -
  boom,
  works fine.
  
  Now, I enable 2FA and setup a token and change my account 
  to
  OTP
  (with TOTP).  But as previously discussed, can't seem to
  specify a
  -T option from OS X.
  
  I know this sounds tricky -- Any ideas?
 Use
 kinit --fast-armor-cache /path/to/ccache to specify already
 existing ccache to armor the FAST processing.
 
 This is Heimdal-specific, and you should have Heimdal 1.6rc2 
 at
 least.
 You can check version number by running 'kinit --version'.
Aha, so thee default on OS X Yosemite is

$ kinit --version
kinit (Heimdal 1.5.1apple1)

so this won't work?
   Yes, you have to have the feature in your Kerberos library.
  
  Browsing the Heimdal source code, I don't even see any support for 
  OTP
  at all. :(
 The support is since 1.6rc2, it uses the Richards' draft
 (draft-richards-otp-kerberos-01.txt) as a base and handles preauth 
 but I
 don't think anything but login and ftpd supports passing the OTP 
 token.

Where is the code? I don't see any...

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy

On Mon, 18 May 2015, Nathaniel McCallum wrote:

On Mon, 2015-05-18 at 17:18 +0300, Alexander Bokovoy wrote:

On Mon, 18 May 2015, Nathaniel McCallum wrote:
 On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote:
  On Mon, 18 May 2015, Janelle wrote:
   On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
On Sun, 10 May 2015, Janelle wrote:
 On 5/5/15 6:47 AM, Dmitri Pal wrote:
  On 05/04/2015 09:38 PM, Janelle wrote:
   On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
 Happy Star Wars Day!
 May the Fourth be with you!

 So I have a strange Kerberos problem trying to
 figure
 out. On a
 CLIENT,  (CentOS 7.1) if I login to account usera
 they get a
 ticket as
 expected.  However, if I login to a 6.6 client, it
 doesn't seem to
 work.
 Both were enrolled the same, obviously one is
 newer.

 Now, it gets stranger. The servers are CentOS 7.1
 also. If I login
 as
 root, bypassing kerberos, and then do kinit admin
 it
 works just
 fine.
 But if I do kinit usera I get:

 kinit: Generic preauthentication failure while
 getting
 initial
 credentials

 Which makes no sense. The account works with a 7.1
 client but not a
 6.x
 client?? And yet admin works, no matter what.
 What am
 I missing
 here?
If I had to guess, usera is enabled for OTP-only
login.
Is that
correct?
   
If so, clients require RHEL 7.1 for OTP support.
Also,
the error you
are getting is the result of not enabling FAST
support
for OTP
authentication (see the -T option).
   
Nathaniel
   Ok, this did give me an idea (Thanks Nathaniel)  -- the
   account was set for BOTH password and OTP.
   Apparently setting both does nothing. Yes a user can
   login
   with their password-only, but trying to use kinit does
   not
   work.
  
   I am not sure I understand where the FAST support or
   the -T
  
   option is to be applied. On kinit? That does not seem
   correct.
   Perhaps I am misunderstanding this option?
  
   ~J
  
  If the user is enabled for OTP his credential are sent
  differently than in the case when it is not enabled.
  Effectively
  instead of using encrypted timestamp the password and OTP
  are
 
  sent to the server as data. But they can't be sent in
  clear.
  You
  need to encrypt the data. To encrypt it you need another
  key
  -
  the host key. The encryption of the data in this context
  is
  called tunneling . FAST is the Kerberos protocol feature
  to
  provide tunneling of the data sent over the wire. To use
  FAST
 
  one needs to use -T on the kinit command line.
  Does this help?
 
 It helps -- thank you.

 Now allow me to add a little more fun, and there may not be
 a
 solution.
  From OS X (Yosemite) I am able to kinit --kdc
  -hostname=IPA
  -server
 principal and it works, gives me a ticket, and if I
 attempt to

 login to the web interface, since I already have my ticket
 -
 boom,
 works fine.

