|
 |
b7b64b |
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
|
|
|
b7b64b |
From: Julien Rische <jrische@redhat.com>
|
|
|
b7b64b |
Date: Tue, 1 Feb 2022 16:43:09 +0100
|
|
|
b7b64b |
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
|
|
|
b7b64b |
|
|
|
b7b64b |
Since 5d51ae5, principal keys were dropped in case user auth indicator
|
|
|
b7b64b |
was not including password. Thereafter, the key removal behavior was
|
|
|
b7b64b |
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
|
|
|
b7b64b |
Support for hardened pre-auth methods (FAST and SPAKE) was added in
|
|
|
b7b64b |
d057040, and the removal of principal keys was restored afterwards by
|
|
|
b7b64b |
f0d12b7, but not taking the new hardened auth indicator into account.
|
|
|
b7b64b |
|
|
|
b7b64b |
Fixes: https://pagure.io/freeipa/issue/9065
|
|
|
b7b64b |
Related to: https://pagure.io/freeipa/issue/8001
|
|
|
b7b64b |
|
|
|
b7b64b |
Signed-off-by: Julien Rische <jrische@redhat.com>
|
|
|
b7b64b |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
b7b64b |
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
|
|
b7b64b |
---
|
|
|
b7b64b |
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
|
|
|
b7b64b |
1 file changed, 12 insertions(+), 11 deletions(-)
|
|
|
b7b64b |
|
|
|
b7b64b |
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
b7b64b |
index 15f3df4fe..0d0d3748c 100644
|
|
|
b7b64b |
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
b7b64b |
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
|
b7b64b |
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
|
b7b64b |
&res_key_data, &result, &mkvno);
|
|
|
b7b64b |
switch (ret) {
|
|
|
b7b64b |
case 0:
|
|
|
b7b64b |
- /* Only set a principal's key if password auth can be used. Otherwise
|
|
|
b7b64b |
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
|
|
|
b7b64b |
- * reply for AS-REQs which indicate the password authentication is
|
|
|
b7b64b |
- * available. This might confuse applications like e.g. SSSD which try
|
|
|
b7b64b |
- * to determine suitable authentication methods and corresponding
|
|
|
b7b64b |
- * prompts with the help of MIT Kerberos' responder interface which
|
|
|
b7b64b |
- * acts on the returned pre-authentication methods. A typical example
|
|
|
b7b64b |
- * is enforced OTP authentication where of course keys are available
|
|
|
b7b64b |
- * for the first factor but password authentication should not be
|
|
|
b7b64b |
- * advertised by the KDC. */
|
|
|
b7b64b |
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
|
|
|
b7b64b |
+ /* Only set a principal's key if password or hardened auth can be used.
|
|
|
b7b64b |
+ * Otherwise the KDC would add pre-authentication methods to the
|
|
|
b7b64b |
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
|
|
|
b7b64b |
+ * authentication is available. This might confuse applications like
|
|
|
b7b64b |
+ * e.g. SSSD which try to determine suitable authentication methods and
|
|
|
b7b64b |
+ * corresponding prompts with the help of MIT Kerberos' responder
|
|
|
b7b64b |
+ * interface which acts on the returned pre-authentication methods. A
|
|
|
b7b64b |
+ * typical example is enforced OTP authentication where of course keys
|
|
|
b7b64b |
+ * are available for the first factor but password authentication
|
|
|
b7b64b |
+ * should not be advertised by the KDC. */
|
|
|
b7b64b |
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
|
|
|
b7b64b |
