Bug 1224057 - [RFE] TGS authorization decisions in KDC based on Authentication Indicator

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Martin Kosek <mkosek> |
| Component | ipa |
| Assignee | IPA Maintainers <ipa-maint> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | medium |
| Docs Contact | Marc Muehlfeld <mmuehlfe> |
| Priority | unspecified |
| Version | 7.0 |
| CC | ddas, enewland, ipa-maint, j.bittner, ksiddiqu, mbasti, mvarun, npmccallum, pvoborni, rcritten |
| Target Milestone | rc |
| Keywords | FutureFeature |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | ipa-4.4.0-0.el7.1.alpha1 |
| Doc Type | Enhancement |
| Clones | 1368411 |
| Bug Blocks | 1368411 |
| Last Closed | 2016-11-04 05:45:46 UTC |

Doc Text:

IdM now supports TGS authorization decisions

In an Identity Management (IdM) environment, users can optionally log in using multi-factor authentication. The Kerberos ticket from the ticket granting server (TGS) now contains an indicator that records whether two-factor authentication, a standard password combined with a one-time password (OTP), was used. This lets the administrator set server-side policies per resource, so that users are granted access based on the type of login they performed. For example, the administrator can now allow users to log in to the desktop with either one- or two-factor authentication, but require two-factor authentication for virtual private network (VPN) logins.

By default, all services accept all tickets. To enable this granularity, manage the policies in the IdM web user interface or use the "ipa service-*" and "ipa host-*" commands.
Description
Martin Kosek
2015-05-22 06:37:14 UTC
More authentication indicator information: http://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5782
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/8a2afcafee977675fc289acab50cc808b469a2b3

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5872
Fixed upstream master:
https://fedorahosted.org/freeipa/changeset/cd9bc84240c99ed744e5ee44db18d925a5292ffd
https://fedorahosted.org/freeipa/changeset/168a6c7d4778a2a3c729e3ac24e4ad9dfacb46c0
https://fedorahosted.org/freeipa/changeset/204200d73bb135cb7b9b31b8f1ba5268d73094a5
https://fedorahosted.org/freeipa/changeset/8f356a4305a9aa74aacae36806d6e8ed1b765245

Leaving assigned, more patches will come

433

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/4ded2ffc161ec649ba1ccf8d0b528d24028080df

Web UI part of 5872 fixed upstream master: https://fedorahosted.org/freeipa/changeset/afededacb92ce1903885b265c7adca87b634c21a

Host object support, master:
https://fedorahosted.org/freeipa/changeset/0855b014b1edcb1632a41e380220abd7bb5e481a
https://fedorahosted.org/freeipa/changeset/55049fceb978f2e20b13800b77775377428de386
https://fedorahosted.org/freeipa/changeset/ec6925e775598602e909d7a1f226f0c1e28cb074

Permissions added upstream master:
https://fedorahosted.org/freeipa/changeset/97db87b383b1ae4639bdb51793354bad30adf5a9
https://fedorahosted.org/freeipa/changeset/235b19ba7f9807ecf10436d1a5b28518b4475a70

Tests pushed upstream, master:
https://fedorahosted.org/freeipa/changeset/0f9a5ce6b4c533647b8894f516e34bea8184f1b8
https://fedorahosted.org/freeipa/changeset/dcdbbb975927a24ec05f7addefd59c71823a57c2
https://fedorahosted.org/freeipa/changeset/aab861142d3aec503ebae4779fbfa1858e20f451

Verified

Scenario 1: Modify existing service entry to a different authentication indicator as user

Setup: Service entry with an authentication indicator already exists.

Action:
1) kinit as normal user
2) Modify existing service entry to a different authentication indicator.

```
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_lm6SFga
Default principal: tuser01
Valid starting       Expires              Service principal
2016-08-03T17:54:22  2016-08-04T17:53:53  HTTP/client1.testrelm.test
2016-08-03T17:54:10  2016-08-04T17:53:53  krbtgt/TESTRELM.TEST
# ipa service-mod --auth-ind= HTTP/client1.testrelm.test
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalAuthInd' attribute of entry 'krbprincipalname=http/client1.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test'.
```

Expected result: Modification should fail because of insufficient access.

===================================================================

Scenario 2: Add another authentication indicator for an existing service.

Setup: Service entry with any one authentication indicator already exists.

Action:
1) Verify service entry

```
# kinit admin
Password for admin:
# ipa service-show HTTP/client1.testrelm.test
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: otp
  Keytab: True
  Managed by: client1.testrelm.test
```

2) Modify existing service entry to add another authentication indicator.

```
# ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
```

Expected result: Authentication indicator added successfully, and both authentication indicators should exist.

===================================================================

Scenario 3: Access service only with OTP authentication

Setup: User already exists with authentication types 'otp', 'radius' and 'password'.

Action:
1) Modify existing service entry to add sufficient OTP authentication indicator.

```
# ipa service-mod --auth-ind=otp HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: otp
  Managed by: client1.testrelm.test
```

2) kinit user with password only

```
# kinit tuser01
Password for tuser01:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01
Valid starting       Expires              Service principal
2016-08-04T19:29:17  2016-08-05T19:29:14  krbtgt/TESTRELM.TEST
```

3) Try to access service.

```
# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test
```

Expected result: Access to service should not be granted.

4) Now kinit user with OTP

```
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01
Valid starting       Expires              Service principal
2016-08-04T19:32:11  2016-08-05T19:31:40  krbtgt/TESTRELM.TEST
```

5) Try to access service now.

```
[root@master72 ~]# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test: kvno = 1
```

Expected output: Access to service should be granted.

===================================================================

Scenario 4: Add multiple authentication indicators for a service and try to access it with users of different authentication types (otpuser and radiususer)

Setup: User1 (otpuser) already exists with authentication type 'otp'. User2 (radiususer) already exists with authentication type 'radius'.

Action:
1) Add multiple authentication indicators for the service

```
# ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
```

2) kinit as RADIUS user and try to access service

```
# kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value:
# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test: kvno = 1
```

Expected output: Access to service should be granted for radiususer.

3) kinit as OTP user and try to access the same service

```
# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value:
# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test: kvno = 1
```

Expected result: Access to service should be granted for otpuser too.

===================================================================

Scenario 5: Add a new authentication indicator for a service and try to access it with users of the OTP and RADIUS authentication types

Setup: User1 (otpuser) already exists with authentication type 'otp'. User2 (radiususer) already exists with authentication type 'radius'.

Action:
1) Add new authentication indicator for the service

```
# ipa service-mod --auth-ind=newauth HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: newauth
  Managed by: client1.testrelm.test
```

2) kinit as RADIUS user and try to access service

```
# kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value:
# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test
```

Expected output: Access to service should not be granted for radiususer.

3) kinit as OTP user and try to access the same service

```
# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value:
# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test
```

Expected result: Access to service should not be granted for otpuser.

===================================================================

Scenario 6: Add authentication indicator with leading space

1) Modify --auth-ind with leading space

```
# ipa service-mod --auth-ind=' otp' HTTP/client1.testrelm.test
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed
```

Expected output: authentication indicator should not be added.

===================================================================

Scenario 7: Add authentication indicator with trailing space

1) Modify --auth-ind with trailing space

```
# ipa service-mod --auth-ind='otp ' HTTP/client1.testrelm.test
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed
```

Expected output: authentication indicator should not be added.

===================================================================

Scenario 8: Try to access host with sufficient authentication

Setup: User already exists with authentication type 'radius'.

Action:
1) Modify existing host entry to add radius authentication indicator.

```
# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa), 40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519), 30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
```

Expected result: Authentication indicator added successfully for existing host.

2) Log in / kinit as radius user

```
# kinit -T KEYRING:persistent:0:0 tuser02
Enter OTP Token Value:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aUg7vyl
Default principal: tuser02
Valid starting       Expires              Service principal
2016-08-08T13:54:20  2016-08-09T13:54:15  krbtgt/TESTRELM.TEST
```

3) Try to ssh to host

```
# ssh -l tuser02 client1.testrelm.test
Last login: Mon Aug 8 12:52:05 2016 from master73.testrelm.test
-sh-4.2$
```

Expected result: Authentication should be successful.

===================================================================

Scenario 9: Create new host entry with specified authentication indicator.

Setup: Host entry does not exist.

Actions:
1) Create new host entry with '--auth-ind=otp' or '--auth-ind=radius' option.

```
# ipa host-add --auth-ind=otp
Host name: client1.testrelm.test
----------------------------------
Added host "host128.testrelm.test"
----------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  Authentication Indicators: otp
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test
```

Expected results: Host entry should be added successfully.

===================================================================

Scenario 10: Update existing host entry to another authentication indicator

Setup: Host entry with OTP authentication indicator already exists.

Actions:
1) Update existing entry with '--auth-ind=radius' option.

```
# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa), 40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519), 30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test
```

Expected result: Authentication indicator added successfully for existing host.

===================================================================

Scenario 11: Verify that both authentication indicators can be set for a host

Setup: Host entry with no authentication indicator already exists.

Actions:
1) Try to update the host to contain both 'otp' and 'radius' indicators.

```
# ipa host-mod client1.testrelm.test --auth-ind=radius --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa), 40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519), 30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp, radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
```

Expected results: Should be successful.

===================================================================

Scenario 12: Remove authentication indicators from hosts

Setup: Service entry with an authentication indicator already exists.

Actions:
1) Update existing entry with blank authentication indicator.

```
# ipa host-mod client1.testrelm.test --auth-ind=
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa), 40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519), 30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
```

Expected results: Removed existing authentication indicator from host successfully.

===================================================================

Scenario 13: Access hosts without authentication indicators

Setup:
1) User already exists with authentication types 'otp', 'radius' and 'password'.
2) Host with no authentication indicators set already exists.

Actions:
1) Authenticate as a user using any of the authentication types. Log in as user with only password

```
# kinit puser
Password for puser:
```

2) Try to ssh to host

```
# ssh -l puser client1.testrelm.test
Last login: Mon Aug 8 15:13:42 2016 from master72.testrelm.test
-sh-4.2$ logout
```

Expected results: Should be successful.

3) Log in as user with OTP

```
# kinit -T KEYRING:persistent:0:0 puser
Enter OTP Token Value:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser
```

4) Try to ssh to host

```
# ssh -l puser client1.testrelm.test
Last login: Mon Aug 8 15:17:26 2016 from master72.testrelm.test
-sh-4.2$
```

Expected results: Should grant access for all types of authentication.

===================================================================

Scenario 14: Try to access host with insufficient authentication

Setup:
1) User already exists with authentication types 'otp', 'radius' and 'password'.
2) Host with authentication indicator 'otp' only already exists.

Actions:
1) Modify host with authentication indicator 'otp'

```
# ipa host-mod client1.testrelm.test --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test
  Principal alias: host/client1.testrelm.test
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa), 40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519), 30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
```

2) Run kinit as user with password only.

```
# kinit puser
Password for puser:
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser
Valid starting       Expires              Service principal
2016-08-08T16:27:57  2016-08-09T16:27:50  krbtgt/TESTRELM.TEST
```

3) Try to access host

```
# ssh -l puser client1.testrelm.test
First Factor:
```

Expected results: Should refuse access because the host has authentication indicator 'otp'.

4) Enter First Factor and Second Factor

```
# ssh -l puser client1.testrelm.test
First Factor:
Second Factor (optional):
Last login: Mon Aug 8 15:18:11 2016 from master72.testrelm.test
-sh-4.2$
```

Expected results: Access should be successful with key+token.

===================================================================

Scenario 15: Add authentication indicator with special characters

```
# ipa service-mod --auth-ind='!@#$%^' HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: !@#$%^
  Managed by: client1.testrelm.test
```

Expected output: authentication indicator with special characters should be added.

===================================================================

Scenario 16: Add authentication indicator with capital letters (eg: OTP, RADIUS)

Add authentication indicator with upper case

```
# ipa service-mod --auth-ind='OTP' HTTP/client1.testrelm.test
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test
  Principal alias: HTTP/client1.testrelm.test
  Authentication Indicators: OTP
  Managed by: client1.testrelm.test
```

Expected output: Authentication indicator with upper case is added successfully.

Verified ipa-server-4.4.0-8.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
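The policy the verification scenarios above exercise, as an added example that is not FreeIPA's or MIT krb5's code: a small Python model of the KDC's TGS decision against a service or host's krbPrincipalAuthInd set, together with the `--auth-ind` value handling the scenarios show. The indicator each login method places in the TGT, and exact-string matching of indicators, are assumptions reconstructed from the scenarios rather than from the real implementation.

```python
# Added example, not FreeIPA or MIT krb5 code: a model of the authorization
# check described on this page, with rules reconstructed from the scenarios.
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Indicators the KDC records in a TGT per initial-authentication method.
# Assumed: password-only kinit carries none, OTP login carries "otp",
# RADIUS login carries "radius" (scenarios 3, 4 and 8).
TGT_INDICATORS = {
    "password": frozenset(),
    "otp": frozenset({"otp"}),
    "radius": frozenset({"radius"}),
}


class InvalidAuthInd(ValueError):
    """Models `ipa: ERROR: invalid 'auth_ind': ...` (scenarios 6 and 7)."""


def validate_auth_ind(value: str) -> str:
    """Accept any value without surrounding whitespace: case and special
    characters are stored as given (scenarios 15 and 16)."""
    if value != value.strip():
        raise InvalidAuthInd("Leading and trailing spaces are not allowed")
    return value


@dataclass(frozen=True)
class Principal:
    """A service or host entry; auth_ind models the multi-valued
    krbPrincipalAuthInd attribute (empty = no requirement)."""
    name: str
    auth_ind: FrozenSet[str] = frozenset()


def set_auth_ind(principal: Principal, values: Iterable[str]) -> Principal:
    """`ipa service-mod`/`host-mod --auth-ind=...`: the given values replace
    the whole set, and a bare `--auth-ind=` clears it (scenario 12)."""
    cleaned = frozenset(validate_auth_ind(v) for v in values if v != "")
    return Principal(principal.name, cleaned)


def tgs_authorize(ticket_indicators: FrozenSet[str], target: Principal) -> bool:
    """KDC decision when a TGT is presented for a ticket to `target`.
    No indicators on the target: every ticket is accepted (doc text and
    scenario 13). Otherwise the TGT must carry at least one required
    indicator, compared as exact strings (scenarios 3 to 5, assumed)."""
    if not target.auth_ind:
        return True
    return bool(target.auth_ind & ticket_indicators)


def kvno(login_method: str, target: Principal) -> str:
    """Shape of the `kvno` outcome seen in the scenarios."""
    if tgs_authorize(TGT_INDICATORS[login_method], target):
        return f"{target.name}: kvno = 1"
    return ("kvno: KDC policy rejects request while getting credentials "
            f"for {target.name}")


if __name__ == "__main__":
    http = Principal("HTTP/client1.testrelm.test")
    http = set_auth_ind(http, ["otp"])        # scenario 3
    print(kvno("password", http))             # rejected
    print(kvno("otp", http))                  # kvno = 1
    http = set_auth_ind(http, ["newauth"])    # scenario 5
    print(kvno("radius", http))               # rejected
    print(kvno("password", set_auth_ind(http, [""])))  # cleared: accepted
```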