[Freeipa-devel] FreeIPA OTP End-to-End

Alexander Bokovoy abokovoy at redhat.com
Mon Dec 23 16:07:27 UTC 2013



----- Original Message -----
> From: "Simo Sorce" <simo at redhat.com>
> To: "Alexander Bokovoy" <abokovoy at redhat.com>
> Cc: dpal at redhat.com, freeipa-devel at redhat.com
> Sent: Monday, December 23, 2013 5:11:27 PM
> Subject: Re: [Freeipa-devel] FreeIPA OTP End-to-End
> 
> On Mon, 2013-12-23 at 04:54 -0500, Alexander Bokovoy wrote:
> > 
> > ----- Original Message -----
> > > From: "Dmitri Pal" <dpal at redhat.com>
> > > To: freeipa-devel at redhat.com
> > > Sent: Saturday, December 14, 2013 12:45:28 AM
> > > Subject: Re: [Freeipa-devel] FreeIPA OTP End-to-End
> > > 
> > > On 12/13/2013 03:57 PM, Nathaniel McCallum wrote:
> > > > This is an email to track the status of the OTP project as we push
> > > > toward completion. I'm also attempting to get all the pieces in play so
> > > > that they are testable.
> > > >
> > > > RPMs
> > > > Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
> > > > These currently contain the CLI and UI patches, but exclude the DS
> > > > plugin patch. I will merge this last patch in when submitted to the
> > > > list.
> > > >
> > > > OTP CLI
> > > > All of the patches are merged except npmccallum-0024, which is
> > > > undergoing active review.
> > > > https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html
> > > >
> > > > OTP UI
> > > > Thanks to Petr Vobornik for his set of patches implementing the UI.
> > > > They
> > > > can be found rebased on top of my otp changes here:
> > > > https://github.com/npmccallum/freeipa/commits/otpui
> > > >
> > > > Authentication methods and RADIUS proxy support seems to be fully
> > > > functional and I have not encountered any bugs. I'm not currently able
> > > > to get the OTP UI to show up at all (I may well be doing something
> > > > wrong).
> > > >
> > > > I believe Petr plans to clean these up and resubmit them to the list.
> > > >
> > > > One additional patch will be required for the token sync extop.
> > > >
> > > > DS PLUGIN
> > > > I am nearing completion on the DS plugin providing support for deletion
> > > > protection and the token sync extop. This should hit the list next
> > > > week.
> > > >
> > > > OTHER
> > > > Am I missing anything?
> > > 
> > > Did you update the wiki page? I think it was one of the outstanding
> > > items.
> > > Any unit tests?
> > > Any way to include some tests for Continuous Integration?
> > > Anything SELinux related?
> > > Default configuration of locations and names of sockets and files?
> > > Things like that.
> > I've fixed Web UI and have it working now. Patch attached.
> > 
> > Additionally, there are two AVCs that need to be fixed on Fedora 20:
> > 
> > type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
> > type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> > 
> > they are fixed with following rules:
> > 
> > allow krb5kdc_t init_t:unix_stream_socket connectto;
> 
> Shouldn't systemd assign a different label to the socket instead ?
We didn't assign a specific label; we have bug https://bugzilla.redhat.com/show_bug.cgi?id=970169
for that, but it is still under development by the SELinux team.

> Is krb5kdc_conf_t actually the right label ? Doesn't look like.
> 
> > We need to fix documentation now that the command set is called otptoken-*,
> > also help messages in ipalib/plugins/otptoken.py need update.
> > 
> > When both password and otp are enabled for the user, only a password
> > authentication is working.
> > 
> > What does not yet work is end-to-end kinit without armoured ccache.
> 
> Isn't this by design ? We can only trust OTP to send clear text
> credentials if you can use FAST and encrypt the channel.
What I mean is that we should make the client use FAST automatically by itself
when PKI anchors are set and the KDC answers with a request for pre-auth. Sure, we need to fix our part too,
ticket https://fedorahosted.org/freeipa/ticket/521, but right now we don't have any choice for
users who switched to 2FA -- they have no method to create an armoured ccache at all.

> > This also is the case for PAM-based logins through SSSD.
> 
> Do you have FAST enabled in SSSD ?
Yes, and it is broken: https://fedorahosted.org/sssd/ticket/2186

> > Armoured ccache works:
> > [root at master ~]# kinit -k
> > [root at master ~]# klist
> > Ticket cache: KEYRING:persistent:0:krb_ccache_vTaHGz9
> > Default principal: host/master.ipa.test at IPA.TEST
> > 
> > Valid starting       Expires              Service principal
> > 12/23/2013 11:40:02  12/24/2013 11:40:02  krbtgt/IPA.TEST at IPA.TEST
> > [root at master ~]# kinit -T KEYRING:persistent:0:krb_ccache_vTaHGz9
> > ab at IPA.TEST
> > Enter OTP Token Value:
> > [root at master ~]# klist
> > Ticket cache: KEYRING:persistent:0:0
> > Default principal: ab at IPA.TEST
> > 
> > Valid starting       Expires              Service principal
> > 12/23/2013 11:40:59  12/24/2013 11:40:45  krbtgt/IPA.TEST at IPA.TEST
> > 
> > What I would like to see is either automated armouring or use of fully
> > anonymous principal for armouring.
> 
> Automated cannot be done if you are a regular user unless PKINIT is
> configured on the KDC. Unfortunately although I did 90% of the work to
> enable pkinit by default years ago, we never merged it in because we
> cannot yet generate the required profile to release the certificate to
> the KDC.
I'd say making it complete is a prerequisite for real use of our OTP.

> > Additionally, FreeOTP QR-code capture seems to treat Galaxy S4 mini's
> > camera wrongly, I see the viewfinder mirrored -- up is down and left is
> > right. This makes it almost impossible to focus on the QR code in web UI.
> 
> Time to open a bug on https://fedorahosted.org/freeotp :-)
Done.
-- 
/ Alexander Bokovoy
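As an added illustration (not code from this thread or from FreeIPA), a small Python parser that pulls the source type, target type, object class and denied permissions out of the two AVC records quoted above, renders the audit2allow-style rules they would call for, and separately flags the sock_file denial whose target carries a config-file type: that one points at a mislabelled socket (the question Simo raises) rather than at a missing policy rule.

```python
import re

# The two AVC records quoted in the thread (Fedora 20, krb5kdc reaching
# the socket that systemd created for it), embedded here as sample input.
AVC_SAMPLE = """\
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the type is the third field.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        denials.append({'stype': stype, 'ttype': ttype,
                        'tclass': m.group('tclass'),
                        'perms': m.group('perms').split()})
    return denials


def allow_rules(denials):
    """Render one audit2allow-style rule per (source, target, class) triple."""
    merged = {}
    for d in denials:
        key = (d['stype'], d['ttype'], d['tclass'])
        merged.setdefault(key, set()).update(d['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (s, t, c, p if len(perms) == 1 else '{ %s }' % p))
    return rules


def suspicious_labels(denials):
    """Denials on a socket whose target type is a *_conf_t file type: the socket
    is most likely mislabelled, so fix the label rather than add an allow rule."""
    return [d for d in denials
            if d['tclass'] == 'sock_file' and d['ttype'].endswith('_conf_t')]
```

Running `allow_rules(parse_avc(AVC_SAMPLE))` yields the connectto rule quoted in the thread plus a `sock_file write` rule against krb5kdc_conf_t; `suspicious_labels` reports the latter so a reviewer looks at the socket's label first.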