Bug 1458183
Field | Value | Field | Value
---|---|---|---
Summary | Users can delete their last active OTP token | |
Product | Red Hat Enterprise Linux 7 | Reporter | Thorsten Scherf <tscherf>
Component | ipa | Assignee | IPA Maintainers <ipa-maint>
Status | CLOSED ERRATA | QA Contact | ipa-qe <ipa-qe>
Severity | unspecified | Docs Contact |
Priority | unspecified | |
Version | 7.3 | CC | frenaud, ndehadra, npmccallum, pasik, pvoborni, rcritten, tscherf
Target Milestone | rc | |
Target Release | --- | |
Hardware | Unspecified | |
OS | Unspecified | |
Whiteboard | | |
Fixed In Version | ipa-4.6.4-1.el7 | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2018-10-30 10:56:00 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Description
Thorsten Scherf
2017-06-02 08:55:55 UTC
Upstream ticket: https://pagure.io/freeipa/issue/7012

PR in GitHub: https://github.com/freeipa/freeipa/pull/1416

Fixed upstream
master:
8b6506a User must not be able to delete his last active otp token
c701cd2 389-ds OTP lasttoken plugin: Add unit test
ipa-4-6:
55d5f91 User must not be able to delete his last active otp token
a47ddde 389-ds OTP lasttoken plugin: Add unit test

IPA-server-version: ipa-server-4.6.4-5.el7.x86_64

Verified the bug on the basis of the following observations:

1. Verified that when only one (the last) OTP token is active, it cannot be deleted.
2. The only time a user can delete the OTP token is when the system has more than one OTP token.
3. The same behavior is observed when logged in through the server UI.
   Message: 'Server is unwilling to perform: Can't delete last active token'

Console output:
----------------

```
[root@ibm-x3650m4-01-vm-12 ~]# ipa user-add --first=test --last=user --password
User login [tuser]:
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: test
  Last name: user
  Full name: test user
  Display name: test user
  Initials: tu
  Home directory: /home/tuser
  GECOS: test user
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  User password expiration: 20180816084308Z
  Email address: tuser
  UID: 1332000001
  GID: 1332000001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ibm-x3650m4-01-vm-12 ~]# kinit tuser
Password for tuser:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@ibm-x3650m4-01-vm-12 ~]# kinit admin
Password for admin:
[root@ibm-x3650m4-01-vm-12 ~]# ipa config-mod --user-auth-type otp
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.test
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.TEST
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash, KDC:Disable Last Success
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  Default user authentication types: otp
  IPA masters: ibm-x3650m4-01-vm-12.testrelm.test
  IPA CA servers: ibm-x3650m4-01-vm-12.testrelm.test
  IPA NTP servers: ibm-x3650m4-01-vm-12.testrelm.test
  IPA CA renewal master: ibm-x3650m4-01-vm-12.testrelm.test
  IPA master capable of PKINIT: ibm-x3650m4-01-vm-12.testrelm.test
[root@ibm-x3650m4-01-vm-12 ~]# ipa config-show|grep -i auth
  Default user authentication types: otp
[root@ibm-x3650m4-01-vm-12 ~]# ipa user-find
---------------
2 users matched
---------------
  User login: admin
  Last name: Administrator
  Home directory: /home/admin
  Login shell: /bin/bash
  Principal alias: admin
  UID: 1332000000
  GID: 1332000000
  Account disabled: False

  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  Email address: tuser
  UID: 1332000001
  GID: 1332000001
  Account disabled: False
----------------------------
Number of entries returned 2
----------------------------
[root@ibm-x3650m4-01-vm-12 ~]# ipa user-mod tuser --user-auth-type otp
---------------------
Modified user "tuser"
---------------------
  User login: tuser
  First name: test
  Last name: user
  Home directory: /home/tuser
  Login shell: /bin/sh
  Principal name: tuser
  Principal alias: tuser
  Email address: tuser
  UID: 1332000001
  GID: 1332000001
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@ibm-x3650m4-01-vm-12 ~]# ipa user-show tuser |grep auth
  User authentication types: otp
[root@ibm-x3650m4-01-vm-12 ~]#
```

Logged in as user:
------------------

```
Could not chdir to home directory /home/tuser: No such file or directory
-sh-4.2$ whoami
tuser
-sh-4.2$ ipa otptoken-add
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
------------------
Added OTP token ""
------------------
  Unique ID: 8bc938ca-c482-4ee8-913a-bcf098fe01ef
  Type: TOTP
  Owner: tuser
  Manager: tuser
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/tuser:8bc938ca-c482-4ee8-913a-bcf098fe01ef?digits=6&secret=AKEZTEPLYQTNNIOBO6J6GIRVL5UXRV5WUXZBK4ELN67ZEXM4O5YUEBTL&period=30&algorithm=SHA1&issuer=tuser%40TESTRELM.TEST
-sh-4.2$ ipa otptoken-find
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
-------------------
1 OTP token matched
-------------------
  Unique ID: 8bc938ca-c482-4ee8-913a-bcf098fe01ef
  Type: TOTP
  Owner: tuser
----------------------------
Number of entries returned 1
----------------------------
-sh-4.2$ klist
Ticket cache: KEYRING:persistent:1332000001:krb_ccache_1fSVlK1
Default principal: tuser

Valid starting       Expires              Service principal
08/16/2018 04:48:45  08/17/2018 04:48:30  HTTP/ibm-x3650m4-01-vm-12.testrelm.test
08/16/2018 04:48:30  08/17/2018 04:48:30  krbtgt/TESTRELM.TEST
-sh-4.2$ ipa otptoken-delete 8bc938ca-c482-4ee8-913a-bcf098fe01ef
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
ipa: ERROR: unknown command 'otptoken-delete'
-sh-4.2$ ipa otptoken-del 8bc938ca-c482-4ee8-913a-bcf098fe01ef
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
ipa: ERROR: Server is unwilling to perform: Can't delete last active token
-sh-4.2$
```

Logged in again to add one more token:
----------------------------------------------

```
Could not chdir to home directory /home/tuser: No such file or directory
-sh-4.2$ ipa otptoken-add
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: QR code width is greater than that of the output tty. Please resize your terminal.
------------------
Added OTP token ""
------------------
  Unique ID: 669b5994-35e5-4014-b87f-b1d25bd2e4c1
  Type: TOTP
  Owner: tuser
  Manager: tuser
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/tuser:669b5994-35e5-4014-b87f-b1d25bd2e4c1?digits=6&secret=OY4RCMSNWWRHNZCD3KBSPWH4BCPKHUXVLCDGFPWO6XWUC4JQGD4RVSXO&period=30&algorithm=SHA1&issuer=tuser%40TESTRELM.TEST
(reverse-i-search)`': ^C
-sh-4.2$ ipa otptoken-find
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
--------------------
2 OTP tokens matched
--------------------
  Unique ID: 669b5994-35e5-4014-b87f-b1d25bd2e4c1
  Type: TOTP
  Owner: tuser

  Unique ID: 8bc938ca-c482-4ee8-913a-bcf098fe01ef
  Type: TOTP
  Owner: tuser
----------------------------
Number of entries returned 2
----------------------------
-sh-4.2$ ipa otptoken-del 669b5994-35e5-4014-b87f-b1d25bd2e4c1
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
--------------------------------------------------------
Deleted OTP token "669b5994-35e5-4014-b87f-b1d25bd2e4c1"
--------------------------------------------------------
-sh-4.2$ ipa otptoken-find
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
-------------------
1 OTP token matched
-------------------
  Unique ID: 8bc938ca-c482-4ee8-913a-bcf098fe01ef
  Type: TOTP
  Owner: tuser
----------------------------
Number of entries returned 1
----------------------------
-sh-4.2$
-sh-4.2$ ipa otptoken-del 8bc938ca-c482-4ee8-913a-bcf098fe01ef
ipa: ERROR: Could not create log_dir u'/home/tuser/.ipa/log'
ipa: WARNING: Failed to write schema: [Errno 13] Permission denied: '/home/tuser'
ipa: WARNING: Failed to write server info: [Errno 13] Permission denied: '/home/tuser'
ipa: ERROR: Server is unwilling to perform: Can't delete last active token
-sh-4.2$ rpm -q ipa-server
ipa-server-4.6.4-5.el7.x86_64
-sh-4.2$
```

Thus, on the basis of the above observations, marking the status of the bug as 'VERIFIED'.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
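As an added example (not FreeIPA's or the 389-ds lasttoken plugin's own code), the following Python model reproduces the rule the verification above exercises: a token deletion is refused when the owner authenticates with OTP and no other active token would remain. The names `OtpToken`, `Directory` and `replay_verification` are hypothetical, and two details are assumptions rather than facts from this report: a token counts as active only if it is not disabled and lies inside any not-before/not-after validity window, and a user's own authentication type overrides the global default set with `ipa config-mod`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class OtpToken:
    uid: str
    owner: str
    disabled: bool = False                 # ipatokenDisabled
    not_before: Optional[datetime] = None  # assumption: validity window also decides "active"
    not_after: Optional[datetime] = None
    def is_active(self, now: datetime) -> bool:
        if self.disabled or (self.not_before and now < self.not_before):
            return False
        return self.not_after is None or now <= self.not_after

class LastTokenError(Exception):
    """Stands in for the LDAP refusal the CLI shows: Can't delete last active token."""

@dataclass
class Directory:
    default_auth_types: set                              # ipa config-mod --user-auth-type
    user_auth_types: dict = field(default_factory=dict)  # ipa user-mod --user-auth-type
    tokens: dict = field(default_factory=dict)           # token uid -> OtpToken
    def delete_token(self, uid: str, now: Optional[datetime] = None) -> None:
        now = now or datetime.now(timezone.utc)
        token = self.tokens[uid]
        # Assumption: a user's own auth type overrides the global default.
        auth = self.user_auth_types.get(token.owner) or self.default_auth_types
        if "otp" in auth and token.is_active(now):
            if not any(t.owner == token.owner and t.uid != uid and t.is_active(now)
                       for t in self.tokens.values()):
                raise LastTokenError("Can't delete last active token")
        del self.tokens[uid]

def replay_verification() -> list:
    """Replay the report's delete attempts for tuser; one outcome string per attempt."""
    d = Directory(default_auth_types={"otp"}, user_auth_types={"tuser": {"otp"}})
    outcomes = []
    for action, uid in (("add", "t1"), ("del", "t1"), ("add", "t2"),
                        ("del", "t2"), ("del", "t1")):
        if action == "add":
            d.tokens[uid] = OtpToken(uid, "tuser")
            continue
        try:
            d.delete_token(uid)
            outcomes.append(f"deleted {uid}")
        except LastTokenError as e:
            outcomes.append(f"refused {uid}: {e}")
    return outcomes
```

The replay yields refused, deleted, refused, matching the three `otptoken-del` results in the console output; a disabled sibling token does not count as active, so the guard still refuses deletion in that case.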