[Freeipa-devel] [PATCHES 0089-0093] Authentication Indicators

Nathaniel McCallum npmccallum at redhat.com
Thu May 12 21:33:26 UTC 2016


On Fri, 2016-05-06 at 14:44 +0200, Sumit Bose wrote:
> On Wed, May 04, 2016 at 05:33:55PM -0400, Nathaniel McCallum wrote:
> > This series of patches implements authentication indicator insertion,
> > evaluation and management in FreeIPA. Besides these patches, two other
> > patches are needed to round out support.
> > 
> > First, we need a UI patch: https://fedorahosted.org/freeipa/ticket/
> > 5872
> > 
> > Second, we need a SSSD patch to handle the new case where multiple
> > responders are set (when either 1FA or 2FA can be used).
> 
> I've already some initial work done here and will continue with your
> patches.
> 
> > 
> > Please note that the last patch in this series (0093) is untested and
> > simply represents my desire to get these patches off of my hard disk
> > before I take a long weekend. This patch also requires mrogers' patch
> > 0001 (already merged to master).
> > 
> > Also worthy of note is the need for an OID for the authentication
> > control. Hopefully Simo can assign this after we agree that this
> > control method is sufficient. One question I had was whether or not it
> > would be possible to send the control only on UNIX sockets (0089;
> > report_auth_method()).
> > 
> > Please review the approaches taken here. I plan to hit this hard on
> > Monday.
> 
> I'm on a conference next week and currently busy preparing my
> presentation. I will give you feedback in the following week.

Thanks!

The attached patches offer the latest version of the work. The only
major outstanding item that I see is OID assignment (which we can do
just before committing).

I have tested the full stack both for appropriate approvals and denials
across all possible scenarios. In short it works.

The easiest way to test this is as following:

# After Clean Install of FreeIPA
$ kinit admin

# Add a service allowed by either 1FA or 2FA
$ ipa service-add ANY/ipa.example.com
$ ipa-getkeytab -p ANY/ipa.example.com -k /tmp/any.keytab

# Add a service allowed only by 2FA
$ ipa service-add OTP/ipa.example.com --auth-ind=otp
$ ipa-getkeytab -p OTP/ipa.example.com -k /tmp/otp.keytab

# Add the test user
$ ipa user-add test --user-auth-type=otp --user-auth-type=password
$ ipa passwd test
$ kinit test

# Try to get tickets for the services
$ kvno ANY/ipa.example.com # Expected success
$ kvno OTP/ipa.example.com # Expected failure

# Add a token and login with 2FA
$ ipa otptoken-add
$ kinit -T <ccache> test # Log in with 2FA

# Try to get tickets for the services
$ kvno ANY/ipa.example.com # Expected success
$ kvno OTP/ipa.example.com # Expected success
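The expected kvno results above follow from how the KDC matches a service's required indicators against the indicators carried in the client's TGT. The following is an added illustration of that check, not FreeIPA or MIT krb5 code; it assumes the MIT krb5 semantics that `require_auth` is a space-separated list of indicator names and that a ticket is issued when at least one of them is present in the TGT (a service with no `require_auth` accepts any TGT), and it assumes a password-only TGT carries no indicators. The service names, indicator values and TGT contents are constructed sample data.

```python
"""Model of the authentication-indicator check behind the kvno test above.

Added illustration only; it assumes MIT krb5 semantics and is not the
project's own code.
"""

# Constructed sample: service principal -> require_auth value (None = unset),
# mirroring `ipa service-add ANY/...` and `ipa service-add OTP/... --auth-ind=otp`.
SERVICES = {
    "ANY/ipa.example.com": None,
    "OTP/ipa.example.com": "otp",
}


def parse_require_auth(value):
    """Split a space-separated require_auth string into a set of indicators."""
    if not value:
        return set()
    return {tok for tok in value.split() if tok}


def ticket_allowed(require_auth, tgt_indicators):
    """Return True if a TGT carrying tgt_indicators may obtain a service
    ticket for a principal whose require_auth is the given string."""
    required = parse_require_auth(require_auth)
    if not required:            # no indicators configured: any TGT is accepted
        return True
    # At least one required indicator must appear in the TGT.
    return bool(required & set(tgt_indicators))


def kvno_outcomes(tgt_indicators, services=SERVICES):
    """Map each service to the expected kvno result for the given TGT."""
    return {svc: ticket_allowed(req, tgt_indicators)
            for svc, req in services.items()}


if __name__ == "__main__":
    # Password-only kinit: assumed to yield a TGT with no indicators.
    print("1FA TGT:", kvno_outcomes([]))
    # 2FA kinit (kinit -T ... with an OTP token): TGT carries the 'otp' indicator.
    print("2FA TGT:", kvno_outcomes(["otp"]))
```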
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0005-Enable-service-authentication-indicator-management.patch
Type: text/x-patch
Size: 6254 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160512/ac513be5/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Enable-authentication-indicators-for-OTP-and-RADIUS.patch
Type: text/x-patch
Size: 1986 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160512/ac513be5/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Return-password-only-preauth-if-passwords-are-allowe.patch
Type: text/x-patch
Size: 1676 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160512/ac513be5/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Ensure-that-ipa-otpd-bind-auths-validate-an-OTP.patch
Type: text/x-patch
Size: 5568 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160512/ac513be5/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Rename-syncreq.-ch-to-otpctrl.-ch.patch
Type: text/x-patch
Size: 4934 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160512/ac513be5/attachment-0004.bin>