+ (ua != IPADB_USER_AUTH_NONE)) {
|
|
|
b7b64b |
/* This is the same behavior as ENOENT below. */
|
|
|
b7b64b |
ipa_krb5_free_key_data(res_key_data, result);
|
|
|
b7b64b |
break;
|
|
|
b7b64b |
--
|
|
|
b7b64b |
2.34.1
|
|
|
b7b64b |
|
|
|
b7b64b |
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
|
|
|
b7b64b |
From: Julien Rische <jrische@redhat.com>
|
|
|
b7b64b |
Date: Tue, 1 Feb 2022 19:38:29 +0100
|
|
|
b7b64b |
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
|
|
|
b7b64b |
|
|
|
b7b64b |
Signed-off-by: Julien Rische <jrische@redhat.com>
|
|
|
b7b64b |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
b7b64b |
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
|
|
b7b64b |
---
|
|
|
b7b64b |
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
|
|
|
b7b64b |
1 file changed, 28 insertions(+), 2 deletions(-)
|
|
|
b7b64b |
|
|
|
b7b64b |
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
|
|
b7b64b |
index 63e75ae67..9489fbc97 100644
|
|
|
b7b64b |
--- a/ipatests/test_integration/test_krbtpolicy.py
|
|
|
b7b64b |
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
|
|
b7b64b |
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
|
|
|
b7b64b |
result = master.run_command('klist | grep krbtgt')
|
|
|
b7b64b |
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
b7b64b |
|
|
|
b7b64b |
- def test_krbtpolicy_hardended(self):
|
|
|
b7b64b |
- """Test a hardened kerberos ticket policy with 10 min tickets"""
|
|
|
b7b64b |
+ def test_krbtpolicy_password_and_hardended(self):
|
|
|
b7b64b |
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
|
|
b7b64b |
master = self.master
|
|
|
b7b64b |
master.run_command(['ipa', 'user-mod', USER1,
|
|
|
b7b64b |
'--user-auth-type', 'password',
|
|
|
b7b64b |
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
|
|
|
b7b64b |
result = master.run_command('klist | grep krbtgt')
|
|
|
b7b64b |
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
b7b64b |
|
|
|
b7b64b |
+ def test_krbtpolicy_hardended(self):
|
|
|
b7b64b |
+ """Test a hardened kerberos ticket policy with 30min tickets"""
|
|
|
b7b64b |
+ master = self.master
|
|
|
b7b64b |
+ master.run_command(['ipa', 'user-mod', USER1,
|
|
|
b7b64b |
+ '--user-auth-type', 'hardened'])
|
|
|
b7b64b |
+ master.run_command(['ipa', 'config-mod',
|
|
|
b7b64b |
+ '--user-auth-type', 'hardened'])
|
|
|
b7b64b |
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
|
|
|
b7b64b |
+ '--hardened-maxlife', '1800'])
|
|
|
b7b64b |
+
|
|
|
b7b64b |
+ tasks.kdestroy_all(master)
|
|
|
b7b64b |
+
|
|
|
b7b64b |
+ master.run_command(['kinit', USER1],
|
|
|
b7b64b |
+ stdin_text=PASSWORD + '\n')
|
|
|
b7b64b |
+ result = master.run_command('klist | grep krbtgt')
|
|
|
b7b64b |
+ assert maxlife_within_policy(result.stdout_text, 1800,
|
|
|
b7b64b |
+ slush=1800) is True
|
|
|
b7b64b |
+
|
|
|
b7b64b |
+ tasks.kdestroy_all(master)
|
|
|
b7b64b |
+
|
|
|
b7b64b |
+ # Verify that the short policy only applies to USER1
|
|
|
b7b64b |
+ master.run_command(['kinit', USER2],
|
|
|
b7b64b |
+ stdin_text=PASSWORD + '\n')
|
|
|
b7b64b |
+ result = master.run_command('klist | grep krbtgt')
|
|
|
b7b64b |
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
|
|
b7b64b |
+
|
|
|
b7b64b |
def test_krbtpolicy_password(self):
|
|
|
b7b64b |
"""Test the kerberos ticket policy which issues 20 min tickets"""
|
|
|
b7b64b |
master = self.master
|
|
|
b7b64b |
--
|
|
|
b7b64b |
2.34.1
|
|
|
b7b64b |
|