Bug 1283521

Summary: Users with OTP authentication fail to authenticate
Product: Red Hat Enterprise Linux 7
Reporter: Jan Kurik <jkurik>
Component: mod_authnz_pam
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: high
Docs Contact:
Priority: high
Version: 7.2
CC: jkurik, jpazdziora, ksiddiqu, lmiksik, mnavrati, spoore
Target Milestone: rc
Keywords: Regression, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: mod_authnz_pam-0.9.3-5.el7_2
Doc Type: Bug Fix
Doc Text:
Previously, web applications that used the mod_intercept_form_submit Apache module together with a Pluggable Authentication Module (PAM) that supports pre-authentication, such as pam_sss.so, did not correctly handle two-factor authentication (a traditional password combined with a One-Time Password, OTP). As a consequence, the authentication failed. With this update, mod_authnz_pam provides the concatenated password and OTP input only in response to the first PAM password prompt. As a result, authentication no longer fails in the described situation.
Story Points: ---
Clone Of: 1279591
Environment:
Last Closed: 2015-12-08 10:24:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1279591
Bug Blocks:

Description Jan Kurik 2015-11-19 08:26:21 UTC
This bug has been copied from bug #1279591 and has been proposed
to be backported to 7.2 z-stream (EUS).

Comment 4 Jan Pazdziora 2015-11-23 17:04:34 UTC
Used upstream change 6de21466287c3e77850ab1d66f076405971ba4f3 in mod_authnz_pam-0.9.3-5.el7_2.

Comment 6 Scott Poore 2015-11-25 22:04:12 UTC
Verified.

Version ::

mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

Using steps from bug #1279591

###################################
# 1. First setup webapp cgi script

[root@rhel7-3 www]# URLBASE="https://fedorapeople.org/cgit/adelton/public_git/CGI-sessions.git"
[root@rhel7-3 www]# curl -o app.cgi -s "$URLBASE/plain/app.cgi?id=start"

[root@rhel7-3 www]# curl -s "$URLBASE/patch/app.cgi?id=trust-REMOTE_USER" | patch -p1 app.cgi
patching file app.cgi

[root@rhel7-3 www]# curl -s "$URLBASE/patch/app.cgi?id=login2" | patch -p1 app.cgi
patching file app.cgi

[root@rhel7-3 www]# chmod a+x /var/www/app.cgi

[root@rhel7-3 www]# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'

[root@rhel7-3 www]# restorecon -rvv /var/www/app.cgi
restorecon reset /var/www/app.cgi context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_script_exec_t:s0

[root@rhel7-3 www]# setsebool -P allow_httpd_mod_auth_pam 1

###################################
# 2.  Setup Apache config pointing to webapp cgi script

[root@rhel7-3 www]# cd /etc/httpd/conf.d

[root@rhel7-3 conf.d]# cat > app.conf <<EOF
> ScriptAlias /application /var/www/app.cgi
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
> 
> <Location /application/login>
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.COM
>   Krb5KeyTab /etc/http.keytab
>   require pam-account wikiapp
>   ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>'
> </Location>
> 
> <Location /application/login2>
>   InterceptFormPAMService wikiapp
>   InterceptFormLogin login
>   InterceptFormPassword password
> </Location>
> EOF

[root@rhel7-3 conf.d]# kinit admin
Password for admin: 

[root@rhel7-3 conf.d]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab


###################################
# 3.  Setup pam for webapp

[root@rhel7-3 conf.d]# cat > /etc/pam.d/wikiapp <<EOF
> auth    required   pam_sss.so
> account required   pam_sss.so
> EOF


###################################
# 4. Add user

[root@rhel7-3 conf.d]# ipa user-add testuser --first=f --last=l --password
Password: 
Enter Password again to verify: 
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser
  Email address: testuser
  UID: 373800009
  GID: 373800009
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-3 conf.d]# kinit testuser
Password for testuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

###################################
# 5.  add OTP soft token for user

[root@rhel7-3 conf.d]# kdestroy -A
[root@rhel7-3 conf.d]# kinit testuser
Password for testuser: 
[root@rhel7-3 conf.d]# ipa otptoken-add --type=totp --desc="My token"
------------------
Added OTP token ""
------------------
  Unique ID: b90edc4f-1bdb-4e3a-9bb5-ba8757d2700e
  Type: TOTP
  Description: My token
  Owner: testuser
  Manager: testuser
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/testuser:b90edc4f-1bdb-4e3a-9bb5-ba8757d2700e?digits=6&secret=DK654DEPRREDDXUW444DJSMSAVUKOHWA&period=30&algorithm=SHA1&issuer=testuser%40EXAMPLE.COM

<QR Code removed>

###################################
# 6. Now on android, use FreeOTP to scan QR code

###################################
# 7. Set User to use OTP Auth

[root@rhel7-3 conf.d]# kdestroy -A

[root@rhel7-3 conf.d]# kinit admin
Password for admin: 

[root@rhel7-3 conf.d]# ipa user-mod testuser --user-auth-type=otp
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Email address: testuser
  UID: 373800009
  GID: 373800009
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

###################################
# 8. Restart httpd

[root@rhel7-3 conf.d]# systemctl restart httpd


###################################
# 9. Test access.  
# Use FreeOTP to generate the OTP code to add to end of password in curl command.

[root@rhel7-3 conf.d]# curl -d login=testuser -d password=Secret123555116 -si http://$(hostname)/application/login2 | grep "Logged in as"
    <title>Logged in as testuser</title>
    <h1>Logged in as testuser</h1>
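The password+OTP handling described in the Doc Text and exercised in step 9 above, as an added C example that is not part of mod_authnz_pam, mod_intercept_form_submit or this bug report. It models the PAM conversation callback in two modes: the fixed behaviour (the concatenated form value goes only to the first password prompt, later prompts get PAM_CONV_ERR) and, as an assumption about the pre-fix behaviour implied by the Doc Text, re-sending the same value to every prompt. The PAM types and codes are local stand-ins so it builds without libpam, and the "First Factor"/"Second Factor" prompt texts are illustrative of a 2FA-aware module such as pam_sss.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>
/* Local stand-ins for PAM conversation types/codes so this builds without libpam. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* appdata_ptr: form value (password + OTP digits), mode switch, delivered flag. */
struct conv_state { const char *secret; int answer_every_prompt; int delivered; };
/* Conversation callback. Fixed mode answers only the first echo-off prompt
 * with the concatenated secret and refuses later ones with PAM_CONV_ERR;
 * answer_every_prompt mode (assumed pre-fix behaviour) re-sends it each time. */
static int form_conv(int n, const struct pam_message **msgs,
                     struct pam_response **resp, void *appdata)
{
    struct conv_state *st = appdata;
    struct pam_response *r = n > 0 ? calloc((size_t)n, sizeof *r) : NULL;
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (msgs[i]->msg_style != PAM_PROMPT_ECHO_OFF ||
            (st->delivered && !st->answer_every_prompt)) {
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r); return PAM_CONV_ERR;
        }
        r[i].resp = strdup(st->secret);
        st->delivered = 1;
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Drive the callback like a module asking `prompts` echo-off questions in turn
 * (a 2FA module asks for a first, then a second factor). Returns how many
 * prompts received the complete form value. */
int simulate_module(const char *form_password, int prompts, int answer_every)
{
    struct conv_state st = { form_password, answer_every, 0 };
    int answered = 0;
    for (int i = 0; i < prompts; i++) {
        struct pam_message m = { PAM_PROMPT_ECHO_OFF, i ? "Second Factor: " : "First Factor: " };
        const struct pam_message *mp = &m;
        struct pam_response *r = NULL;
        if (form_conv(1, &mp, &r, &st) != PAM_SUCCESS) continue;
        if (strcmp(r[0].resp, form_password) == 0) answered++;
        free(r[0].resp); free(r);
    }
    return answered;
}
```

With the form value "Secret123555116" from step 9 and a two-prompt module, fixed mode hands the value to exactly one prompt, while the assumed pre-fix mode hands it to both.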

Comment 8 errata-xmlrpc 2015-12-08 10:24:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2563.html