f0d12b7 ipa-kdb: Remove keys if password auth is disabled

1 file changed. Authored by sbose 4 years ago, committed by abbra 4 years ago.
    ipa-kdb: Remove keys if password auth is disabled
    
    With commit 15ff9c8 a check was removed and as a result Kerberos keys
    are unconditionally added to the user entry struct if they are
    available. As a result the password related pre-authentication methods
    PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
    reply to an AS_REQ.
    
    With respect to the KDC policies this does not matter much because if
    password authentication is disabled for the given principal the policy
    will reject the AS_REQ if the user tries password authentication. This
    is possible because with commit 15ff9c8 kinit will ask for a password if
    called without any additional options (e.g. armor ticket or PKINIT
    identity). Before 15ff9c8 was committed it just failed with 'kinit:
    Pre-authentication failed: Invalid argument while getting initial
    credentials' because no suitable pre-authentication method was
    available. This is the same behavior as if no password was set for the
    given principal.
    
    But with this change SSSD fails to detect the available authentication
    types for the given principal properly. As described in
    https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
    SSSD uses the MIT Kerberos responder interface to determine the
    available authentication methods for the principal and does not check
    the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
    authentication configured, which implies that a password is set as the
    first factor, the responder interface will always indicate that password
    authentication is available even if only otp is enabled for the user.
    
    In this case SSSD will use a prompting which indicates that the second
    factor might be optional. Additionally if prompting the user directly is
    not possible (e.g. ssh with ChallengeResponseAuthentication /
    KbdInteractiveAuthentication disabled) the single string entered by the
    user will always be assumed as a password and not as a combination of
    password and otp-token value. As a consequence authentication will
    always fail because password authentication is disabled for the user and
    since SSSD does not do trial and error, 2FA is not tried.
    
    This patch adds back the check so that if password authentication is not
    available for the principal the Kerberos keys will not be added to the entry
    struct and the KDC will not advertise PA-ENC-TIMESTAMP or
    PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
    15ff9c8 should be preferred, SSSD handling of the available authentication
    types must be extended to read ipaUserAuthType as well to restore the
    user experience with respect to 2FA prompting and ssh behavior.
    
    Related to https://pagure.io/freeipa/issue/8001
    
    Reviewed-By: Robbie Harwood <rharwood@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>