With commit 15ff9c8 a check was removed and as a result Kerberos keys are unconditionally added to the user entry struct if they are available. As a result the password-related pre-authentication methods PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH reply to an AS_REQ. With respect to the KDC policies this does not matter much because if password authentication is disabled for the given principal the policy will reject the AS_REQ if the user tries password authentication. This is possible because with commit 15ff9c8 kinit will ask for a password if called without any additional options (e.g. armor ticket or PKINIT identity). Before 15ff9c8 was committed it just failed with 'kinit: Pre-authentication failed: Invalid argument while getting initial credentials' because no suitable pre-authentication method was available. This is the same behavior as if no password was set for the given principal.

But with this change SSSD fails to detect the available authentication types for the given principal properly. As described in https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html SSSD uses the MIT Kerberos responder interface to determine the available authentication methods for the principal and does not check the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp) authentication configured, which implies that a password is set as the first factor, the responder interface will always indicate that password authentication is available even if only otp is enabled for the user. In this case SSSD will use a prompting which indicates that the second factor might be optional. Additionally if prompting the user directly is not possible (e.g. ssh with ChallengeResponseAuthentication / KbdInteractiveAuthentication disabled) the single string entered by the user will always be assumed to be a password and not a combination of password and otp-token value. As a consequence authentication will always fail because password authentication is disabled for the user and since SSSD does not do try-and-error 2FA is not tried.

This patch adds back the check so that if password authentication is not available for the principal the Kerberos keys will not be added to the entry struct and the KDC will not advertise PA-ENC-TIMESTAMP or PA-ETYPE-INFO2. If you think this is wrong and the behavior added by 15ff9c8 should be preferred, SSSD handling of the available authentication types must be extended to read ipaUserAuthType as well to restore the user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
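The NEEDED_PREAUTH reply the commit message refers to carries the advertised pre-authentication types as DER-encoded METHOD-DATA in the e-data field of the KRB-ERROR. As an added example that is not part of the commit, FreeIPA or MIT Kerberos, the decoder below lists those types and flags whether PA-ENC-TIMESTAMP or PA-ETYPE-INFO2 is offered; the two encoded samples are constructed here, not captured from a KDC.

```python
# Added example (not FreeIPA/MIT Kerberos code): decode the METHOD-DATA a KDC puts in the
# e-data of a KDC_ERR_PREAUTH_REQUIRED reply and report whether password pre-auth is advertised.
PA_ENC_TIMESTAMP, PA_ETYPE_INFO2, PA_FX_FAST = 2, 19, 136   # RFC 4120 / RFC 6113 padata-type values
PASSWORD_PA_TYPES = {PA_ENC_TIMESTAMP, PA_ETYPE_INFO2}

def _tlv(tag: int, body: bytes) -> bytes:
    """DER TLV for the constructed samples (short-form length is enough for them)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _der_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER content (one extra bit reserved for the sign)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)

def encode_method_data(entries) -> bytes:
    """METHOD-DATA ::= SEQUENCE OF PA-DATA { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    pas = b"".join(_tlv(0x30, _tlv(0xA1, _tlv(0x02, _der_int(t))) + _tlv(0xA2, _tlv(0x04, v)))
                   for t, v in entries)
    return _tlv(0x30, pas)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV); handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + ln], pos + ln

def decode_method_data(der: bytes):
    """Parse METHOD-DATA into a list of (padata-type, padata-value) tuples."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, padata, pos = _read_tlv(seq, pos)
        t1, ctx1, p = _read_tlv(padata, 0)          # [1] padata-type
        t2, ctx2, _ = _read_tlv(padata, p)          # [2] padata-value
        if (tag, t1, t2) != (0x30, 0xA1, 0xA2):
            raise ValueError("malformed PA-DATA")
        out.append((int.from_bytes(_read_tlv(ctx1, 0)[1], "big", signed=True), _read_tlv(ctx2, 0)[1]))
    return out

def advertises_password_preauth(der: bytes) -> bool:
    return any(t in PASSWORD_PA_TYPES for t, _ in decode_method_data(der))

# Constructed samples (not captured traffic): keys added unconditionally vs. the patched KDC withholding password pre-auth.
UNCONDITIONAL_KEYS = encode_method_data([(PA_FX_FAST, b""), (PA_ETYPE_INFO2, b""), (PA_ENC_TIMESTAMP, b"")])
PATCHED_OTP_ONLY = encode_method_data([(PA_FX_FAST, b"")])
```

Running `advertises_password_preauth` on the e-data of a real NEEDED_PREAUTH error (for example extracted from a packet capture) tells you whether the KDC is offering password pre-authentication for the principal in question.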
FreeIPA Server
FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.
FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.
FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.
Benefits
FreeIPA:
- Allows all your users to access all the machines with the same credentials and security settings
- Allows users to access personal files transparently from any machine in an authenticated and secure way
- Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
- Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
- Enables delegation of selected administrative tasks to other power users
- Integrates into Active Directory environments
Components
The FreeIPA project provides unified installation and management tools for the following components:
- LDAP Server - based on the 389 project
- KDC - based on MIT Kerberos implementation
- PKI - based on the Dogtag project
- Samba libraries for Active Directory integration
- DNS Server - based on BIND and the Bind-DynDB-LDAP plugin
Project Website
Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/.
Documentation
The most up-to-date documentation can be found at http://freeipa.org/page/Documentation.
Quick Start
To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide
For developers
- Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory
Licensing
Please see the file called COPYING.
Contacts
- If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server, subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/.
- If you have a bug report please submit it at: https://pagure.io/freeipa/issues
- If you want to participate in actively developing IPA, please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join us on IRC at irc://irc.freenode.net/freeipa