
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 16:43:09 +0100
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped whenever the user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 15f3df4fe..0d0d3748c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
                                       &res_key_data, &result, &mkvno);
     switch (ret) {
     case 0:
-        /* Only set a principal's key if password auth can be used. Otherwise
-         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
-         * reply for AS-REQs which indicate the password authentication is
-         * available. This might confuse applications like e.g. SSSD which try
-         * to determine suitable authentication methods and corresponding
-         * prompts with the help of MIT Kerberos' responder interface which
-         * acts on the returned pre-authentication methods. A typical example
-         * is enforced OTP authentication where of course keys are available
-         * for the first factor but password authentication should not be
-         * advertised by the KDC. */
-        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
+        /* Only set a principal's key if password or hardened auth can be used.
+         * Otherwise the KDC would add pre-authentication methods to the
+         * NEEDED_PREAUTH reply for AS-REQs which indicate the password
+         * authentication is available. This might confuse applications like
+         * e.g. SSSD which try to determine suitable authentication methods and
+         * corresponding prompts with the help of MIT Kerberos' responder
+         * interface which acts on the returned pre-authentication methods. A
+         * typical example is enforced OTP authentication where of course keys
+         * are available for the first factor but password authentication
+         * should not be advertised by the KDC. */
+        if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
+            (ua != IPADB_USER_AUTH_NONE)) {
             /* This is the same behavior as ENOENT below. */
             ipa_krb5_free_key_data(res_key_data, result);
             break;
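Review bot: The rewritten comment's first sentence now says keys are kept for "password or hardened auth", but the rationale that follows still explains only the password case, so a reader cannot tell why IPADB_USER_AUTH_HARDENED belongs in the mask. The commit message ties the hardened indicator to the FAST/SPAKE pre-auth methods, and this fix implies those paths still need the principal's long-term keys; I would state that next to the new condition, e.g. `* Hardened pre-auth (FAST/SPAKE) also needs the long-term keys: dropping them would lock hardened-only users out (issue 9065).` The enclosing ipadb_parse_ldap_entry() and the point where `ua` is derived are outside the hunk, so the indicator's default for users with no explicit auth type cannot be checked here.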
-- 
2.34.1
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67..9489fbc97 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
-    def test_krbtpolicy_hardended(self):
-        """Test a hardened kerberos ticket policy with 10 min tickets"""
+    def test_krbtpolicy_password_and_hardended(self):
+        """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
         master = self.master
         master.run_command(['ipa', 'user-mod', USER1,
                             '--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
+    def test_krbtpolicy_hardended(self):
+        """Test a hardened kerberos ticket policy with 30min tickets"""
+        master = self.master
+        master.run_command(['ipa', 'user-mod', USER1,
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'config-mod',
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+                            '--hardened-maxlife', '1800'])
+
+        tasks.kdestroy_all(master)
+
+        master.run_command(['kinit', USER1],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, 1800,
+                                     slush=1800) is True
+
+        tasks.kdestroy_all(master)
+
+        # Verify that the short policy only applies to USER1
+        master.run_command(['kinit', USER2],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
     def test_krbtpolicy_password(self):
         """Test the kerberos ticket policy which issues 20 min tickets"""
         master = self.master
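Review bot: In the new test_krbtpolicy_hardended the first assertion passes `slush=1800`, which equals the expected maxlife itself; if slush is the lower tolerance on the observed lifetime, as the default-slush calls elsewhere in the hunk suggest, then any TGT lifetime from 0 up to 1800 s satisfies the check and the 30-minute hardened policy is not actually pinned. A latency budget such as `slush=60` would make the assertion meaningful; maxlife_within_policy() is defined outside the hunk, so please confirm its semantics before changing it. The `ipa config-mod --user-auth-type hardened` call changes global state and nothing in the hunk restores it, so test_krbtpolicy_password (which starts at the end of the hunk and continues beyond it) and any later test inherit a hardened-only default; a fixture or explicit reset would remove that order dependence. The USER2 kinit is the real regression check for the ipa-kdb fix (a user with no per-user auth type whose keys would previously have been dropped) and deserves a comment saying so, since the current comment only mentions the policy scope.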
-- 
2.34.1