 Now, I enable 2FA and setup a token and change my account
 to
 OTP
 (with TOTP).  But as previously discussed, can't seem to
 specify a
 -T option from OS X.

 I know this sounds tricky -- Any ideas?
Use
kinit --fast-armor-cache /path/to/ccache to specify already
existing ccache to armor the FAST processing.
   
This is Heimdal-specific, and you should have Heimdal 1.6rc2
at
least.
You can check version number by running 'kinit --version'.
   Aha, so thee default on OS X Yosemite is
  
   $ kinit --version
   kinit (Heimdal 1.5.1apple1)
  
   so this won't work?
  Yes, you have to have the feature in your Kerberos library.

 Browsing the Heimdal source code, I don't even see any support for
 OTP
 at all. :(
The support is since 1.6rc2, it uses the Richards' draft
(draft-richards-otp-kerberos-01.txt) as a base and handles preauth
but I
don't think anything but login and ftpd supports passing the OTP
token.


Where is the code? I don't see any...

Yes, you made me realize this is pre-richards code in lib/otp/.

Janelle: no support for Kerberos OTP on Mac OS X Yosemite or any other
Heimdal environment to date.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Alexander Bokovoy

On Mon, 18 May 2015, Janelle wrote:

On 5/10/15 11:57 PM, Alexander Bokovoy wrote:

On Sun, 10 May 2015, Janelle wrote:

On 5/5/15 6:47 AM, Dmitri Pal wrote:

On 05/04/2015 09:38 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out. On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the 
account was set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login 
with their password-only, but trying to use kinit does not 
work.


I am not sure I understand where the FAST support or the -T 
option is to be applied. On kinit? That does not seem correct. 
Perhaps I am misunderstanding this option?


~J

If the user is enabled for OTP his credential are sent 
differently than in the case when it is not enabled. Effectively 
instead of using encrypted timestamp the password and OTP are 
sent to the server as data. But they can't be sent in clear. You 
need to encrypt the data. To encrypt it you need another key - 
the host key. The encryption of the data in this context is 
called tunneling . FAST is the Kerberos protocol feature to 
provide tunneling of the data sent over the wire. To use FAST 
one needs to use -T on the kinit command line.

Does this help?


It helps -- thank you.

Now allow me to add a little more fun, and there may not be a solution.

From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA-server
principal and it works, gives me a ticket, and if I attempt to 
login to the web interface, since I already have my ticket - boom, 
works fine.


Now, I enable 2FA and setup a token and change my account to OTP 
(with TOTP).  But as previously discussed, can't seem to specify a 
-T option from OS X.


I know this sounds tricky -- Any ideas?

Use
kinit --fast-armor-cache /path/to/ccache to specify already 
existing ccache to armor the FAST processing.


This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check version number by running 'kinit --version'.

Aha, so thee default on OS X Yosemite is

$ kinit --version
kinit (Heimdal 1.5.1apple1)

so this won't work?

Yes, you have to have the feature in your Kerberos library.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Nathaniel McCallum
On Mon, 2015-05-18 at 17:03 +0300, Alexander Bokovoy wrote:
 On Mon, 18 May 2015, Janelle wrote:
  On 5/10/15 11:57 PM, Alexander Bokovoy wrote:
   On Sun, 10 May 2015, Janelle wrote:
On 5/5/15 6:47 AM, Dmitri Pal wrote:
 On 05/04/2015 09:38 PM, Janelle wrote:
  On 5/4/15 6:06 PM, Nathaniel McCallum wrote:
   On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure 
out. On a
CLIENT,  (CentOS 7.1) if I login to account usera 
they get a
ticket as
expected.  However, if I login to a 6.6 client, it 
doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 
also. If I login
as
root, bypassing kerberos, and then do kinit admin it 
works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting 
initial
credentials

Which makes no sense. The account works with a 7.1 
client but not a
6.x
client?? And yet admin works, no matter what. What am 
I missing
here?
   If I had to guess, usera is enabled for OTP-only login. 
   Is that
   correct?
   
