On 22/12/2020 at 07:52, Sumit Bose wrote:
On Tue, Dec 22, 2020 at 01:50:55AM +0100, Abdelkader Chelouah wrote:
Hello,
I configured MIT Krb5-1.18.3 KDC to use FAST OTP with authentication
indicator "*strong*".
$ cat kdc.conf
...
[otp]
    softid = {
        server = 192.168.0.68:1812
        secret = /etc/.radius.secret
        strip_realm = true
        indicator = strong
        #timeout = <integer> (default: 5 [seconds])
        #retries = <integer> (default: 3)
    }
The Kerberos realm "DNS.PODMAN" has only two "otp" principals, *alice* and
*bob*.
$ kadmin.local getstrs alice
otp: [{"type":"softid"}]
$ kadmin.local getstrs bob
otp: [{"type":"softid"}]
Alice's password was purged with the command
kadmin.local purgekeys -all alice
On the sssd host (RHEL 7.9), the sssd service uses the following configuration
file
[sssd]
domains = DNS.PODMAN
services = nss,pam,ssh
config_file_version = 2
debug_level = 9
[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75
debug_level = 9
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/DNS.PODMAN]
debug_level = 0x04000
id_provider = ldap
ldap_uri = ldaps://kerb.dns.podman:636/
ldap_search_base = dc=dns,dc=podman
ldap_schema = rfc2307bis
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_sasl_mech = gssapi
ldap_sasl_authid = sssd/sssd.dns.podman
ldap_krb5_keytab = /etc/sssd/sssd.keytab
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
ldap_user_search_base = ou=people,dc=dns,dc=podman
ldap_user_object_class = posixAccount
ldap_group_search_base = ou=groups,dc=dns,dc=podman
ldap_group_object_class = groupOfNames
ldap_group_gid_number = gidNumber
ldap_group_member = member
auth_provider = krb5
krb5_server = kerb.dns.podman
krb5_realm = DNS.PODMAN
cache_credentials = true
krb5_keytab = /etc/krb5.keytab
krb5_use_fast = try
krb5_fast_principal = host/sssd.dns.podman
min_id = 10000
max_id = 20000
#enumerate = False
enumerate = True
[ssh]
debug_level = 9
# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sssd.dns.podman@DNS.PODMAN
   2 host/sssd.dns.podman@DNS.PODMAN
   2 host/sssd.dns.podman@DNS.PODMAN
   2 host/sssd.dns.podman@DNS.PODMAN
   2 host/sssd.dns.podman@DNS.PODMAN
   2 host/sssd.dns.podman@DNS.PODMAN
The service principal host/sssd.dns.podman is configured to require the
"strong" authentication indicator value.
$ kadmin getstrs host/sssd.dns.podman
require_auth: strong
When I ssh to the sssd host with the *alice* account, authentication using otp
works fine
[root@client /]# ssh alice@sssd
alice@sssd's password: <otp value>
Last login: Sat Dec 19 19:06:36 2020 from client.dns.podman
[alice@sssd ~]
However, if I ssh to the sssd host with the *bob* account, I can log in with
bob's password even though the service principal host/sssd.dns.podman is
configured to require the "strong" authentication indicator value
[root@client /]# ssh bob@sssd
bob@sssd's password: <bob's password>
Last login: Mon Dec 21 19:05:03 2020 from client.dns.podman
[bob@sssd ~]$
1. Why did password authentication for the bob principal succeed while the
authentication indicator is "strong"?
2. Is it possible to configure sssd to enforce "otp" authentication?
Hi,
I think it should work as you expect it if you add
krb5_validate = True
to the [domain/...] section of sssd.conf.
This option is needed because with the default Kerberos authentication
only user-related operations are performed. If FAST is left aside, it is
only asking the KDC for a TGT for the user; at this point the KDC cannot
know for which service you would like to use it.
With 'krb5_validate = True', after getting the TGT for the user SSSD will
try to validate it by requesting a service ticket for the principal from
the keytab. At this point the KDC can check the requirements configured
for the host and reject a TGT which does not have the needed
authentication indicators. If the KDC rejects the request, the ticket
validation and hence the authentication will fail.
HTH
bye,
Sumit
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Hello Sumit,
Thank you for your quick answer and the hint. Now with "krb5_validate =
true", a TGT obtained without the needed authentication indicator is rejected
[root@client shared]# ssh bob@sssd
bob@sssd's password:
Permission denied, please try again.
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional
pre-authentication required
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17: ISSUE:
authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18),
tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)},
bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN
Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
{rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN,
Required auth indicators not present in ticket: strong
Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes
{rep=UNSUPPORTED:(0)} bob@DNS.PODMAN for host/sssd.dns.podman@DNS.PODMAN,
Required auth indicators not present in ticket: strong
However, I'm still not able to log in using bob's *otp*
Dec 22 12:05:10 kerb.dns.podman krb5kdc[547](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional
pre-authentication required
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth
(encrypted_challenge) verify failure: Incorrect password in encrypted
challenge
Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ (8 etypes
{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17),
aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19),
DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23),
camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.89.0.17:
PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect
password in encrypted challenge
Pre-authentication using password is prioritized.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_check_old_ccache] (0x4000):
Ccache_file is [FILE:/tmp/krb5cc_10004] and is not active and TGT is not
valid.
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_precreate_ccache] (0x4000):
Recreating ccache
(2020-12-22 12:30:57): [krb5_child[277]] [find_principal_in_keytab]
(0x4000): Trying to find principal host/sssd.dns.podman@DNS.PODMAN in
keytab.
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892571: Getting initial credentials for bob@DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892572: FAST armor ccache:
MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892573: Retrieving host/sssd.dns.podman@DNS.PODMAN ->
krb5_ccache_conf_data/fast_avail/krbtgt\/DNS.PODMAN\@DNS.PODMAN@X-CACHECONF:
from MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result:
-1765328243/Matching credential not found
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892574: Using FAST due to KRB5_FAST_REQUIRED flag
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892575: Getting credentials host/sssd.dns.podman@DNS.PODMAN
-> krbtgt/DNS.PODMAN@DNS.PODMAN using ccache
MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892576: Retrieving host/sssd.dns.podman@DNS.PODMAN ->
krbtgt/DNS.PODMAN@DNS.PODMAN from
MEMORY:/var/lib/sss/db/fast_ccache_DNS.PODMAN with result: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892577: Armor ccache sesion key: aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892579: Creating authenticator for
host/sssd.dns.podman@DNS.PODMAN -> krbtgt/DNS.PODMAN@DNS.PODMAN, seqnum 0,
subkey aes256-cts/F61D, session key aes256-cts/3774
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892581: FAST armor key: aes256-cts/A391
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892583: Sending unauthenticated request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892584: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892585: Sending request (942 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892586: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892587: Received answer (545 bytes) from dgram
10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892588: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892589: Received error from KDC: -1765328359/Additional
pre-authentication required
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892590: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892593: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892594: Processing preauth types: PA-PK-AS-REQ (16),
PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
(141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892595: Selected etype info: etype aes256-cts, salt
"DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892596: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892597: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
question [otp].
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
question [password].
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892598: Preauth module pkinit (147) (info) returned:
0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892599: PKINIT client has no configured identity; giving up
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892600: Preauth module pkinit (16) (real) returned:
22/Invalid argument
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1] EINVAL.
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_prompter] (0x4000):
Prompt [0][Enter OTP Token Value].
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892601: Preauth module otp (141) (real) returned:
-1765328254/Cannot read password
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892603: Preauth module encrypted_challenge (138) (real)
returned: 0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892604: Produced preauth for next request: PA-FX-COOKIE
(133), PA-ENCRYPTED-CHALLENGE (138)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892605: Encoding request body and padata into FAST request
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892606: Sending request (1040 bytes) to DNS.PODMAN
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892607: Sending initial UDP request to dgram 10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892608: Received answer (545 bytes) from dgram
10.89.0.16:88
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892609: Response was from master KDC
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892610: Received error from KDC:
-1765328360/Preauthentication failed
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892611: Decoding FAST response
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892614: Preauthenticating using KDC method data
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892615: Processing preauth types: PA-PK-AS-REQ (16),
PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE
(141), PA-ENCRYPTED-CHALLENGE (138), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892616: Selected etype info: etype aes256-cts, salt
"DNS.PODMANbob", params ""
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892617: Received cookie: MIT
(2020-12-22 12:30:57): [krb5_child[277]] [sss_krb5_responder] (0x4000): Got
question [otp].
(2020-12-22 12:30:57): [krb5_child[277]] [sss_child_krb5_trace_cb] (0x4000):
[277] 1608640257.892618: Preauth module pkinit (147) (info) returned:
0/Success
(2020-12-22 12:30:57): [krb5_child[277]] [k5c_send_data] (0x4000): Response
sent.
Do you know if there is a way to tell sssd to enforce otp authentication
when a FAST channel is available?
I would also like to customize the login prompt for otp authentication.
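The two KDC traces in this thread show the whole story on the server side: Sumit's validation step surfaces as a TGS_REQ for host/sssd.dns.podman that the KDC answers with HIGHER_AUTHENTICATION_REQUIRED ("Required auth indicators not present in ticket: strong"), while the OTP attempt surfaces as a PREAUTH_FAILED on the encrypted_challenge module. The script below is an added example, not code from SSSD, MIT krb5 or either participant: it parses krb5kdc log lines in the format quoted above and flags both patterns, so the same check can be run over a real KDC log. SAMPLE_LOG is a constructed, abridged copy of the thread's own lines (the etype list is shortened); the record and function names are the example's own.

```python
"""Parse MIT krb5kdc log lines and flag authentication-indicator rejections.

Added example for this thread; it is not code from SSSD, MIT krb5 or the
thread's participants. The line format is the one the krb5kdc messages
quoted above use; SAMPLE_LOG is an abridged copy of those lines.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# "<ts> <kdc> krb5kdc[pid](level): AS_REQ|TGS_REQ (N etypes {...}) <client>:
#  STATUS: [authtime N, etypes {...}] <princ> for <server>[, <reason>]"
KDC_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\},? )?"
    r"(?P<princ>\S+) for (?P<server>[^,]+)"
    r"(?:, (?P<reason>.*))?$"
)
# Preauth-module failure line; it names the module but not the principal.
PREAUTH_FAIL_RE = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): preauth \((?P<module>\w+)\) verify failure: (?P<reason>.*)$"
)
INDICATOR_RE = re.compile(r"Required auth indicators not present in ticket: (?P<ind>.+)$")


@dataclass
class KdcEvent:
    kind: str              # AS_REQ or TGS_REQ
    status: str            # ISSUE, NEEDED_PREAUTH, PREAUTH_FAILED, HIGHER_AUTHENTICATION_REQUIRED, ...
    client: str            # requesting address
    princ: str             # client principal
    server: str            # requested service principal
    reason: Optional[str]  # trailing free-text reason, if any


def parse_kdc_log(lines: List[str]) -> List[KdcEvent]:
    """One KdcEvent per AS_REQ/TGS_REQ outcome line; other lines are skipped."""
    events = []
    for line in lines:
        m = KDC_REQ_RE.match(line.strip())
        if m:
            events.append(KdcEvent(m["kind"], m["status"], m["client"],
                                   m["princ"], m["server"], m["reason"]))
    return events


def indicator_violations(events: List[KdcEvent]) -> List[Dict[str, str]]:
    """TGS_REQs refused because the TGT lacks an indicator the service requires.

    The KDC logs a retried request once per worker process that saw it (the
    thread shows pids 546 and 550), so identical records are collapsed.
    """
    seen, out = set(), []
    for e in events:
        if e.kind != "TGS_REQ" or e.status != "HIGHER_AUTHENTICATION_REQUIRED":
            continue
        m = INDICATOR_RE.search(e.reason or "")
        rec = {"princ": e.princ, "server": e.server, "client": e.client,
               "required": m["ind"].strip() if m else "?"}
        key = tuple(sorted(rec.items()))
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def weak_tgt_holders(events: List[KdcEvent]) -> List[str]:
    """Principals ISSUEd a TGT and later rejected for a missing indicator.

    This is the 'bob' case in the thread: the AS exchange succeeded with a
    credential that carries no indicator, so that TGT still works against
    any service principal that has no require_auth string.
    """
    issued = {e.princ for e in events if e.kind == "AS_REQ" and e.status == "ISSUE"}
    rejected = {v["princ"] for v in indicator_violations(events)}
    return sorted(issued & rejected)


def preauth_failures(lines: List[str]) -> Counter:
    """Count 'preauth (<module>) verify failure' lines by (module, reason)."""
    c: Counter = Counter()
    for line in lines:
        m = PREAUTH_FAIL_RE.search(line)
        if m:
            c[(m["module"], m["reason"].strip())] += 1
    return c


# Constructed sample: the thread's KDC lines with the etype list shortened.
ETYPES = "(2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)})"
SAMPLE_LOG = [
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): AS_REQ {ETYPES} 10.89.0.17: "
    "NEEDED_PREAUTH: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Additional pre-authentication required",
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): AS_REQ {ETYPES} 10.89.0.17: "
    "ISSUE: authtime 1608638762, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), "
    "ses=aes256-cts-hmac-sha1-96(18)}, bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN",
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[546](info): TGS_REQ {ETYPES} 10.89.0.17: "
    "HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN "
    "for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong",
    f"Dec 22 12:06:02 kerb.dns.podman krb5kdc[550](info): TGS_REQ {ETYPES} 10.89.0.17: "
    "HIGHER_AUTHENTICATION_REQUIRED: authtime 1608638762, etypes {rep=UNSUPPORTED:(0)} bob@DNS.PODMAN "
    "for host/sssd.dns.podman@DNS.PODMAN, Required auth indicators not present in ticket: strong",
    "Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): preauth (encrypted_challenge) verify failure: "
    "Incorrect password in encrypted challenge",
    f"Dec 22 12:05:10 kerb.dns.podman krb5kdc[548](info): AS_REQ {ETYPES} 10.89.0.17: "
    "PREAUTH_FAILED: bob@DNS.PODMAN for krbtgt/DNS.PODMAN@DNS.PODMAN, Incorrect password in encrypted challenge",
]

if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    print(Counter((e.kind, e.status) for e in evs))
    for v in indicator_violations(evs):
        print(f"indicator '{v['required']}' missing: {v['princ']} -> {v['server']} from {v['client']}")
    print("TGT issued without required indicator:", weak_tgt_holders(evs))
    print("preauth failures:", dict(preauth_failures(SAMPLE_LOG)))
```

A hit from weak_tgt_holders is the condition krb5_validate closes on the SSSD side but does not remove on the KDC side: the principal still has a key that yields an indicator-less TGT, and only services with a require_auth string will refuse it. Feed the script `journalctl -u krb5kdc` or /var/log/krb5kdc.log one line per entry; mail-wrapped lines such as the ones quoted above need to be re-joined first.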