Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1486286
Description of problem:
IPA(IdM) installed on RHEL 7.4 with fips mode enabled, fails to authenticate with password+OTP. In the same setup with fips mode disabled, the password+otp authenticates successfully.

Version-Release number of selected component (if applicable):
RHEL 7.4 Kernel - 3.10.0-693.1.1.el7.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
FIPS mode enabled
# cat /proc/sys/crypto/fips_enabled
1
IPA VERSION: 4.5.0, API_VERSION: 2.228 - ipa-server-4.5.0-21.el7.x86_64
FreeOTP version 1.5 (17)

How reproducible:

Steps to Reproduce:
1. Install RHEL7.4 and enable FIPS mode
2. Add a user and enable two-factor authentication
3. Add OTP token from FreeOTP
4. Login with password+otp

Actual results:
Login fails as if wrong credentials supplied.

Expected results:
Successful authentication

Additional info:
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1486286
Metadata Update from @tkrizek: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)
Metadata Update from @fbarreto: - Issue assigned to fbarreto
Metadata Update from @fbarreto: - Assignee reset
This is most likely RADIUS breaking. It uses md5.
Specifically:
https://github.com/krb5/krb5/blob/master/src/lib/krad/attr.c#L157
https://github.com/krb5/krb5/blob/master/src/lib/krad/packet.c#L190
The internal usage of RADIUS (over a UNIX domain socket) is not a problem. Only root can read the packets. However, in FIPS mode, the RADIUS forwarding feature will have to be disabled.
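As an added illustration (not code from FreeIPA, krb5 or any commenter), this shows the MD5 dependency the linked krad attr.c line inherits from RFC 2865: the User-Password attribute is hidden by XORing it with an MD5 keystream keyed on the shared secret and the Request Authenticator, so a FIPS-enforcing OpenSSL, which refuses MD5, cannot even build the packet. It also reads the same /proc flag the report checks; the password, secret and Request Authenticator values are constructed.

```python
"""Added illustration, not FreeIPA or krb5 code: where RADIUS leans on MD5.

RFC 2865 s5.2 hides User-Password as c_i = p_i XOR MD5(secret + c_{i-1}),
seeded with the 16-byte Request Authenticator (c_0).
"""
import hashlib

FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"  # the flag the report cat's


def fips_enabled() -> bool:
    """Report the kernel FIPS flag; False when the file does not exist."""
    try:
        with open(FIPS_SYSCTL) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def md5_usable() -> bool:
    """hashlib.md5() raises ValueError when OpenSSL enforces FIPS mode."""
    try:
        hashlib.md5(b"").digest()
        return True
    except ValueError:
        return False


def hide_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Encode User-Password as the RADIUS client does (needs MD5)."""
    if len(req_auth) != 16 or not 0 < len(password) <= 128:
        raise ValueError("need a 16-byte Request Authenticator, 1..128-byte password")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to 16n
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: next keystream depends on this ciphertext
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_user_password; the NUL padding is stripped again."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")
```

On a FIPS-enabled host md5_usable() returns False and hide_user_password() raises, which is the same failure the forwarding path hits; the UNIX-socket path is also affected by the primitive, not by the transport.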
Unfortunately, this setting does not include RADIUS at all, even though that one would not work either if MD5 is required for it. I was able to reproduce this issue on a machine in our lab; we can discuss this later today on IRC.
Metadata Update from @stlaz: - Issue assigned to stlaz
Alexander pointed out to me the internals of our OTP system, I was not aware of the use of RADIUS, thus my previous comment is incorrect. @npmccallum - thanks for the pointers!
master:
ipa-4-5:
ipa-4-6:
Metadata Update from @stlaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Sorry, I closed the issue a little bit too quickly. We still need to wait for the backport to ipa-4-5
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)