   If so, clients require RHEL 7.1 for OTP support. Also, 
   the error you
   are getting is the result of not enabling FAST support 
   for OTP
   authentication (see the -T option).
   
   Nathaniel
  Ok, this did give me an idea (Thanks Nathaniel)  -- the 
  account was set for BOTH password and OTP.
  Apparently setting both does nothing. Yes a user can login 
  with their password-only, but trying to use kinit does not 
  work.
  
  I am not sure I understand where the FAST support or the -T 
  
  option is to be applied. On kinit? That does not seem 
  correct. 
  Perhaps I am misunderstanding this option?
  
  ~J
  
 If the user is enabled for OTP his credential are sent 
 differently than in the case when it is not enabled. 
 Effectively 
 instead of using encrypted timestamp the password and OTP are 
 
 sent to the server as data. But they can't be sent in clear. 
 You 
 need to encrypt the data. To encrypt it you need another key 
 - 
 the host key. The encryption of the data in this context is 
 called tunneling . FAST is the Kerberos protocol feature to 
 provide tunneling of the data sent over the wire. To use FAST 
 
 one needs to use -T on the kinit command line.
 Does this help?
 
It helps -- thank you.

Now allow me to add a little more fun, and there may not be a 
solution.
 From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA
 -server
principal and it works, gives me a ticket, and if I attempt to 

login to the web interface, since I already have my ticket - 
boom, 
works fine.

Now, I enable 2FA and setup a token and change my account to 
OTP 
(with TOTP).  But as previously discussed, can't seem to 
specify a 
-T option from OS X.

I know this sounds tricky -- Any ideas?
   Use
   kinit --fast-armor-cache /path/to/ccache to specify already 
   existing ccache to armor the FAST processing.
   
   This is Heimdal-specific, and you should have Heimdal 1.6rc2 at 
   least.
   You can check version number by running 'kinit --version'.
  Aha, so thee default on OS X Yosemite is
  
  $ kinit --version
  kinit (Heimdal 1.5.1apple1)
  
  so this won't work?
 Yes, you have to have the feature in your Kerberos library.

Browsing the Heimdal source code, I don't even see any support for OTP
at all. :(

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle

On 5/10/15 11:57 PM, Alexander Bokovoy wrote:

On Sun, 10 May 2015, Janelle wrote:

On 5/5/15 6:47 AM, Dmitri Pal wrote:

On 05/04/2015 09:38 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out. On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the account was 
set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login with 
their password-only, but trying to use kinit does not work.


I am not sure I understand where the FAST support or the -T option 
is to be applied. On kinit? That does not seem correct. Perhaps I 
am misunderstanding this option?


~J

If the user is enabled for OTP his credential are sent differently 
than in the case when it is not enabled. Effectively instead of 
using encrypted timestamp the password and OTP are sent to the 
server as data. But they can't be sent in clear. You need to encrypt 
the data. To encrypt it you need another key - the host key. The 
encryption of the data in this context is called tunneling . FAST is 
the Kerberos protocol feature to provide tunneling of the data sent 
over the wire. To use FAST one needs to use -T on the kinit command 
line.

Does this help?


It helps -- thank you.

Now allow me to add a little more fun, and there may not be a solution.

From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA-server
principal and it works, gives me a ticket, and if I attempt to login 
to the web interface, since I already have my ticket - boom, works fine.


Now, I enable 2FA and setup a token and change my account to OTP 
(with TOTP).  But as previously discussed, can't seem to specify a -T 
option from OS X.


I know this sounds tricky -- Any ideas?

Use
 kinit --fast-armor-cache /path/to/ccache to specify already existing 
ccache to armor the FAST processing.


This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check version number by running 'kinit --version'.

Aha, so thee default on OS X Yosemite is

$ kinit --version
kinit (Heimdal 1.5.1apple1)

so this won't work?

