[Freeipa-devel] FreeIPA OTP End-to-End

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 23 09:54:35 UTC 2013



----- Original Message -----
> From: "Dmitri Pal" <dpal at redhat.com>
> To: freeipa-devel at redhat.com
> Sent: Saturday, December 14, 2013 12:45:28 AM
> Subject: Re: [Freeipa-devel] FreeIPA OTP End-to-End
> 
> On 12/13/2013 03:57 PM, Nathaniel McCallum wrote:
> > This is an email to track the status of the OTP project as we push
> > toward completion. I'm also attempting to get all the pieces in play so
> > that they are testable.
> >
> > RPMs
> > Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
> > These currently contain the CLI and UI patches, but exclude the DS
> > plugin patch. I will merge this last patch in when submitted to the
> > list.
> >
> > OTP CLI
> > All of the patches are merged except npmccallum-0024, which is
> > undergoing active review.
> > https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html
> >
> > OTP UI
> > Thanks to Petr Vobornik for his set of patches implementing the UI. They
> > can be found rebased on top of my otp changes here:
> > https://github.com/npmccallum/freeipa/commits/otpui
> >
> > Authentication methods and RADIUS proxy support seems to be fully
> > functional and I have not encountered any bugs. I'm not currently able
> > to get the OTP UI to show up at all (I may well be doing something
> > wrong).
> >
> > I believe Petr plans to clean these up and resubmit them to the list.
> >
> > One additional patch will be required for the token sync extop.
> >
> > DS PLUGIN
> > I am nearing completion on the DS plugin providing support for deletion
> > protection and the token sync extop. This should hit the list next week.
> >
> > OTHER
> > Am I missing anything?
> 
> Did you update the wiki page? I think it was one of the outstanding items.
> Any unit tests?
> Any way to include some tests for Continuous Integration?
> Anything SELinux related?
> Default configuration of locations and names of sockets and files?
> Things like that.
I've fixed Web UI and have it working now. Patch attached.

Additionally, there are two AVCs that need to be fixed on Fedora 20:

type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

they are fixed with following rules:

allow krb5kdc_t init_t:unix_stream_socket connectto;
allow krb5kdc_t krb5kdc_conf_t:sock_file write;

We need to fix documentation now that the command set is called otptoken-*,
also help messages in ipalib/plugins/otptoken.py need an update.

When both password and otp are enabled for the user, only a password authentication is working.

What does not yet work is end-to-end kinit without an armoured ccache.
This also is the case for PAM-based logins through SSSD.

Armoured ccache works:
[root at master ~]# kinit -k
[root at master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_vTaHGz9
Default principal: host/master.ipa.test at IPA.TEST

Valid starting       Expires              Service principal
12/23/2013 11:40:02  12/24/2013 11:40:02  krbtgt/IPA.TEST at IPA.TEST
[root at master ~]# kinit -T KEYRING:persistent:0:krb_ccache_vTaHGz9 ab at IPA.TEST
Enter OTP Token Value: 
[root at master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ab at IPA.TEST

Valid starting       Expires              Service principal
12/23/2013 11:40:59  12/24/2013 11:40:45  krbtgt/IPA.TEST at IPA.TEST

What I would like to see is either automated armouring or use of a fully anonymous principal for armouring.
We have PKI anchors set by default for all FreeIPA clients already, so making it possible to obtain a ticket
as a WELLKNOWN/ANONYMOUS at REALM principal purely for armouring would be great.

Additionally, FreeOTP QR-code capture seems to treat the Galaxy S4 mini's camera wrongly,
I see the viewfinder mirrored -- up is down and left is right. This makes it almost impossible
to focus on the QR code in the web UI.

-- 
/ Alexander Bokovoy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0016-OTP-UI-use-otptoken-handle-since-the-IPA-commands-ar.patch
Type: text/x-patch
Size: 2988 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20131223/aa19b2ad/attachment.bin>
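The two allow rules in the message are exactly what you get by reading the type of the scontext, the type of the tcontext, the tclass and the braced permission out of each AVC record. The script below is an added example (not part of the thread and not FreeIPA's own policy) that does that mapping in POSIX sh and awk, the way audit2allow would, and wraps the result in a loadable module source. The AVC records are the two from the message, rejoined onto one line each; the module name freeipa_otp_kdc is an assumption. Note that the connectto target is init_t, i.e. the listener behind /var/kerberos/krb5kdc/DEFAULT.socket was created by systemd rather than by the KDC, which is why the KDC needs a rule against init_t and not against its own domain.

```shell
#!/bin/sh
# Added example: derive SELinux allow rules and a module source from AVC denials.
# Assumes POSIX sh + awk. Sample records are the two AVCs from the message, rejoined
# onto one line each; the module name freeipa_otp_kdc is an assumption.

AVC_SAMPLE='type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC records on stdin, emit one "allow SRC TGT:CLASS PERMS;" per record.
# Only the type component (third field) of each context matters for an allow rule.
avc_to_allow() {
  awk '
    /avc: *denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      if (match($0, /\{[^}]*\}/)) {            # permissions sit between { and }
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { src = $i; sub(/^scontext=/, "", src) }
        else if ($i ~ /^tcontext=/) { tgt = $i; sub(/^tcontext=/, "", tgt) }
        else if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/,   "", cls) }
      }
      split(src, s, ":"); split(tgt, t, ":")   # user:role:type:level
      if (s[3] != "" && t[3] != "" && cls != "" && perms != "")
        printf "allow %s %s:%s %s;\n", s[3], t[3], cls,
               (index(perms, " ") ? "{ " perms " }" : perms)
    }'
}

# avc_to_module NAME: read AVC records on stdin, print a complete .te module source
# with a require block covering every type, class and permission the rules use.
avc_to_module() {
  name=$1
  rules=$(avc_to_allow)
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  printf '%s\n' "$rules" | awk '
    {
      src = $2; split($3, tc, ":"); cls = tc[2]
      types[src] = 1; types[tc[1]] = 1; classes[cls] = 1
      p = ""; for (i = 4; i <= NF; i++) p = p " " $i
      gsub(/[{};]/, "", p); gsub(/^ +| +$/, "", p)
      n = split(p, pa, " ")
      for (j = 1; j <= n; j++) cp[cls, pa[j]] = 1
    }
    END {
      for (ty in types) printf "\ttype %s;\n", ty
      for (c in classes) {
        s = ""
        for (k in cp) { split(k, kk, SUBSEP); if (kk[1] == c) s = s " " kk[2] }
        printf "\tclass %s {%s };\n", c, s
      }
    }'
  printf '}\n\n%s\n' "$rules"
}

# build_module NAME: compile NAME.te into NAME.pp if the policy toolchain is present.
# Load the result with: semodule -i NAME.pp
build_module() {
  name=$1
  command -v checkmodule >/dev/null 2>&1 || {
    echo "checkmodule not installed; $name.te left uncompiled" >&2; return 0; }
  checkmodule -M -m -o "$name.mod" "$name.te" && semodule_package -o "$name.pp" -m "$name.mod"
}

# Demonstration: print the module source for the two denials from the message.
printf '%s\n' "$AVC_SAMPLE" | avc_to_module freeipa_otp_kdc
```

Rules generated this way are the minimum that silences the denial, not necessarily the right policy: check that the target type is what you expect (here krb5kdc_conf_t for the socket file, init_t for the systemd-held listener) before loading the module, since a denial caused by a mislabelled file is better fixed with restorecon than with a new allow rule.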