Bug 1132365

Summary: Remove password from the PAM stack if OTP is used
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssd Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0 CC: dlavu, dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.12.2-10.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:33:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2014-08-21 08:46:26 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2404

If the krb5_child returns that an OTP was used during authentication (see `parse_krb5_child_response` for more details) we should remove the authtok from the PAM stack to make sure the password is not consumed further down the stack, in software like gnome-keyring.
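
A model of the PAM_AUTHTOK propagation described in the ticket, added here as an illustration; it is not part of the bug report and not SSSD's own code. Everything in it is assumed: a constructed principal store (the principal `two` seen in the krb5_child trace in comment 3, with a made-up password and the RFC 6238 test-vector key as OTP secret, plus a password-only user `plain`), a `PamHandle` stand-in for `pam_handle_t`, a `kdc_verify` stand-in for OTP pre-authentication that expects the password followed by a six-digit TOTP, and a `Keyring` stand-in for a downstream module such as gnome-keyring that reuses whatever authtok is left on the stack. The `fixed` flag switches between leaving the authtok on the stack and clearing it once the backend reports that an OTP was consumed; the timestamps are RFC 6238 test-vector times so the expected codes are known.

```python
import hashlib
import hmac
import struct

# libpam return codes used by the model (values as in <security/_pam_types.h>)
PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = 0, 7, 25

# Constructed principal store standing in for the KDC. 'two' is the principal
# from the trace in comment 3; password and OTP secret are made up (the secret
# is the RFC 6238 test-vector key, so the codes below are known values).
USERS = {
    "two": {"password": "Secret123", "otp_secret": b"12345678901234567890"},
    "plain": {"password": "Secret123", "otp_secret": None},
}


class PamHandle:
    """Stand-in for pam_handle_t: items are shared by every module in the stack."""

    def __init__(self, user, authtok):
        self.items = {"PAM_USER": user, "PAM_AUTHTOK": authtok}
        self.log = []

    def get_item(self, name):
        return self.items.get(name)

    def set_item(self, name, value):
        self.items[name] = value


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, now, step=30):
    """RFC 6238 TOTP for the given Unix time."""
    return hotp(secret, int(now // step))


def kdc_verify(user, authtok, now):
    """Stand-in for OTP pre-authentication at the KDC. For OTP users the authtok
    is the password followed by the 6-digit code. Returns (ok, otp_used)."""
    rec = USERS.get(user)
    if rec is None or authtok is None:
        return False, False
    if rec["otp_secret"] is None:
        return hmac.compare_digest(authtok, rec["password"]), False
    password, code = authtok[:-6], authtok[-6:]
    ok = (hmac.compare_digest(password, rec["password"])
          and hmac.compare_digest(code, totp(rec["otp_secret"], now)))
    return ok, True


def pam_sss_authenticate(pamh, now, clear_authtok_after_otp):
    """Model of pam_sss: authenticate through the backend and, with the fix on,
    drop PAM_AUTHTOK from the stack once the backend reports an OTP was consumed."""
    ok, otp_used = kdc_verify(pamh.get_item("PAM_USER"),
                              pamh.get_item("PAM_AUTHTOK"), now)
    if not ok:
        return PAM_AUTH_ERR
    if otp_used and clear_authtok_after_otp:
        pamh.set_item("PAM_AUTHTOK", None)
        pamh.log.append("pam_sss: OTP used, PAM_AUTHTOK removed from the stack")
    return PAM_SUCCESS


class Keyring:
    """Stand-in for a keyring unlocked with the login password (as gnome-keyring does)."""

    def __init__(self):
        self.secret = None

    def unlock_or_create(self, tok):
        if self.secret is None:
            self.secret = tok  # first login: the keyring is created with this secret
            return "created"
        return "unlocked" if hmac.compare_digest(self.secret, tok) else "unlock failed"


def pam_keyring_authenticate(pamh, keyring):
    """Model of a downstream module that reuses whatever PAM_AUTHTOK is on the stack."""
    tok = pamh.get_item("PAM_AUTHTOK")
    if tok is None:
        pamh.log.append("keyring: no PAM_AUTHTOK on the stack, keyring left locked")
        return PAM_IGNORE
    status = keyring.unlock_or_create(tok)
    pamh.log.append(f"keyring: {status} using authtok {tok!r}")
    return PAM_SUCCESS if status != "unlock failed" else PAM_AUTH_ERR


def login(user, authtok, now, keyring, fixed):
    """Run the modelled stack: pam_sss (sufficient), then the keyring module
    (optional). Returns (stack result, keyring module result, log lines)."""
    pamh = PamHandle(user, authtok)
    rc = pam_sss_authenticate(pamh, now, clear_authtok_after_otp=fixed)
    if rc != PAM_SUCCESS:
        return rc, None, pamh.log
    return PAM_SUCCESS, pam_keyring_authenticate(pamh, keyring), pamh.log
```

Running `login("two", "Secret123" + totp(...), ...)` twice against the same `Keyring` with `fixed=False` shows the failure mode: the keyring is created with the password plus a single-use code, so the code is persisted in a secret store it should never reach, and the next login (with a different code) cannot reopen the keyring. With `fixed=True` the keyring module finds no authtok and returns PAM_IGNORE, which is the behaviour comment 3 verifies ("no further authentication occurred"); a password-only user keeps the authtok on the stack and the keyring opens as before. In the real stack the switch is not a flag but the OTP indication pam_sss receives from the backend, as the ticket describes.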

Comment 1 Jakub Hrozek 2014-11-07 14:15:06 UTC
master: 2368a0fc19bcd56581eccd8397289e4513a383a5

Comment 3 Dan Lavu 2015-01-30 14:16:48 UTC
VERIFIED on sssd-1.12.2-45.el7.x86_64, OTP was used with an iPhone 5s; after OTP auth occurred, no further authentication occurred.

**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478559: Upgrading to FAST due to presence of PA_FX_FAST in reply
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478576: FAST armor ccache: MEMORY:/var/lib/sss/db/fast_ccache_TESTRELM.TEST
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478602: Retrieving host/qe-blade-09.testrelm.test -> krb5_ccache_conf_data/fast_avail/krbtgt\/TESTRELM.TEST\@TESTRELM.TEST@X-CACHECONF: from MEMORY:/var/lib/sss/db/fast_ccache_TESTRELM.TEST with result: -1765328243/Matching credential not found
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478629: Getting credentials host/qe-blade-09.testrelm.test -> krbtgt/TESTRELM.TEST using ccache MEMORY:/var/lib/sss/db/fast_ccache_TESTRELM.TEST
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478692: Retrieving host/qe-blade-09.testrelm.test -> krbtgt/TESTRELM.TEST from MEMORY:/var/lib/sss/db/fast_ccache_TESTRELM.TEST with result: 0/Success
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478744: Armor ccache sesion key: aes256-cts/16F7
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478803: Creating authenticator for host/qe-blade-09.testrelm.test -> krbtgt/TESTRELM.TEST, seqnum 0, subkey aes256-cts/150B, session key aes256-cts/16F7
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478909: FAST armor key: aes256-cts/9FB6
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.478956: Encoding request body and padata into FAST request
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.479033: Sending request (1017 bytes) to TESTRELM.TEST
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.479101: Initiating TCP connection to stream 10.16.96.112:88
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.479369: Sending TCP request to stream 10.16.96.112:88
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482369: Received answer (558 bytes) from stream 10.16.96.112:88
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482405: Terminating TCP connection to stream 10.16.96.112:88
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482460: Response was from master KDC
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482487: Received error from KDC: -1765328359/Additional pre-authentication required
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482507: Decoding FAST response
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482591: Processing preauth types: 136, 141, 133, 137
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482609: Received cookie: MIT
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482733: Preauth module otp (141) (real) returned: 0/Success
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482753: Produced preauth for next request: 133, 142
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482769: Encoding request body and padata into FAST request
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482834: Sending request (1159 bytes) to TESTRELM.TEST
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.482880: Initiating TCP connection to stream 10.16.96.112:88
(Fri Jan 30 08:58:06 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626286.483137: Sending TCP request to stream 10.16.96.112:88
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619566: Received answer (911 bytes) from stream 10.16.96.112:88
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619596: Terminating TCP connection to stream 10.16.96.112:88
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619658: Response was from master KDC
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619688: Decoding FAST response
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619753: Processing preauth types: (empty)
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619772: Produced preauth for next request: (empty)
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619792: Salt derived from principal: TESTRELM.TESTtwo
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619822: AS key determined by preauth: aes256-cts/9FB6
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619874: FAST reply key: aes256-cts/D065
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619921: Decrypted AS reply; session key is: aes256-cts/EB7B
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.619960: FAST negotiation: available
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_krb5_expire_callback_func] (0x2000): exp_time: [7773009]
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620059: Retrieving host/qe-blade-09.testrelm.test from MEMORY:/etc/krb5.keytab (vno 0, enctype 0) with result: 0/Success
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620078: Resolving unique ccache of type MEMORY
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620101: Initializing MEMORY:58Wxq0a with default princ two
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620128: Removing two -> krbtgt/TESTRELM.TEST from MEMORY:58Wxq0a
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620148: Storing two -> krbtgt/TESTRELM.TEST in MEMORY:58Wxq0a
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620171: Getting credentials two -> host/qe-blade-09.testrelm.test using ccache MEMORY:58Wxq0a
(Fri Jan 30 08:58:07 2015) [[sssd[krb5_child[22246]]]] [sss_child_krb5_trace_cb] (0x4000): [22246] 1422626287.620204: Retrieving two -> host/qe-blade-09.testrelm.test from MEMORY:58Wxq0a with result: -1765328243/Matching credential not found
**  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **  **

Comment 5 errata-xmlrpc 2015-03-05 10:33:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0441.html