~J

PS - sorry for the questions, still trying to wrap my head around how to 
get OTP working from a term session so you can get your ticket and then 
login to all the hosts you need without reauthenticating.


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle

 On May 18, 2015, at 09:47, Nathaniel McCallum npmccal...@redhat.com wrote:
 
 On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:
 Ok, let me ask this a different way, because maybe there is a way, 
 and I am just not seeing it.
 
 I have 2 datacenters with typical bastions in each. I have enabled 
 OTP and that works fine via ssh. But the user has to login to both 
 and opening ssh tunnels is problematic at best.
 
 Using all the creativity in this list, maybe someone knows of another 
 way to have a user authenticate from a Mac where they would only have 
 to do it once to get their ticket?
 
 I guess I can't think of anything, but no harm in asking.
 
 Without support for the OTP pre-authentication mechanism, I don't know
 of any way to do this while still retaining the security properties of
 Kerberos. Basically, you'll have to hand over your password to a third
 party (which has OTP support). This is ill advised.
 
 Nathaniel

Excellent point.  Thanks for all the tips and advice. 
And of course for a great product that continues to get better.

~J

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-18 Thread Janelle

On 5/18/15 7:47 AM, Nathaniel McCallum wrote:

On Mon, 2015-05-18 at 09:45 -0500, Janelle wrote:

Ok, let me ask this a different way, because maybe there is a way,
and I am just not seeing it.

I have 2 datacenters with typical bastions in each. I have enabled
OTP and that works fine via ssh. But the user has to login to both
and opening ssh tunnels is problematic at best.

Using all the creativity in this list, maybe someone knows of another
way to have a user authenticate from a Mac where they would only have
to do it once to get their ticket?

I guess I can't think of anything, but no harm in asking.

Without support for the OTP pre-authentication mechanism, I don't know
of any way to do this while still retaining the security properties of
Kerberos. Basically, you'll have to hand over your password to a third
party (which has OTP support). This is ill advised.

Nathaniel
Going to see about installing MIT version from source on  Yosemite and 
see what happens.. Current is 1.13.2


Will let you know
~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-11 Thread Alexander Bokovoy

On Sun, 10 May 2015, Janelle wrote:

On 5/5/15 6:47 AM, Dmitri Pal wrote:

On 05/04/2015 09:38 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out. On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the account 
was set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login with 
their password-only, but trying to use kinit does not work.


I am not sure I understand where the FAST support or the -T option 
is to be applied. On kinit? That does not seem correct. Perhaps I 
am misunderstanding this option?


~J

If the user is enabled for OTP his credential are sent differently 
than in the case when it is not enabled. Effectively instead of 
using encrypted timestamp the password and OTP are sent to the 
server as data. But they can't be sent in clear. You need to encrypt 
the data. To encrypt it you need another key - the host key. The 
encryption of the data in this context is called tunneling . FAST is 
the Kerberos protocol feature to provide tunneling of the data sent 
over the wire. To use FAST one needs to use -T on the kinit command 
line.

Does this help?


It helps -- thank you.

Now allow me to add a little more fun, and there may not be a 
solution.

From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA-server
principal and it works, gives me a ticket, and if I attempt to login 
to the web interface, since I already have my ticket - boom, works 
fine.


Now, I enable 2FA and setup a token and change my account to OTP (with 
TOTP).  But as previously discussed, can't seem to specify a -T option 
from OS X.


I know this sounds tricky -- Any ideas?

Use
 kinit --fast-armor-cache /path/to/ccache 
to specify already existing ccache to armor the FAST processing.


This is Heimdal-specific, and you should have Heimdal 1.6rc2 at least.
You can check version number by running 'kinit --version'.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-10 Thread Janelle

On 5/5/15 6:47 AM, Dmitri Pal wrote:

On 05/04/2015 09:38 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out. On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the account was 
set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login with their 
password-only, but trying to use kinit does not work.


