On Tue, Dec 22, 2020 at 01:40:14PM +0100, Abdelkader Chelouah wrote:
> On 22/12/2020 at 07:52, Sumit Bose wrote:
> > On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
> > > Hello,
> > > 
> > > 
> > > I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication
> > > indicator "*strong*".
> > > 
> > > $ cat kdc.conf
> > > 
> > > ...
> > > 
> > > [otp]
> > >         softid = {
> > >                 server = 192.168.0.68:1812
> > >                 secret = /etc/.radius.secret
> > >                 strip_realm = true
> > >                 indicator = strong
> > >                 #timeout = <integer> (default: 5 [seconds])
> > >                 #retries = <integer> (default: 3)
> > >         }
> > > 
> > > 
> > > The kerberos Realm "DNS.PODMAN" has only two "otp" principals, *alice* and
> > > *bob.*
> > > 
> > > 
> > > $ kadmin.local getstrs alice
> > > otp: [{"type":"softid"}]
> > > 
> > > $ kadmin.local getstrs bob
> > > otp: [{"type":"softid"}
> > > 
> > > 
> > > Alice's password was purged with the command
> > > 
> > > 
> > > kadmin.local purgekeys -all alice
> > > 
> > > 
> > > On the sssd host (RHEL 7.9), sssd service uses the following configuration
> > > file
> > > 
> > > 
> > > [sssd]
> > > domains = DNS.PODMAN
> > > services = nss,pam,ssh
> > > config_file_version = 2
> > > debug_level = 9
> > > 
> > > [nss]
> > > filter_users = root
> > > filter_groups = root
> > > reconnection_retries = 3
> > > entry_cache_nowait_percentage = 75
> > > debug_level = 9
> > > 
> > > [pam]
> > > reconnection_retries = 3
> > > offline_credentials_expiration = 2
> > > offline_failed_login_attempts = 3
> > > offline_failed_login_delay = 5
> > > 
> > > [domain/DNS.PODMAN]
> > > debug_level = 0x04000
> > > id_provider = ldap
> > > ldap_uri = ldaps://kerb.dns.podman:636/
> > > ldap_search_base = dc=dns,dc=podman
> > > ldap_schema = rfc2307bis
> > > ldap_tls_reqcert = demand
> > > ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
> > > 
> > > ldap_sasl_mech = gssapi
> > > ldap_sasl_authid = sssd/sssd.dns.podman
> > > ldap_krb5_keytab = /etc/sssd/sssd.keytab
> > > ldap_krb5_init_creds = true
> > > ldap_krb5_ticket_lifetime = 86400
> > > 
> > > ldap_user_search_base = ou=people,dc=dns,dc=podman
> > > ldap_user_object_class = posixAccount
> > > 
> > > ldap_group_search_base = ou=groups,dc=dns,dc=podman
> > > ldap_group_object_class = groupOfNames
> > > ldap_group_gid_number = gidNumber
> > > ldap_group_member = member
> > > 
> > > auth_provider = krb5
> > > krb5_server = kerb.dns.podman
> > > krb5_realm = DNS.PODMAN
> > > cache_credentials = true
> > > krb5_keytab = /etc/krb5.keytab
> > > krb5_use_fast = try
> > > krb5_fast_principal = host/sssd.dns.podman
> > > 
> > > min_id = 10000
> > > max_id = 20000
> > > #enumerate = False
> > > enumerate = True
> > > 
> > > [ssh]
> > > debug_level = 9
> > > 
> > > # klist -k /etc/krb5.keytab
> > > Keytab name: FILE:/etc/krb5.keytab
> > > KVNO Principal
> > > ------------------------------------------------------------------------------
> > >    2 host/[email protected]
> > >    2 host/[email protected]
> > >    2 host/[email protected]
> > >    2 host/[email protected]
> > >    2 host/[email protected]
> > >    2 host/[email protected]
> > > 
> > > The service principal host/sssd.dns.podman is configured to require the
> > > "strong" authentication indicator value.
> > > 
> > > $ kadmin getstrs host/sssd.dns.podman
> > > require_auth: strong
> > > 
> > > 
> > > When I ssh to the sssd host with the *alice* account, authentication using otp
> > > is working fine
> > > 
> > > [root@client /]# ssh alice@sssd
> > > alice@sssd's password: <otp value>
> > > Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
> > > [alice@sssd ~]
> > > 
> > > 
> > > However, if I ssh to the sssd host with the *bob* account, I can log in with
> > > bob's password even though the service principal host/sssd.dns.podman is
> > > configured to require the "strong" authentication indicator value
> > > 
> > > [root@client /]# ssh bob@sssd
> > > bob@sssd's password: <bob's password>
> > > Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
> > > [bob@sssd ~]$
> > > 
> > > 
> > > 1. Why did password authentication for the bob principal succeed while the
> > >     authentication indicator is "strong"?
> > > 2. Is it possible to configure sssd to enforce "otp" authentication?
> > Hi,
> > 
> > I think it should work as you expect it if you add
> > 
> >      krb5_validate = True
> > 
> > to the [domain/...] section of sssd.conf.
> > 
> > This option is needed because with the default Kerberos authentication
> > only user related operations are performed. Leaving FAST aside, it only
> > asks the KDC for a TGT for the user; at this point the KDC cannot know
> > for which service you would like to use it.
> > 
> > With 'krb5_validate = True', after getting the TGT for the user SSSD will
> > try to validate it by requesting a service ticket for the principal from
> > the keytab. At this point the KDC can check the requirements configured
> > for the host and reject a TGT which does not have the needed
> > authentication indicators. If the KDC rejects the request, the ticket
> > validation and hence the authentication will fail.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> > > _______________________________________________
> > > sssd-users mailing list -- [email protected]
> > > To unsubscribe send an email to [email protected]
> > > Fedora Code of Conduct: 
> > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: 
> > > https://lists.fedorahosted.org/archives/list/[email protected]
> 
> Hello Sumit,
> 
> 
> Thank you for your quick answer and the hint. Now with "krb5_validate =
> true", a TGT obtained without the needed authentication indicator is rejected
> 
> [root@client shared]# ssh bob@sssd
> bob@sssd's password:
> Permission denied, please try again.
> 
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional
> pre-authentication required
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE:
> authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18),
> tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
> [email protected] for krbtgt/[email protected]
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
> {rep=UNSUPPORTED:(0)} [email protected] for host/[email protected],
> Required auth indicators not present in ticket: strong
> 
> Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
> {rep=UNSUPPORTED:(0)} [email protected] for host/[email protected],
> Required auth indicators not present in ticket: strong
> 
> However, I'm still not able to log in using bob's *otp*
> 
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> NEEDED_PREAUTH: [email protected] for krbtgt/[email protected], Additional
> pre-authentication required
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth
> (encrypted_challenge) verify failure: Incorrect password in encrypted
> challenge
> Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes
> {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
> aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
> DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
> camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
> PREAUTH_FAILED: [email protected] for krbtgt/[email protected], Incorrect
> password in encrypted challenge
> 
> 
> Pre-authentication using the password is prioritized.
> 
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000):
> Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not
> valid.
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000):
> Recreating ccache
> (2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab]
> (0x4000): Trying to find principal host/[email protected] in
> keytab.
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892571: Getting initial credentials for [email protected]
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892572: FAST armor ccache:
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892573: Retrieving host/[email protected] ->
> krb5_ccache_conf_data/fast_avail/krbtgt\/DNS.PODMAN\@DNS.PODMAN@X-CACHECONF:
> from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result:
> -1765328243/Matching credential not found
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892575: Getting credentials host/[email protected]
> -> krbtgt/[email protected] using ccache
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892576: Retrieving host/[email protected] ->
> krbtgt/[email protected] from
> MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892579: Creating authenticator for
> host/[email protected] -> krbtgt/[email protected], seqnum 0,
> subkey aes256-cts/F61D, session key aes256-cts/3774
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892581: FAST armor key: aes256-cts/A391
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892583: Sending unauthenticated request
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892584: Encoding request body and padata into FAST request
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892587: Received answer (545 bytes) from dgram
> 10.89.0.16:88
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892588: Response was from master KDC
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892589: Received error from KDC: -1765328359/Additional
> pre-authentication required
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892590: Decoding FAST response
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892593: Preauthenticating using KDC method data
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16),
> PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
> (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892595: Selected etype info: etype aes256-cts, salt
> "DNS.PODMANbob", params ""
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892596: Received cookie: MIT
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892597: PKINIT client has no configured identity; giving up
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [otp].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [password].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892598: Preauth module pkinit (147) (info) returned:
> 0/Success
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892599: PKINIT client has no configured identity; giving up
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892600: Preauth module pkinit (16) (real) returned:
> 22/Invalid argument
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
> sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
> Prompt [0][Enter OTP Token Value].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892601: Preauth module otp (141) (real) returned:
> -1765328254/Cannot read password
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892603: Preauth module encrypted_challenge (138) (real)
> returned: 0/Success
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE
> (133), PA-ENCRYPTED-CHALLENGE (138)
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892605: Encoding request body and padata into FAST request
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892608: Received answer (545 bytes) from dgram
> 10.89.0.16:88
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892609: Response was from master KDC
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892610: Received error from KDC:
> -1765328360/Preauthentication failed
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892611: Decoding FAST response
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892614: Preauthenticating using KDC method data
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16),
> PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
> (141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892616: Selected etype info: etype aes256-cts, salt
> "DNS.PODMANbob", params ""
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892617: Received cookie: MIT
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
> question [otp].
> (2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
> [277] 1608640257.892618: Preauth module pkinit (147) (info) returned:
> 0/Success
> 
> (2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response
> sent.
> 
> 
> Do you know if there is a way to tell sssd to enforce otp authentication
> when a FAST channel is available?
> 
> 
> I would also like to customize the login prompt for otp authentication.

Hi,

You are right, password based authentication is preferred. To change this,
SSSD must figure out what authentication methods are available before
asking the user to enter the credentials.

To achieve this you can just try to call

    touch /var/lib/sss/pubconf/pam_preauth_available

and try to authenticate again.

More elegant, and since you said you want to customize the prompting
anyway, is to add something like

    [prompting/2fa]
    first_prompt = Please enter the first factor:
    second_prompt = Please enter the second factor:

to sssd.conf.

Please note, in the sssd.conf man page there is the option
'single_prompt' documented for '[prompting/2fa]', but since it looks
like you want to allow password and otp, you have to take the two-prompt
version, because otherwise SSSD would not know if you want to use only
the password or if both factors should be used.

HTH

bye,
Sumit

> 
> Regards
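As an added illustration of both points Sumit makes in this thread (the service-ticket check that 'krb5_validate = True' turns on, and the two-prompt '[prompting/2fa]' setup that lets SSSD ask for the OTP), here is a small audit script. It is not part of SSSD or MIT krb5 and was not posted by anyone in the thread; the function names are my own. It parses an sssd.conf in the shape quoted above and flags a Kerberos domain whose TGT is never validated against the host keytab (so the KDC never gets to apply the host's 'require_auth' indicator), and it pulls the KDC's HIGHER_AUTHENTICATION_REQUIRED rejections out of krb5kdc log lines of the kind quoted above. The configuration text and log lines embedded in it are constructed for the example, with the etype list shortened and principal names written out where the archive redacted them.

```python
"""Audit helpers for the sssd.conf and krb5kdc log material in this thread.
Added example, not SSSD's or MIT krb5's own code; samples are constructed."""
import configparser
import re

# Trimmed sssd.conf in the shape quoted in the thread (constructed sample).
SAMPLE_SSSD_CONF = """
[sssd]
domains = DNS.PODMAN
services = nss,pam,ssh

[domain/DNS.PODMAN]
id_provider = ldap
auth_provider = krb5
krb5_realm = DNS.PODMAN
krb5_keytab = /etc/krb5.keytab
krb5_use_fast = try
krb5_fast_principal = host/sssd.dns.podman
"""

# The same configuration with both changes suggested in the thread applied.
FIXED_SSSD_CONF = SAMPLE_SSSD_CONF + """
krb5_validate = True

[prompting/2fa]
first_prompt = Please enter the first factor:
second_prompt = Please enter the second factor:
"""


def _is_true(value):
    # sssd.conf booleans are written as true/false, case-insensitively.
    return value is not None and value.strip().lower() == "true"


def audit_sssd_conf(text):
    """Findings for krb5 domains that never validate the TGT against the host
    keytab, and for a missing or incomplete [prompting/2fa] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "auth_provider", fallback="") != "krb5":
            continue
        if not _is_true(cp.get(section, "krb5_validate", fallback=None)):
            findings.append(
                f"{section}: krb5_validate is not True, so no service ticket "
                "for the host principal is requested and the KDC never gets "
                "to check the host's require_auth indicator")
    if not cp.has_section("prompting/2fa"):
        findings.append("[prompting/2fa] missing: SSSD cannot tell that a "
                        "second factor may be wanted; password preauth wins")
    else:
        for key in ("first_prompt", "second_prompt"):
            if not cp.has_option("prompting/2fa", key):
                findings.append(f"[prompting/2fa] lacks {key}: with password "
                                "and OTP both allowed the two-prompt form is needed")
    return findings


# Constructed krb5kdc lines mirroring the ones quoted above (etype list
# shortened, principals written out where the archive redacted them).
SAMPLE_KDC_LOG = [
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: "
    "ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), "
    "tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, "
    "bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN",
    "Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: "
    "HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes "
    "{rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN, "
    "Required auth indicators not present in ticket: strong",
    "Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (2 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.89.0.17: "
    "PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, "
    "Incorrect password in encrypted challenge",
]

# request type, client IP, status, client principal, service principal, detail
KDC_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): (?P<req>AS_REQ|TGS_REQ) .*?\) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+): (?P<status>[A-Z_]+): "
    r"(?:.*? )?(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
    r"(?:, (?P<detail>.*))?$"
)


def parse_kdc_log(lines):
    """Turn krb5kdc request lines into dicts; non-matching lines are skipped."""
    return [m.groupdict() for m in map(KDC_RE.search, lines) if m]


def indicator_rejections(lines):
    """(client, service, indicator) for each TGS_REQ the KDC refused because the
    TGT lacked a required authentication indicator; with krb5_validate on, this
    is the event that turns a password-only login into a denial."""
    hits = []
    for ev in parse_kdc_log(lines):
        detail = ev["detail"] or ""
        if (ev["req"] == "TGS_REQ"
                and ev["status"] == "HIGHER_AUTHENTICATION_REQUIRED"
                and "Required auth indicators not present in ticket:" in detail):
            hits.append((ev["client"], ev["server"],
                         detail.rsplit(":", 1)[1].strip()))
    return hits


if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print("finding:", finding)
    print("after fix:", audit_sssd_conf(FIXED_SSSD_CONF))
    for client, service, indicator in indicator_rejections(SAMPLE_KDC_LOG):
        print(f"KDC refused {service} to {client}: indicator '{indicator}' missing")
```

Without the validation step the KDC log shows only the AS_REQ ISSUE for bob and nothing names the host, so the only place the missing indicator becomes visible is the TGS_REQ that 'krb5_validate' causes; that is the line worth alerting on for hosts that require an indicator. The script does not check for the '/var/lib/sss/pubconf/pam_preauth_available' file Sumit mentions as the quick alternative, since that is a filesystem state rather than a setting in sssd.conf.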
