[Freeipa-users] Password and OTP auth

Andrey Dudin dudin.andrey at gmail.com
Wed May 17 10:06:11 UTC 2017


Hello

If I do ipa user-mod test --user-auth-type=password --user-auth-type=otp I
have the user:

[root at ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: test at MYDOMAIN.COM
  Principal alias: test at MYDOMAIN.COM
  Email address: test at mydomain.com
  UID: 152200001
  GID: 152200001
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

I can log in to ipa-client.mydomain.com over ssh using password+OTP token,
but to log in to the IPA Web UI I also need password+OTP. I need just a
password for the IPA Web UI and password+OTP token for ssh on
ipa-client.mydomain.com.


[root at ipa-centos]# ipa service-show HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM --raw
  krbcanonicalname: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM
  krbprincipalname: HTTP/ipa-centos.mydomain.com at MYDOMAIN.COM
  usercertificate: %cert%
  subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  serial_number: 9
  serial_number_hex: 0x9
  issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  valid_not_before: Tue May 16 11:32:36 2017 UTC
  valid_not_after: Fri May 17 11:32:36 2019 UTC
  md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  krbprincipalauthind: password
  has_keytab: TRUE
  managedby: fqdn=ipa-centos.mydomain.com,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global

2017-05-17 12:17 GMT+03:00 Sumit Bose <sbose at redhat.com>:

> On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> > Thanks, but I think I have a problem.
> >
> > I have test user:
> >
> > [root at ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: test at MYDOMAIN.COM
> >   Principal alias: test at MYDOMAIN.COM
> >   Email address: test at mydomain.com
> >   UID: 152200001
> >   GID: 152200001
>
> As mentioned in the other thread there should be a listing of user auth
> types here. Please try
>
>     ipa user-mod test --user-auth-type=password --user-auth-type=otp
>
> to allow both password and 2-factor/otp authentication.
>
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> >
> > And test host:
> >
> > [root at ipa-centos]# ipa host-show ipa-client.mydomain.com
> >   Host name: ipa-client.mydomain.com
> >   Principal name: host/ipa-client.mydomain.com at MYDOMAIN.COM
> >   Principal alias: host/ipa-client.mydomain.com at MYDOMAIN.COM
> >   SSH public key fingerprint: %SOME FINGERPRINTS%
> >   Authentication Indicators: otp
> >   Password: False
> >   Keytab: True
> >   Managed by: ipa-client.mydomain.com
> >
> >
> > When I try to log in to ipa-client.mydomain.com with password+OTP token
> > I get the error:
> >
> > [mynotebook]$ ssh test at ipa-client.mydomain.com
> > test at ipa-client.mydomain.com's password:
>
> Please check if ChallengeResponseAuthentication is enabled in
> /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
> by setting 'ChallengeResponseAuthentication yes'.
> > Permission denied, please try again.
> >
> >
> > Same if I try to use just a password.
> >
> > On ipa server in krb5kdc.log I see:
> >
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test at MYDOMAIN.COM for krbtgt/MYDOMAIN.COM at MYDOMAIN.COM
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required auth indicators not present in ticket: otp
>
> The otp authentication indicator is missing in the Kerberos ticket of
> the user. I assume that the ticket was requested only with the password.
> Please see above what might be missing.
>
> HTH
>
> bye,
> Sumit
>
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test at MYDOMAIN.COM for host/ipa-client.mydomain.com at MYDOMAIN.COM, Required auth indicators not present in ticket: otp
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> >
> > What's wrong?
> >
> > 2017-05-16 17:16 GMT+03:00 Sumit Bose <sbose at redhat.com>:
> >
> > > On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > > > Hello all.
> > > >
> > > > Tell me please, is it possible to use password and OTP auth at the
> > > > same time?
> > > >
> > > > For example, I have DEV/STAGE servers and want to be able to use
> > > > password auth for ssh, but for PROD servers I want to use OTP auth
> > > > for the same user.
> > >
> > > Authentication indicators can be used for this. If you add
> > >
> > > ipa host-mod --auth-ind=otp prod.server
> > >
> > > Only 2-factor authentication should be possible on prod.server. But
> > > please note that e.g. ssh-key based authentication will still be
> > > possible as well.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > > --
> > > > Manage your subscription for the Freeipa-users mailing list:
> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > > Go to http://freeipa.org for more info on the project
> > >
> > >
> >
> >
> >
> > --
> > Best regards, Andrey Dudin
>



-- 
Best regards, Andrey Dudin
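As an added example (not code from this thread or from the FreeIPA project), the two things Sumit's replies point at can be checked mechanically: the KDC log's HIGHER_AUTHENTICATION_REQUIRED rejections, which name the user, the target service and the indicator the ticket lacked, and sshd's ChallengeResponseAuthentication setting, without which the password+OTP prompt never reaches the user. The sample log text inside the block is reconstructed from the lines quoted above with the archive's "at" restored to "@"; the function names and the regular expression are mine. The sshd check assumes sshd's documented first-obtained-value rule and its default of yes, stops at the first Match block (which it does not evaluate), and treats KbdInteractiveAuthentication as the same keyword, as newer OpenSSH documents ChallengeResponseAuthentication as an alias of it.

```python
"""Diagnostics for the auth-indicator failure discussed in this thread.

Added example, not FreeIPA project code. Two checks:
  1. scan krb5kdc.log for TGS_REQ entries the KDC refused with
     HIGHER_AUTHENTICATION_REQUIRED and report which user, which target
     service and which indicator was missing from the ticket;
  2. evaluate sshd_config for ChallengeResponseAuthentication using sshd's
     first-obtained-value rule (the setting defaults to yes when absent).
"""
import re
from collections import Counter

# Shape of the krb5kdc.log rejection line quoted in the thread.
_HIGHER_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"TGS_REQ \(.*?\) (?P<client>\S+): HIGHER_AUTHENTICATION_REQUIRED: "
    r"authtime (?P<authtime>\d+), (?P<user>\S+) for (?P<service>[^,]+), "
    r"Required auth indicators not present in ticket: (?P<indicators>.+)$"
)

# Constructed from the log excerpt in the thread, with the archive's "at"
# restored to "@". Not a real capture.
SAMPLE_KDC_LOG = """\
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, test@MYDOMAIN.COM for krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, test@MYDOMAIN.COM for host/ipa-client.mydomain.com@MYDOMAIN.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
"""


def find_missing_indicators(lines):
    """Return one record per HIGHER_AUTHENTICATION_REQUIRED rejection.

    Each record carries the client IP, the user principal whose TGT lacked
    the indicator, the service principal that demanded it, and the list of
    indicators the KDC reported as missing. AS_REQ, ISSUE and fd-close lines
    are ignored.
    """
    records = []
    for line in lines:
        m = _HIGHER_AUTH_RE.match(line.rstrip("\n"))
        if not m:
            continue
        rec = m.groupdict()
        # The KDC may list several indicators separated by commas or spaces.
        rec["indicators"] = [i for i in re.split(r"[,\s]+", rec["indicators"]) if i]
        records.append(rec)
    return records


def summarize(records):
    """Collapse rejections to counts per (user, service, indicator)."""
    counts = Counter()
    for rec in records:
        for indicator in rec["indicators"]:
            counts[(rec["user"], rec["service"], indicator)] += 1
    return counts


def challenge_response_enabled(sshd_config_text):
    """True if sshd will offer keyboard-interactive auth under this config.

    sshd uses the first obtained value for a keyword, so later duplicates are
    ignored. Keywords after the first Match line apply only to that block,
    so the global value is decided before it. With no setting at all, the
    documented default is yes.
    """
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Keyword value" or "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in ("challengeresponseauthentication",
                       "kbdinteractiveauthentication") and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True


if __name__ == "__main__":
    found = find_missing_indicators(SAMPLE_KDC_LOG.splitlines())
    for (user, service, indicator), n in sorted(summarize(found).items()):
        print(f"{n} rejection(s): {user} -> {service} lacks indicator '{indicator}'")
    print("sshd offers keyboard-interactive:",
          challenge_response_enabled("ChallengeResponseAuthentication no\n"))
```

Run against a real /var/log/krb5kdc.log, a non-empty summary tells you which users are reaching an indicator-gated host with a password-only TGT; a False from the sshd check on that host means the OTP prompt cannot even be presented, which matches the password-only prompt and "Permission denied" quoted above.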