[Freeipa-users] 2FA and AllowNTHash

Maciej Drobniuch md at collective-sense.com
Thu Jan 5 10:57:31 UTC 2017


Hi Brian

Thank you for your answer.
It started working, not sure yet why it did not work. I need to do some
extensive testing.

So, I've actually followed the blog posts you've mentioned to set up
ipanthash + freeradius.

Maybe I'll paraphrase the question.

It would suffice if I could tell IPA to use pass+otp only instead of both
(Password+ pass+otp) for particular hosts.
So for example users from hosts X can login with OTP only.

Thanks for the help!

On Tue, Jan 3, 2017 at 7:02 PM, Brian Candler <b.candler at pobox.com> wrote:

> On 03/01/2017 15:28, Maciej Drobniuch wrote:
>
>> We have a topo with 3x IPA servers + freeradius.
>>
>> Freeradius is being used to do mschap with wifi APs. Freeradius connects
>> over ldap to IPA.
>>
>> In order to do the challenge-response thing, freeipa has AllowNTHash
>> enabled.
>>
>> So I wanted to enable 2FA/OTP but leave the NTHash as is for wifi auth.
>>
>> The moment I disallow Password auth for a user and enable OTP the wifi
>> auth stops working, but the hash clearly stays in ldap.
>>
> How are you actually authenticating the user? Are you just reading the
> ipaNTHash out of the LDAP database and letting FreeRADIUS check it? Then
> AFAICS it shouldn't make any difference whether OTP is enabled or not. Can
> you show more of your RADIUS config, and the debug output from the part
> which authenticates the user?
>
> I don't use OTP myself, but I wouldn't expect the ipaNTHash to change
> depending on whether OTP is enabled or not (and you're saying the hash
> stays put).
>
> I have what sounds like a similar setup to yours, using FreeRADIUS 3.0.12
> talking to FreeIPA 4.4.0, using a service user which has permissions to
> read out the ipaNTHash directly, based on this blog post:
> http://firstyear.id.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
>
> ldap config:
>
>         base_dn = 'cn=users,cn=accounts,dc=ipa,dc=example,dc=com'
>
>         sasl {
>                 mech = 'GSSAPI'
>                 realm = 'IPA.EXAMPLE.COM'
>         }
>
>         update {
>                 control:NT-Password             := 'ipaNTHash'
>                 control:Tmp-String-9            := 'krbPasswordExpiration'
>         }
>
>         user {
>                 base_dn = "${..base_dn}"
>                 filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
>                 scope = "one"
>         }
>
>         group {
>                 membership_attribute = 'memberOf'
>                 name_attributes = 'cn'
>
>                 cacheable_dn = 'yes'
>                 cacheable_name = 'no'
>         }
>
> default and inner-tunnel authentication is then just:
>
> authenticate {
>         Auth-Type PAP {
>                 pap
>         }
>
>         Auth-Type MS-CHAP {
>                 mschap
>         }
>
>         eap
> }
>
> Also you need to put the service user's keytab somewhere, and set a couple
> of environment variables when it starts, if you want to use Kerberos to
> protect the LDAP connection. Using systemd override:
>
> [Unit]
> Requires=dirsrv.target
> After=dirsrv.target
>
> [Service]
> Environment=KRB5_CLIENT_KTNAME=/etc/radiusd.keytab
> Environment=KRB5CCNAME=MEMORY:
> Restart=always
> RestartSec=5
>
> (Otherwise you can bind with a specific dn and password, but then you also
> need to sort out TLS to secure the LDAP traffic)
>
> There is more magic you can do with the krbPasswordExpiration attribute to
> force the user to do a password change over MSCHAP - but that's now
> straying a long way from what's relevant on a FreeIPA mailing list.
>
> HTH,
>
> Brian.
>



-- 
Best regards

Maciej Drobniuch
Network Security Engineer
Collective-Sense,LLC