I am not sure I understand where the FAST support or the -T option is 
to be applied. On kinit? That does not seem correct. Perhaps I am 
misunderstanding this option?


~J

If the user is enabled for OTP his credential are sent differently 
than in the case when it is not enabled. Effectively instead of using 
encrypted timestamp the password and OTP are sent to the server as 
data. But they can't be sent in clear. You need to encrypt the data. 
To encrypt it you need another key - the host key. The encryption of 
the data in this context is called tunneling . FAST is the Kerberos 
protocol feature to provide tunneling of the data sent over the wire. 
To use FAST one needs to use -T on the kinit command line.

Does this help?


It helps -- thank you.

Now allow me to add a little more fun, and there may not be a solution.  
From OS X (Yosemite) I am able to kinit --kdc-hostname=IPA-server 
principal and it works, gives me a ticket, and if I attempt to login to 
the web interface, since I already have my ticket - boom, works fine.


Now, I enable 2FA and setup a token and change my account to OTP (with 
TOTP).  But as previously discussed, can't seem to specify a -T option 
from OS X.


I know this sounds tricky -- Any ideas?

Thank you
Janelle

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-05 Thread Dmitri Pal

On 05/04/2015 09:38 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the account was 
set for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login with their 
password-only, but trying to use kinit does not work.


I am not sure I understand where the FAST support or the -T option is 
to be applied. On kinit? That does not seem correct. Perhaps I am 
misunderstanding this option?


~J

If the user is enabled for OTP his credential are sent differently than 
in the case when it is not enabled. Effectively instead of using 
encrypted timestamp the password and OTP are sent to the server as data. 
But they can't be sent in clear. You need to encrypt the data. To 
encrypt it you need another key - the host key. The encryption of the 
data in this context is called tunneling . FAST is the Kerberos protocol 
feature to provide tunneling of the data sent over the wire. To use FAST 
one needs to use -T on the kinit command line.

Does this help?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Dmitri Pal

On 05/04/2015 11:49 AM, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a 
CLIENT,  (CentOS 7.1) if I login to account usera they get a ticket 
as expected.  However, if I login to a 6.6 client, it doesn't seem to 
work. Both were enrolled the same, obviously one is newer.


Now, it gets stranger. The servers are CentOS 7.1 also. If I login 
as root, bypassing kerberos, and then do kinit admin it works just 
fine. But if I do kinit usera I get:


kinit: Generic preauthentication failure while getting initial 
credentials


Which makes no sense. The account works with a 7.1 client but not a 
6.x client?? And yet admin works, no matter what. What am I missing 
here?


~J

This is really strange. What does happen on the server when you try 
kinit usera? Have you checked the KDC log?
Look at the usera entry, may be there is some strange attribute there 
that causes this failure. Compare with admin entry. May be it will shed 
some light.


--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Nathaniel McCallum
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
 Happy Star Wars Day!
 May the Fourth be with you!
 
 So I have a strange Kerberos problem trying to figure out.  On a 
 CLIENT,  (CentOS 7.1) if I login to account usera they get a 
 ticket as 
 expected.  However, if I login to a 6.6 client, it doesn't seem to 
 work. 
 Both were enrolled the same, obviously one is newer.
 
 Now, it gets stranger. The servers are CentOS 7.1 also. If I login 
 as 
 root, bypassing kerberos, and then do kinit admin it works just 
 fine. 
 But if I do kinit usera I get:
 
 kinit: Generic preauthentication failure while getting initial 
 credentials
 
 Which makes no sense. The account works with a 7.1 client but not a 
 6.x 
 client?? And yet admin works, no matter what. What am I missing 
 here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Janelle

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Ok, this did give me an idea (Thanks Nathaniel)  -- the account was set 
for BOTH password and OTP.
Apparently setting both does nothing. Yes a user can login with their 
password-only, but trying to use kinit does not work.


I am not sure I understand where the FAST support or the -T option is to 
be applied. On kinit? That does not seem correct. Perhaps I am 
misunderstanding this option?


