Bug 1187342

Summary: Login ignores global OTP enablement
Product: Red Hat Enterprise Linux 7
Reporter: Nathaniel McCallum <npmccallum>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.1
CC: drieden, mkosek, rcritten
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipa-4.1.0-18.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:19:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1187501
Attachments:
  Patch proposal from Nathaniel (flags: none)

Description Nathaniel McCallum 2015-01-29 19:46:13 UTC
The setup for this problem is:
  ipa user-add foo
  ipa passwd foo
  kinit foo
  ipa otptoken-add

All of the above works. Now, let's actually enable OTP auth.

This works:
  ipa user-mod foo --user-auth-type=otp

This doesn't (but should):
  ipa config-mod --user-auth-type=otp

In both cases, doing a "kinit -T ... foo" prompts for OTP. In the first case, password + otp is required. In the second case, password-only is required.

Because kinit is prompting for OTP, this means KDB is working properly. Also, because password authentication works in the second case, it means that ipa-otpd is working properly. This means the ipapwd-extop plugin is ignoring the global setting.

This bug was caught by integration tests. I am *not* able to reproduce this bug on upstream FreeIPA, so this appears to be a RHEL specific issue.
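The precedence the report relies on (a per-user auth type wins, otherwise the global default applies, otherwise password only) as an added check that is not part of this bug or of FreeIPA's own code. It parses constructed text in the shape of `ipa user-show --raw` / `ipa config-show --raw` output; the attribute name `ipauserauthtype` and the sample entries are assumptions.

```python
import re

# Constructed sample output shaped like `ipa config-show --raw` and
# `ipa user-show <uid> --raw` (the ipauserauthtype attribute name is assumed).
SAMPLE_CONFIG = "dn: cn=ipaConfig,cn=etc,dc=example,dc=test\nipauserauthtype: otp\n"

SAMPLE_USERS = {
    "one": "uid: one\nipauserauthtype: otp\n",             # explicit per-user otp
    "two": "uid: two\n",                                    # unset: inherits global
    "three": "uid: three\nipauserauthtype: password\n",    # per-user override
}


def parse_auth_types(raw):
    """Collect every value of the multi-valued ipauserauthtype attribute."""
    return [m.group(1).strip().lower()
            for m in re.finditer(r"^ipauserauthtype:\s*(.+)$", raw, re.M)]


def effective_auth_types(user_raw, config_raw):
    """Per-user setting wins; otherwise the global default applies;
    if neither is set, plain password authentication is expected."""
    user_types = parse_auth_types(user_raw)
    if user_types:
        return user_types
    return parse_auth_types(config_raw) or ["password"]


def accepted_methods(auth_types):
    """Map auth types to what kinit must be given: 'otp' means the
    password plus a token code, 'password' means the password alone.
    Any other type (e.g. radius) is passed through by name."""
    mapping = {"otp": "password+otp", "password": "password"}
    return {mapping.get(t, t) for t in auth_types}


def report(users, config_raw):
    """Expected accepted methods per user, sorted for stable comparison.
    A kinit that succeeds with the password alone for a user listed as
    password+otp only indicates the global setting is being ignored."""
    return {uid: sorted(accepted_methods(effective_auth_types(raw, config_raw)))
            for uid, raw in users.items()}


if __name__ == "__main__":
    for uid, methods in report(SAMPLE_USERS, SAMPLE_CONFIG).items():
        print(f"{uid}: {', '.join(methods)}")
```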

Comment 2 Martin Kosek 2015-01-30 08:51:20 UTC
Created attachment 985898
Patch proposal from Nathaniel

Comment 5 Namita Soman 2015-02-02 22:20:53 UTC
Verified using ipa-server-4.1.0-18.el7.x86_64

Steps taken:
Add two users:
# ipa user-add one --first=one --last=one --password
# ipa user-add two --first=two --last=two --password
Set their passwords:
# kinit one
# kinit two
# kinit admin
Add otp tokens for them:
# ipa otptoken-add --type=totp --owner=one --desc="My soft token"
# ipa otptoken-add --type=totp --owner=two --desc="My soft token"
# ipa user-mod one --user-auth-type=otp
Prepare to auth:
# klist
# kinit -T KEYRING:persistent:0:0 one
Can auth using password+otp only
# kinit -T KEYRING:persistent:0:0 two
since auth type is not set for two yet - auth'd using password
# kinit admin
# ipa config-mod --user-auth-type=otp
# kinit -T KEYRING:persistent:0:0 one
# kinit -T KEYRING:persistent:0:0 two
before fix, auth'd using password alone; after fix can auth using password+otp only

Comment 7 errata-xmlrpc 2015-03-05 10:19:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html