Bug 1200873
| Summary: | [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> | |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> | |
| Severity: | unspecified | Docs Contact: | Milan Navratil <mnavrati> | |
| Priority: | medium | |||
| Version: | 7.0 | CC: | grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, nsoman, pbrezina, preichl | |
| Target Milestone: | rc | Keywords: | FutureFeature | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | sssd-1.13.0-0.1.alpha.el7 | Doc Type: | Release Note | |
| Doc Text: |
Multi-step prompting for one-time and long-term passwords
When using a one-time password (a token) together with a long-term password to log in, the user is prompted for both passwords separately. This results in better user experience when using one-time passwords as well as a safer long-term password extraction, which allows long-term password caching to be used for offline authentication.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1249088 (view as bug list) | Environment: | ||
| Last Closed: | 2015-11-19 11:36:09 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1181710 | |||
|
Description
Martin Kosek
2015-03-11 14:35:33 UTC
Upstream ticket: https://fedorahosted.org/sssd/ticket/2729 Additional fix: b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe Verified using ipa-server-4.2.0-10.el7.x86_64 Added ipa user, assigned otp token, config'd user to auth using otp Then auth'd this user using two factor auth: # su - admin su: warning: cannot change directory to /home/admin: No such file or directory -bash-4.2$ su - one First Factor: Second Factor: Last login: Mon Sep 21 21:57:50 EDT 2015 on pts/0 su: warning: cannot change directory to /home/one: No such file or directory -sh-4.2$ id uid=792800001(one) gid=792800001(one) groups=792800001(one) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 -sh-4.2$ klist Ticket cache: KEYRING:persistent:792800001:krb_ccache_QTO0sZK Default principal: one Valid starting Expires Service principal 09/21/2015 21:58:44 09/22/2015 21:58:43 krbtgt/TESTRELM.TEST tested user can auth with server offline. # ipactl stop -bash-4.2$ su - one Password: Last login: Mon Sep 21 22:16:53 EDT 2015 on pts/0 su: warning: cannot change directory to /home/one: No such file or directory -sh-4.2$ klist Ticket cache: KEYRING:persistent:792800001:krb_ccache_QTO0sZK Default principal: one Valid starting Expires Service principal 09/21/2015 21:58:44 09/22/2015 21:58:43 krbtgt/TESTRELM.TEST Verified even though login was at 22:16, old tkt was not refreshed since user is auth'ing offline # ipactl start Verified local user can still login as it would normally: [root@dell-per320-01 ~]# useradd linuxuser1 [root@dell-per320-01 ~]# passwd linuxuser1 [linuxuser1@dell-per320-01 ~]$ su - admin Password: Last login: Mon Sep 21 22:17:17 EDT 2015 on pts/0 su: warning: cannot change directory to /home/admin: No such file or directory -bash-4.2$ su - linuxuser1 Password: Last login: Mon Sep 21 22:23:15 EDT 2015 on pts/0 Was not prompted for two factors Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-2355.html |