~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Dmitri Pal

On 05/04/2015 09:22 PM, Janelle wrote:

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Apparently I am not being clear. The user account can login all over 
the place with no problems -- RHEL 7.1 or 6.6.  HOWEVER, on 7.1, a 
login provides a direct tgt, but no matter what you do on any other 
host using kinit (after logging in with an SSH key perhaps or as 
another user) and even know the password, you get this error.


Again, logging in with the password, not OTP, works just fine.

Confusing,
~J


Do you get any SELinux AVCs?
May be it is an issue of the ticket cache permissions/labels?

--
Thank you,
Dmitri Pal

Director of Engineering for IdM portfolio
Red Hat, Inc.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Simo Sorce
On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:
 Happy Star Wars Day!
 May the Fourth be with you!
 
 So I have a strange Kerberos problem trying to figure out.  On a 
 CLIENT,  (CentOS 7.1) if I login to account usera they get a ticket as 
 expected.  However, if I login to a 6.6 client, it doesn't seem to work. 
 Both were enrolled the same, obviously one is newer.
 
 Now, it gets stranger. The servers are CentOS 7.1 also. If I login as 
 root, bypassing kerberos, and then do kinit admin it works just fine. 
 But if I do kinit usera I get:
 
 kinit: Generic preauthentication failure while getting initial credentials
 
 Which makes no sense. The account works with a 7.1 client but not a 6.x 
 client?? And yet admin works, no matter what. What am I missing here?

Have you recently changed the user password ?
If so this symptom may indicate you are having replication issues
between your servers, and one of the client is hitting the server that
didn't get the keys replicated to it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Janelle



On 5/4/15 1:02 PM, Simo Sorce wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login as
root, bypassing kerberos, and then do kinit admin it works just fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial credentials

Which makes no sense. The account works with a 7.1 client but not a 6.x
client?? And yet admin works, no matter what. What am I missing here?

Have you recently changed the user password ?
If so this symptom may indicate you are having replication issues
between your servers, and one of the client is hitting the server that
didn't get the keys replicated to it.

Simo.

None of the above -- All the servers are replicated. The user account (a 
test account) has not changed PW in weeks and works everywhere else.  I 
nee to increase some logging. I guess the strange  part is as mentioned 
-- it works if you login directly to the 7.1 client, no matter which 
server it is pointed at.


~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] interesting Kerberos issue

2015-05-04 Thread Janelle

On 5/4/15 6:06 PM, Nathaniel McCallum wrote:

On Mon, 2015-05-04 at 08:49 -0700, Janelle wrote:

Happy Star Wars Day!
May the Fourth be with you!

So I have a strange Kerberos problem trying to figure out.  On a
CLIENT,  (CentOS 7.1) if I login to account usera they get a
ticket as
expected.  However, if I login to a 6.6 client, it doesn't seem to
work.
Both were enrolled the same, obviously one is newer.

Now, it gets stranger. The servers are CentOS 7.1 also. If I login
as
root, bypassing kerberos, and then do kinit admin it works just
fine.
But if I do kinit usera I get:

kinit: Generic preauthentication failure while getting initial
credentials

Which makes no sense. The account works with a 7.1 client but not a
6.x
client?? And yet admin works, no matter what. What am I missing
here?

If I had to guess, usera is enabled for OTP-only login. Is that
correct?

If so, clients require RHEL 7.1 for OTP support. Also, the error you
are getting is the result of not enabling FAST support for OTP
authentication (see the -T option).

Nathaniel
Apparently I am not being clear. The user account can login all over the 
place with no problems -- RHEL 7.1 or 6.6.  HOWEVER, on 7.1, a login 
provides a direct tgt, but no matter what you do on any other host using 
kinit (after logging in with an SSH key perhaps or as another user) and 
even know the password, you get this error.


Again, logging in with the password, not OTP, works just fine.

Confusing,
~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project