#8304 [fed32] client-install does not properly set ChallengeResponseAuthentication yes in sshd conf
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

The nightly test test_integration/test_otp.py::TestOTPToken::test_2fa_enable_single_prompt failed in testing_master_latest, in PR 4627. See the logs:

self = <ipatests.test_integration.test_otp.TestOTPToken object at 0x7f5874e0a760>

    def test_2fa_enable_single_prompt(self):
        """Test ssh with 2FA when single prompt is enabled.

        Test for : https://pagure.io/SSSD/sssd/issue/3264

        When [prompting/2fa/sshd] with single_prompt = True is set
        then during ssh it should be prompted with given message
        for first and second factor at once.
        """
        master = self.master
        USER1 = 'sshuser1'
        sssd_conf_backup = tasks.FileBackup(master, paths.SSSD_CONF)
        first_prompt = 'Please enter password + OTP token value:'
        add_contents = textwrap.dedent('''
            [prompting/2fa/sshd]
            single_prompt = True
            first_prompt = {0}
            ''').format(first_prompt)
        set_sssd_conf(master, add_contents)
        tasks.create_active_user(master, USER1, PASSWORD)
        tasks.kinit_admin(master)
        master.run_command(['ipa', 'user-mod', USER1, '--user-auth-type=otp'])
        try:
            otpuid, totp = add_otptoken(master, USER1, otptype='totp')
            master.run_command(['ipa', 'otptoken-show', otpuid])
            otpvalue = totp.generate(int(time.time())).decode('ascii')
            answers = {
                first_prompt: '{0}{1}'.format(PASSWORD, otpvalue),
            }
>           ssh_2f(master.hostname, USER1, answers)

test_integration/test_otp.py:254: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
test_integration/test_otp.py:105: in ssh_2f
    trans.auth_interactive(username, answer_handler)
../paramiko/transport.py:1633: in auth_interactive
    return self.auth_handler.wait_for_response(my_event)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <paramiko.auth_handler.AuthHandler object at 0x7f5874d4c5e0>
event = <threading.Event object at 0x7f5874d5af70>

    def wait_for_response(self, event):
        max_ts = None
        if self.transport.auth_timeout is not None:
            max_ts = time.time() + self.transport.auth_timeout
        while True:
            event.wait(0.1)
            if not self.transport.is_active():
                e = self.transport.get_exception()
                if (e is None) or issubclass(e.__class__, EOFError):
                    e = AuthenticationException("Authentication failed.")
                raise e
            if event.is_set():
                break
            if max_ts is not None and max_ts <= time.time():
                raise AuthenticationException("Authentication timeout.")

        if not self.is_authenticated():
            e = self.transport.get_exception()
            if e is None:
                e = AuthenticationException("Authentication failed.")
            # this is horrible.  Python Exception isn't yet descended from
            # object, so type(e) won't work. :(
            if issubclass(e.__class__, PartialAuthentication):
                return e.allowed_types
>           raise e
E           paramiko.ssh_exception.BadAuthenticationType: Bad authentication type; allowed types: ['publickey', 'gssapi-keyex', 'gssapi-with-mic', 'password']

../paramiko/auth_handler.py:250: BadAuthenticationType

Metadata Update from @frenaud:
- Issue tagged with: test-failure, tests

3 years ago

The test succeeds in fedora 31 but fails in fedora 32. In fedora 32, sshd has a drop-in directory /etc/ssh/sshd_config.d/ that allows including additional configuration files, and 05-redhat.conf is shipped in this directory, setting ChallengeResponseAuthentication no. As a consequence, the ssh client unconditionally just prompts for a password and the PAM conversation is not available.

ipa-client-install is setting ChallengeResponseAuthentication yes, but in the file /etc/ssh/sshd_config, and it looks like the settings in 05-redhat.conf win, resulting in ChallengeResponseAuthentication no.

We should probably also use a drop-in config file and make sure that it has higher priority.
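As an added illustration (not code from this ticket or from FreeIPA), the Python below models sshd's "first obtained value wins" rule over an Include drop-in directory, using a constructed in-memory file layout that assumes Fedora 32's sshd_config opens with `Include /etc/ssh/sshd_config.d/*.conf`; it shows why the setting appended to sshd_config loses to 05-redhat.conf and why the 04-ipa.conf snippet from the fix wins.

```python
import fnmatch

# Constructed, in-memory stand-in for /etc/ssh on a Fedora 32 host (the real
# sshd_config is longer; the Include-first layout is an assumption).
FEDORA32_FILES = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PasswordAuthentication yes\n"
        "ChallengeResponseAuthentication yes\n"   # appended by the old client-install
    ),
    "/etc/ssh/sshd_config.d/05-redhat.conf": (
        "ChallengeResponseAuthentication no\n"
        "UsePAM yes\n"
    ),
}

def directives(path, files):
    """Yield (keyword, value) pairs in the order sshd reads them, expanding
    Include patterns in lexical (sorted glob) order."""
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "include":
            for pattern in value.split():
                for inc in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from directives(inc, files)
        else:
            yield key.lower(), value.strip()

def effective(keyword, files, root="/etc/ssh/sshd_config"):
    """sshd_config(5): for each keyword, the first obtained value is used."""
    for key, value in directives(root, files):
        if key == keyword.lower():
            return value
    return None

def with_ipa_dropin(files):
    """The fix from this ticket: a 04-ipa.conf snippet sorts before 05-redhat.conf."""
    fixed = dict(files)
    fixed["/etc/ssh/sshd_config.d/04-ipa.conf"] = "ChallengeResponseAuthentication yes\n"
    return fixed

if __name__ == "__main__":
    print(effective("ChallengeResponseAuthentication", FEDORA32_FILES))                   # no
    print(effective("ChallengeResponseAuthentication", with_ipa_dropin(FEDORA32_FILES)))  # yes
```

On a real host, `sshd -T | grep -i challengeresponseauthentication` prints the value sshd actually resolved, which is the quickest way to confirm which file won.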

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4839

3 years ago

master:

  • 3cf9979 ipa-client-install: use sshd drop-in configuration
  • 511f519 client install: fix broken sshd config

ipa-4-8:

  • b317222 ipa-client-install: use sshd drop-in configuration
  • 3ea611c client install: fix broken sshd config

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata Update from @frenaud:
- Custom field changelog adjusted to ipa-client-installation now writes the sshd configuration to the drop-in directory /etc/ssh/sshd_config.d/, in the 04-ipa.conf snippet, thus ensuring that the setting "ChallengeResponseAuthentication yes" takes precedence.

3 years ago

Fixing this created another problem, because the spec trigger doesn't ensure that sshd_config actually includes the snippet files: https://pagure.io/freeipa/issue/8535
