#9065 Can't log in after ipa user-mod USER --user-auth-type=hardened
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by yrro.

Issue

I've modified a user to require hardened information and they can't log in any more.

Steps to Reproduce

  1. ipa user-mod USER --user-auth-type=hardened
  2. KRB5_TRACE=/dev/stderr kinit -c MEMORY: USER

Actual behavior

No password prompt, error message: kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Expected behavior

Password prompt followed by successful authentication

Version/Release/Distribution

On RHEL 8:

ipa-server-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
ipa-client-4.9.6-10.module+el8.5.0+13587+92118e57.x86_64
389-ds-base-1.4.3.23-10.module+el8.5.0+12398+47000435.x86_64
pki-ca-10.11.2-2.module+el8.5.0+12735+8eb38ccc.noarch
krb5-server-1.18.2-14.el8.x86_64

Also seen on CentOS Stream 9:

ipa-server-4.9.6-9.el9.x86_64
ipa-client-4.9.6-9.el9.x86_64
389-ds-base-2.0.11-3.el9.x86_64
pki-ca-11.0.1-3.el9.noarch
krb5-server-1.19.1-12.el9.x86_64

Additional info:

krb5 trace from kinit command:
[admin@ipa-test0 ~]$ KRB5_TRACE=/dev/stderr KRB5CCNAME=MEMORY: kinit htest
[3910683] 1639666477.833986: Getting initial credentials for htest@IPATEST.QQ
[3910683] 1639666477.833988: Sending unauthenticated request
[3910683] 1639666477.833989: Sending request (167 bytes) to IPATEST.QQ
[3910683] 1639666477.833990: Initiating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833991: Sending TCP request to stream 192.168.0.7:88
[3910683] 1639666477.833992: Received answer (234 bytes) from stream 192.168.0.7:88
[3910683] 1639666477.833993: Terminating TCP connection to stream 192.168.0.7:88
[3910683] 1639666477.833994: Response was from primary KDC
[3910683] 1639666477.833995: Received error from KDC: -1765328359/Additional pre-authentication required
[3910683] 1639666477.833998: Preauthenticating using KDC method data
[3910683] 1639666477.833999: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[3910683] 1639666477.834000: Received cookie: MIT
[3910683] 1639666477.834001: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834002: Preauth module pkinit (147) (info) returned: 0/Success
[3910683] 1639666477.834003: PKINIT client received freshness token from KDC
[3910683] 1639666477.834004: Preauth module pkinit (150) (info) returned: 0/Success
[3910683] 1639666477.834005: PKINIT client has no configured identity; giving up
[3910683] 1639666477.834006: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

When trying to SSH in as the user:

==> /var/log/sssd/sssd_kcm.log <==
(2021-12-16 15:08:00): [kcm] [server_setup] (0x1f7c0): Starting with debug level = 0x0070

==> /var/log/sssd/krb5_child.log <==
(2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
*** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): krb5_child started.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x1000): total buffer size: [107]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x0100): cmd [241 (auth)] uid [1829800021] gid [1829800021] validate [true] enterprise principal [false] offline [false] UPN [htest@IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [unpack_buffer] (0x0100): ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [switch_creds] (0x0200): Switch user to [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [switch_creds] (0x0200): Switch user to [0][0].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_check_old_ccache] (0x4000): Ccache_file is [KCM:] and is not active and TGT is valid.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_precreate_ccache] (0x4000): Recreating ccache
* (2021-12-16 15:08:00): [krb5_child[3910870]] [k5c_setup_fast] (0x0100): Fast principal is set to [host/ipa-test0.example.qq@IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [find_principal_in_keytab] (0x4000): Trying to find principal host/ipa-test0.example.qq@IPATEST.QQ in keytab.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [match_principal] (0x1000): Principal matched to the sample (host/ipa-test0.example.qq@IPATEST.QQ).
* (2021-12-16 15:08:00): [krb5_child[3910870]] [check_fast_ccache] (0x0200): FAST TGT is still valid.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [become_user] (0x0200): Trying to become user [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x2000): Running as [1829800021][1829800021].
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_lifetime_options] (0x0100): No specific renewable lifetime requested.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_lifetime_options] (0x0100): No specific lifetime requested.
* (2021-12-16 15:08:00): [krb5_child[3910870]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): Will perform auth
* (2021-12-16 15:08:00): [krb5_child[3910870]] [main] (0x0400): Will perform online auth
* (2021-12-16 15:08:00): [krb5_child[3910870]] [tgt_req_child] (0x1000): Attempting to get a TGT
* (2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPATEST.QQ]
* (2021-12-16 15:08:00): [krb5_child[3910870]] [get_and_save_tgt] (0x0020): 1724: [-1765328174][Pre-authentication failed: Invalid argument]
*** BACKTRACE DUMP ENDS HERE *****

(2021-12-16 15:08:00): [krb5_child[3910870]] [map_krb5_error] (0x0020): [1432158222][Failure setting user credentials].
Thoughts:

I think it is due to this handling of 'ua' (user auth) in case 0 below, where IPADB_USER_AUTH_HARDENED should also have been considered:
https://pagure.io/freeipa/blob/master/f/daemons/ipa-kdb/ipa_kdb_principals.c#_786

    ret = ipadb_ldap_attr_to_key_data(lcontext, lentry,
                                      "krbPrincipalKey",
                                      &res_key_data, &result, &mkvno);
    switch (ret) {
    case 0:
        /* Only set a principal's key if password auth can be used. Otherwise
         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
         * reply for AS-REQs which indicate the password authentication is
         * available. This might confuse applications like e.g. SSSD which try
         * to determine suitable authentication methods and corresponding
         * prompts with the help of MIT Kerberos' responder interface which
         * acts on the returned pre-authentication methods. A typical example
         * is enforced OTP authentication where of course keys are available
         * for the first factor but password authentication should not be
         * advertised by the KDC. */
        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
            /* This is the same behavior as ENOENT below. */
            ipa_krb5_free_key_data(res_key_data, result);
            break;
        }

        entry->key_data = res_key_data;
        entry->n_key_data = result;
        if (mkvno) {
            krb5_int16 kvno16le = htole16((krb5_int16)mkvno);

            kerr = ipadb_set_tl_data(entry, KRB5_TL_MKVNO,
                                     sizeof(kvno16le),
                                     (krb5_octet *)&kvno16le);
            if (kerr) {
                goto done;
            }
        }
    case ENOENT:
        break;
    default:
        kerr = KRB5_KDB_INTERNAL_ERROR;
        goto done;
    }
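To make the effect of that condition concrete, here is a small stand-alone C model of the key-retention decision (added here as an illustration; it is not FreeIPA's code). The flag bit values are constructed for the model, and keys_kept_fixed is a hypothetical rendering of the correction the ticket asks for, namely treating hardened auth like password auth, since both rely on the principal's long-term keys. The model enumerates every combination of the auth-type bits and shows which ones the quoted predicate strips keys from even though the user still needs them.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed bit values for this model; the real definitions live in
 * ipa-kdb's headers and may differ. */
#define IPADB_USER_AUTH_NONE     0u
#define IPADB_USER_AUTH_PASSWORD (1u << 0)
#define IPADB_USER_AUTH_RADIUS   (1u << 1)
#define IPADB_USER_AUTH_OTP      (1u << 2)
#define IPADB_USER_AUTH_PKINIT   (1u << 3)
#define IPADB_USER_AUTH_HARDENED (1u << 4)
#define IPADB_USER_AUTH_ALL_BITS (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_RADIUS | \
                                  IPADB_USER_AUTH_OTP | IPADB_USER_AUTH_PKINIT | \
                                  IPADB_USER_AUTH_HARDENED)

/* The predicate exactly as quoted from ipa_kdb_principals.c in the ticket:
 * the principal's key_data is dropped when password auth is not enabled
 * and the auth-type set is not empty. Returns true when keys are kept. */
bool keys_kept_old(unsigned ua)
{
    if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE))
        return false;  /* same outcome as the ENOENT branch: no keys */
    return true;
}

/* Hypothetical corrected predicate: hardened auth is a first-factor
 * password method, so a hardened-only user must keep long-term keys too,
 * otherwise the KDC can only offer PKINIT preauth and kinit fails. */
bool keys_kept_fixed(unsigned ua)
{
    unsigned password_based = IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED;
    if (!(ua & password_based) && (ua != IPADB_USER_AUTH_NONE))
        return false;
    return true;
}

/* Count auth-type combinations where the old rule drops keys but the
 * corrected rule keeps them, i.e. users locked out by the quoted code. */
int count_regressions(void)
{
    int n = 0;
    for (unsigned ua = 0; ua <= IPADB_USER_AUTH_ALL_BITS; ua++) {
        if (!keys_kept_old(ua) && keys_kept_fixed(ua))
            n++;
    }
    return n;
}

/* Render a flag set as a short label for the table below. */
static void describe(unsigned ua, char *buf, size_t len)
{
    static const struct { unsigned bit; const char *name; } names[] = {
        { IPADB_USER_AUTH_PASSWORD, "password" }, { IPADB_USER_AUTH_RADIUS, "radius" },
        { IPADB_USER_AUTH_OTP, "otp" }, { IPADB_USER_AUTH_PKINIT, "pkinit" },
        { IPADB_USER_AUTH_HARDENED, "hardened" },
    };
    size_t used = 0;
    if (ua == IPADB_USER_AUTH_NONE) { snprintf(buf, len, "(none)"); return; }
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (ua & names[i].bit)
            used += (size_t)snprintf(buf + used, len - used, "%s%s",
                                     used ? "," : "", names[i].name);
    }
}

int main(void)
{
    char label[64];
    printf("%-40s %-9s %-9s\n", "user-auth-type", "old keys", "fixed keys");
    for (unsigned ua = 0; ua <= IPADB_USER_AUTH_ALL_BITS; ua++) {
        describe(ua, label, sizeof label);
        printf("%-40s %-9s %-9s%s\n", label,
               keys_kept_old(ua) ? "kept" : "dropped",
               keys_kept_fixed(ua) ? "kept" : "dropped",
               (!keys_kept_old(ua) && keys_kept_fixed(ua)) ? "  <-- locked out" : "");
    }
    printf("combinations regressed by the old rule: %d\n", count_regressions());
    return 0;
}
```

Every row with the hardened bit set and the password bit clear is marked as locked out: the old predicate strips the keys, so the KDC's NEEDED_PREAUTH reply lists only the PKINIT types seen in the trace above, while OTP-only and RADIUS-only users are unaffected by the change, as intended by the original commit.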

Metadata Update from @abbra:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2033342

2 years ago

That change was introduced in commit f0d12b7. It is worth reading the commit's message. I think that with the addition of IPADB_USER_AUTH_HARDENED, we missed this place.

@sbose what do you think?

Hi,

yes, IPADB_USER_AUTH_HARDENED should be added here.

bye,
Sumit

Metadata Update from @ftrivino:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6161

2 years ago

master:

  • 35e94be ipa-kdb: do not remove keys for hardened auth-enabled users
  • 97d123c ipatests: add case for hardened-only ticket policy

ipa-4-9:

  • 6d70421 ipa-kdb: do not remove keys for hardened auth-enabled users
  • 294ae35 ipatests: add case for hardened-only ticket policy

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
