#7168 IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled
Closed: fixed 6 years ago Opened 6 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1486286

Description of problem:

IPA(IdM) installed on RHEL 7.4 with fips mode enabled, fails to authenticate
with password+OTP.  In the same setup with fips mode disabled, the password+otp
authenticates successfully.

Version-Release number of selected component (if applicable):

RHEL 7.4
Kernel - 3.10.0-693.1.1.el7.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)

FIPS mode enabled
# cat /proc/sys/crypto/fips_enabled
1

IPA
VERSION: 4.5.0, API_VERSION: 2.228 - ipa-server-4.5.0-21.el7.x86_64

FreeOTP version 1.5 (17)


How reproducible:


Steps to Reproduce:
1. Install RHEL7.4 and enable FIPS mode
2. Add a user and enable two factor authentication
3. Add OTP token from FreeOTP
4. Login with password+otp

Actual results:
Login fails as if wrong credentials supplied.

Expected results:
Successful authentication

Additional info:

Metadata Update from @pvoborni:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1486286

6 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

6 years ago

Metadata Update from @fbarreto:
- Issue assigned to fbarreto

6 years ago

Metadata Update from @fbarreto:
- Assignee reset

6 years ago

This is most likely RADIUS breaking. It uses MD5.

Specifically:

https://github.com/krb5/krb5/blob/master/src/lib/krad/attr.c#L157

https://github.com/krb5/krb5/blob/master/src/lib/krad/packet.c#L190

The internal usage of RADIUS (over a UNIX domain socket) is not a problem. Only root can read the packets. However, in FIPS mode, the RADIUS forwarding feature will have to be disabled.
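The two krad locations linked above implement the MD5 constructions that RFC 2865 mandates for RADIUS: User-Password hiding (section 5.2) and the Response Authenticator (section 3). The block below is an added, stand-alone Python illustration of those two constructions written for this page; it is not krb5's krad code, and the shared secret, Request Authenticator and password are constructed sample values, not from the ticket. The point it makes is that MD5 is load-bearing here, so on a FIPS-enforcing OpenSSL build the `hashlib.md5()` call raises `ValueError`, and a RADIUS proxy has no FIPS-approved substitute to fall back to.

```python
import hashlib
import struct

# Constructed sample values (not taken from the ticket).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))  # 16 random bytes in a real Access-Request
PASSWORD = b"correct horse battery staple"


def md5(data: bytes) -> bytes:
    # RFC 2865 hard-codes MD5. On a FIPS-enforcing OpenSSL build this call
    # raises ValueError ("unsupported hash type"); that is the failure mode
    # behind RADIUS breaking in FIPS mode. Nothing here is "not for security",
    # so usedforsecurity=False would be the wrong answer.
    return hashlib.md5(data).digest()


def md5_usable() -> bool:
    """True if this process may compute MD5 (i.e. not FIPS-restricted)."""
    try:
        hashlib.md5(b"").digest()
        return True
    except ValueError:
        return False


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2 (client side): pad the password with NULs to a
    multiple of 16 bytes, then c_1 = p_1 XOR MD5(S + RA) and
    c_i = p_i XOR MD5(S + c_(i-1)) for the following blocks."""
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = req_auth
    for i in range(0, len(padded), 16):
        b = md5(secret + prev)
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c  # chaining: each block keys the next
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password (server side). The NUL padding is
    stripped, which is why RFC 2865 passwords cannot end in NUL bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a positive multiple of 16 bytes")
    out = bytearray()
    prev = req_auth
    for i in range(0, len(hidden), 16):
        b = md5(secret + prev)
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: ResponseAuth =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)  # 20-byte header + attributes
    header = struct.pack("!BBH", code, ident, length)
    return md5(header + req_auth + attrs + secret)


if __name__ == "__main__":
    hidden = hide_user_password(PASSWORD, SECRET, REQUEST_AUTHENTICATOR)
    print(f"MD5 usable: {md5_usable()}")
    print(f"hidden User-Password ({len(hidden)} bytes): {hidden.hex()}")
    print(reveal_user_password(hidden, SECRET, REQUEST_AUTHENTICATOR))
    print(response_authenticator(2, 1, b"", REQUEST_AUTHENTICATOR, SECRET).hex())
```

Note that both constructions only protect against a passive observer who does not know the shared secret; the same secret and a UNIX domain socket readable only by root are what make the internal hop acceptable, while forwarding over the network in FIPS mode has no approved primitive to replace MD5 with.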

Unfortunately, this setting does not include RADIUS at all, even though that one would not work either if MD5 is required for it.
I was able to reproduce this issue on a machine in our lab, we can discuss this later today on IRC.

Metadata Update from @stlaz:
- Issue assigned to stlaz

6 years ago

Alexander pointed out to me the internals of our OTP system; I was not aware of the use of RADIUS, so my previous comment is incorrect. @npmccallum - thanks for the pointers!

master:

  • 16a952a Don't allow OTP or RADIUS in FIPS mode

ipa-4-5:

  • 2364880 Don't allow OTP or RADIUS in FIPS mode

ipa-4-6:

  • 61e7c41 Don't allow OTP or RADIUS in FIPS mode

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago

master:

  • c9c58f2 Fix OTP validation in FIPS mode
  • a01a24c Increase the default token key size
  • d498d72 Revert "Don't allow OTP or RADIUS in FIPS mode"

ipa-4-6:

  • acb59fc Fix OTP validation in FIPS mode
  • 6d4ce79 Increase the default token key size
  • 1df9767 Revert "Don't allow OTP or RADIUS in FIPS mode"

Sorry, I closed the issue a little bit too quickly. We still need to wait for the backport to ipa-4-5.

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

6 years ago

ipa-4-5:

  • 52c5998 Fix OTP validation in FIPS mode
  • c7d383c Increase the default token key size
  • 98efe7c Revert "Don't allow OTP or RADIUS in FIPS mode"

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
