#4411 Unable to kinit with OTP
Opened 7 years ago by edewata. Modified 3 months ago

If OTP is enabled, the user cannot perform kinit.

Steps to reproduce:
1. As admin, create a new user with password.
2. Enable OTP authentication for this user.
3. Create either a TOTP or HOTP token for this user.
4. Run kinit as this user.

Actual result:

$ kinit testuser
kinit: Generic preauthentication failure while getting initial credentials

When OTP authentication is disabled for this user, kinit works normally (i.e. it prompts for the password).

Expected result: kinit should work with OTP.
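The block below is an added example, not code from FreeIPA or from anyone in this ticket. It implements the HOTP (RFC 4226) and TOTP (RFC 6238) algorithms behind the token created in step 3, together with the verifier-side windows a KDC or directory server has to apply (a counter look-ahead for HOTP so a token whose button was pressed without the value being submitted can resynchronise, and a clock-skew allowance for TOTP). The secret is the RFC test-vector key, and the window sizes are illustrative assumptions, not FreeIPA's settings. It goes beyond the report, which only says that a token exists, to show what a valid token value is at each counter or time step and what a replayed or stale value looks like to the verifier.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) generation and verification.

Added example, not FreeIPA's implementation. The secret below is the
public RFC 4226 / RFC 6238 test-vector key; the HOTP look-ahead window
and the TOTP skew are illustrative assumptions, not FreeIPA defaults.
"""
import hmac
import struct
import time

# Constructed sample secret: the 20-byte key from the RFC test vectors.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """TOTP: HOTP with the counter derived from Unix time in `step` seconds."""
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, candidate: str, counter: int,
                window: int = 5, digits: int = 6):
    """Return the next expected counter on success, else None.

    Accepts counters counter .. counter+window-1 (resync after skipped
    presses) and never accepts a counter below `counter`, which is what
    stops a captured value from being replayed."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                skew: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current time step and `skew` steps either side."""
    current = now // step
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, current + delta, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # What an HOTP token displays on its first three presses.
    for c in range(3):
        print("HOTP counter", c, "->", hotp(SAMPLE_SECRET, c))
    # What a TOTP token displays right now (30-second step).
    print("TOTP now ->", totp(SAMPLE_SECRET, int(time.time())))
    # Verifier view: third press accepted, first press replayed is rejected.
    print("accept press 3:", verify_hotp(SAMPLE_SECRET, hotp(SAMPLE_SECRET, 2), 0))
    print("replay press 1:", verify_hotp(SAMPLE_SECRET, hotp(SAMPLE_SECRET, 0), 1))
```

The look-ahead window only moves forward: after a successful match the caller must persist the returned counter, otherwise the same HOTP value can be accepted again. For TOTP the skew of one step means a value stays usable for up to 90 seconds, so a verifier that wants single use also has to remember the last accepted time step.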


Currently, this is either "by design" or "known issue." FAST is required, so you need to use the kinit -T option. We are currently exploring enabling FAST automatically where possible. For more details, see: http://mailman.mit.edu/pipermail/krbdev/2014-May/011958.html

Nathaniel, please update the design document to mention this limitation and then close this ticket.

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

Not a priority for 4.0 - postponing.

4.1.4 was released, moving to new milestone

FreeIPA 4.2.1 was released, moving to 4.2.x.

It seems like this makes it impossible to enrol a new system with ipa-client-install, if the user(s) who can enrol new systems are 2FA-only?

I wanted to make it so my FreeIPA admin user is 2FA-only, but if I try to enrol a new client with freeipa-client-install, it seems it calls 'kinit admin@mydomain -c /tmp/sometmpfile' and hits exactly this error...so I'm kinda stuck, right, unless I temporarily disable 2FA for my admin user? That sucks.

edit: well, you can use a one-time password for enrolment I guess.

This is the current limitation of kinit. Sorry.

Requires SPAKE or #5678 therefore moving out of 4.3.x

Metadata Update from @edewata:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.5 backlog

4 years ago

It seems like this makes it impossible to enrol a new system with ipa-client-install, if the user(s) who can enrol new systems are 2FA-only?
I wanted to make it so my FreeIPA admin user is 2FA-only, but if I try to enrol a new client with freeipa-client-install, it seems it calls 'kinit admin@mydomain -c /tmp/sometmpfile' and hits exactly this error...so I'm kinda stuck, right, unless I temporarily disable 2FA for my admin user? That sucks.
edit: well, you can use a one-time password for enrolment I guess.

@adamwill How did you solve this?

@rdegraaff We have a separate issue to track enrollment with 2FA enabled. Since we now support PKINIT in 4.5+, this can be done by utilizing anonymous PKINIT. See https://pagure.io/freeipa/issue/6665

Metadata Update from @abbra:
- Issue close_status updated to: None

3 years ago

@rdegraaff sorry, I honestly don't remember whether or how I did. I probably temporarily disabled 2FA.

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1510734 (was: 0)

3 years ago

For anyone ending up in this thread, please follow these steps to make kinit work with OTP: https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit
