Blame SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch

From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 16:43:09 +0100
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped in case user auth indicator
did not include password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index 15f3df4fe..0d0d3748c 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
                                       &res_key_data, &result, &mkvno);
     switch (ret) {
     case 0:
-        /* Only set a principal's key if password auth can be used. Otherwise
-         * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
-         * reply for AS-REQs which indicate the password authentication is
-         * available. This might confuse applications like e.g. SSSD which try
-         * to determine suitable authentication methods and corresponding
-         * prompts with the help of MIT Kerberos' responder interface which
-         * acts on the returned pre-authentication methods. A typical example
-         * is enforced OTP authentication where of course keys are available
-         * for the first factor but password authentication should not be
-         * advertised by the KDC. */
-        if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
+        /* Only set a principal's key if password or hardened auth can be used.
+         * Otherwise the KDC would add pre-authentication methods to the
+         * NEEDED_PREAUTH reply for AS-REQs which indicate the password
+         * authentication is available. This might confuse applications like
+         * e.g. SSSD which try to determine suitable authentication methods and
+         * corresponding prompts with the help of MIT Kerberos' responder
+         * interface which acts on the returned pre-authentication methods. A
+         * typical example is enforced OTP authentication where of course keys
+         * are available for the first factor but password authentication
+         * should not be advertised by the KDC. */
+        if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
+            (ua != IPADB_USER_AUTH_NONE)) {
             /* This is the same behavior as ENOENT below. */
             ipa_krb5_free_key_data(res_key_data, result);
             break;
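Review bot: The rewritten comment opens by saying keys are kept when "password or hardened auth can be used", but the rationale that follows still covers only the password case, so a reader of the new `ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)` mask cannot tell why the hardened indicator now keeps the keys. I would add one sentence right after the first, e.g. ` * Hardened pre-authentication (FAST/SPAKE) still needs the principal's long-term key to complete, so dropping keys for hardened-only users would lock them out (see the issue referenced in the commit message).` The same reasoning belongs next to the `ipa_krb5_free_key_data` call inside the branch, whose "same behavior as ENOENT" comment is the only hint that dropping keys is deliberate. The body of ipadb_parse_ldap_entry starts and ends outside this hunk, so I could not check whether `ua` is also consulted later in the function.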
-- 
2.34.1
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Tue, 1 Feb 2022 19:38:29 +0100
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
 ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 63e75ae67..9489fbc97 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
-    def test_krbtpolicy_hardended(self):
-        """Test a hardened kerberos ticket policy with 10 min tickets"""
+    def test_krbtpolicy_password_and_hardended(self):
+        """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
         master = self.master
         master.run_command(['ipa', 'user-mod', USER1,
                             '--user-auth-type', 'password',
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
         result = master.run_command('klist | grep krbtgt')
         assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
 
+    def test_krbtpolicy_hardended(self):
+        """Test a hardened kerberos ticket policy with 30min tickets"""
+        master = self.master
+        master.run_command(['ipa', 'user-mod', USER1,
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'config-mod',
+                            '--user-auth-type', 'hardened'])
+        master.run_command(['ipa', 'krbtpolicy-mod', USER1,
+                            '--hardened-maxlife', '1800'])
+
+        tasks.kdestroy_all(master)
+
+        master.run_command(['kinit', USER1],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, 1800,
+                                     slush=1800) is True
+
+        tasks.kdestroy_all(master)
+
+        # Verify that the short policy only applies to USER1
+        master.run_command(['kinit', USER2],
+                           stdin_text=PASSWORD + '\n')
+        result = master.run_command('klist | grep krbtgt')
+        assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
     def test_krbtpolicy_password(self):
         """Test the kerberos ticket policy which issues 20 min tickets"""
         master = self.master
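Review bot: The new `test_krbtpolicy_hardended` only checks the ticket lifetime of a hardened-only user, so it pins the regression fixed in the first commit (keys no longer dropped, `kinit` succeeds) but not the property the `hardened` indicator exists for, namely that a non-hardened password AS-REQ for USER1 is refused; unless that is covered elsewhere (not visible here), a companion negative assertion would catch a change that re-exposes plain password auth. The test also runs `ipa config-mod --user-auth-type hardened` and never restores the global setting, so it leaks into `test_krbtpolicy_password` below unless that method resets it (its body is outside the hunk); restoring it in a `try/finally` or a fixture would make test ordering irrelevant. `slush=1800` equals the requested maxlife, so if slush is a tolerance the assertion accepts lifetimes up to twice the policy, while the sibling checks in this hunk's context pass no slush at all; a tighter value would make the check meaningful. Since the method name is new here (the old test was renamed in the previous hunk), spelling it `test_krbtpolicy_hardened` would drop the carried-over typo at no cost. The enclosing class TestPWPolicy starts outside this hunk.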
-- 
2.34.1