
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 16:43:09 +0100
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped if the user auth indicator
did not include password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 15f3df4fe..0d0d3748c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
                                       &res_key_data, &result, &mkvno);
     switch (ret) {
     case 0:
-        /* Only set a principal's key if password auth can be used. Otherwise
-         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
-         * reply for AS-REQs which indicate the password authentication is
-         * available. This might confuse applications like e.g. SSSD which try
-         * to determine suitable authentication methods and corresponding
-         * prompts with the help of MIT Kerberos' responder interface which
-         * acts on the returned pre-authentication methods. A typical example
-         * is enforced OTP authentication where of course keys are available
-         * for the first factor but password authentication should not be
-         * advertised by the KDC. */
-        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
+        /* Only set a principal's key if password or hardened auth can be used.
+         * Otherwise the KDC would add pre-authentication methods to the
+         * NEEDED_PREAUTH reply for AS-REQs which indicate the password
+         * authentication is available. This might confuse applications like
+         * e.g. SSSD which try to determine suitable authentication methods and
+         * corresponding prompts with the help of MIT Kerberos' responder
+         * interface which acts on the returned pre-authentication methods. A
+         * typical example is enforced OTP authentication where of course keys
+         * are available for the first factor but password authentication
+         * should not be advertised by the KDC. */
+        if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
+            (ua != IPADB_USER_AUTH_NONE)) {
             /* This is the same behavior as ENOENT below. */
             ipa_krb5_free_key_data(res_key_data, result);
             break;
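Review bot: The rewritten comment adds "or hardened" to the first sentence but never says why a hardened-auth-only user must keep its keys, which is the actual point of this fix; the rest of the paragraph still only explains the password case. The commit message names FAST and SPAKE as the hardened pre-auth methods, and both still depend on the principal's long-term keys, so a sentence such as `Hardened pre-auth (FAST, SPAKE) still derives from the principal's long-term keys, so those users must keep them.` would make the condition self-explaining. Since the keys are now retained for these users, the comment should also record where the "hardened only" restriction is enforced instead — presumably the kdcpolicy plugin the commit message refers to, but confirm against it — so a later reader does not assume key removal is the only guard. ipadb_parse_ldap_entry starts and ends outside the hunk.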
-- 
2.34.1
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67..9489fbc97 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
-    def test_krbtpolicy_hardended(self):
-        """Test a hardened kerberos ticket policy with 10 min tickets"""
+    def test_krbtpolicy_password_and_hardended(self):
+        """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
         master = self.master
         master.run_command(['ipa', 'user-mod', USER1,
                             '--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
+    def test_krbtpolicy_hardended(self):
+        """Test a hardened kerberos ticket policy with 30min tickets"""
+        master = self.master
+        master.run_command(['ipa', 'user-mod', USER1,
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'config-mod',
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+                            '--hardened-maxlife', '1800'])
+
+        tasks.kdestroy_all(master)
+
+        master.run_command(['kinit', USER1],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, 1800,
+                                     slush=1800) is True
+
+        tasks.kdestroy_all(master)
+
+        # Verify that the short policy only applies to USER1
+        master.run_command(['kinit', USER2],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
     def test_krbtpolicy_password(self):
         """Test the kerberos ticket policy which issues 20 min tickets"""
         master = self.master
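Review bot: The new assertion `assert maxlife_within_policy(result.stdout_text, 1800, slush=1800) is True` passes a `slush` equal to the expected maxlife; if `slush` is the tolerance the helper applies (its definition is outside this hunk), the check accepts lifetimes across a 1800-second-wide band and so may not distinguish the hardened policy from the 20-minute password tickets the next test mentions or from the default. A tighter value such as `slush=60`, or a comment explaining why such a wide window is required for hardened tickets, would make the test actually pin the policy. The test also leaves `config-mod --user-auth-type hardened` set globally without restoring it; if the following test depends on the previous setting, that ordering dependency should be stated or handled in a fixture. The enclosing class TestPWPolicy starts outside the hunk.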
-- 
2.34.1