Bug 1777564
| Summary: | [RFE] Completion authentication indicator policy support | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexander Bokovoy <abokovoy> |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | Josip Vilicic <jvilicic> |
| Priority: | unspecified | ||
| Version: | 8.2 | CC: | amore, fhanzelk, ksiddiqu, mkosek, pasik, pcech, rcritten, tscherf |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.8.3-1 | Doc Type: | Enhancement |
| Doc Text: |
.Kerberos ticket policy now supports authentication indicators
Authentication indicators are attached to Kerberos tickets based on which pre-authentication mechanism has been used to acquire the ticket:
* `otp` for two-factor authentication (password + OTP)
* `radius` for RADIUS authentication
* `pkinit` for PKINIT, smart card or certificate authentication
* `hardened` for hardened passwords (SPAKE or FAST)
The Kerberos Distribution Center (KDC) can enforce policies such as service access control, maximum ticket lifetime, and maximum renewable age, on the service ticket requests which are based on the authentication indicators.
With this enhancement, administrators can achieve finer control over service ticket issuance by requiring specific authentication indicators from a user's tickets.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-28 15:44:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified using upstream test : ipatests/test_integration/test_krbtpolicy.py Using : ipa-server-4.8.4-2.module+el8.2.0+5265+c70de5c4.x86_64 http://ci-vm-10-0-148-68.hosted.upshift.rdu2.redhat.com/trigger-test-suite/master/1113/trigger/report.html ============================= test session starts ============================== platform linux -- Python 3.6.8, pytest-3.4.2, py-1.5.3, pluggy-0.6.0 -- /usr/libexec/platform-python cachedir: .pytest_cache metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-169.el8.x86_64-x86_64-with-redhat-8.2-Ootpa', 'Packages': {'pytest': '3.4.2', 'py': '1.5.3', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.8.0', 'html': '1.22.1', 'sourceorder': '0.5', 'multihost': '3.0'}} rootdir: /home/cloud-user, inifile: plugins: metadata-1.8.0, html-1.22.1, sourceorder-0.5, multihost-3.0 collecting ... collected 4 items test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_default <- ../../usr/lib/python3.6/site-packages/ipatests/test_integration/test_krbtpolicy.py PASSED [ 25%] test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_hardended <- ../../usr/lib/python3.6/site-packages/ipatests/test_integration/test_krbtpolicy.py PASSED [ 50%] test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_password <- ../../usr/lib/python3.6/site-packages/ipatests/test_integration/test_krbtpolicy.py PASSED [ 75%] test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp <- ../../usr/lib/python3.6/site-packages/ipatests/test_integration/test_krbtpolicy.py FAILED [100%] ---------------- generated xml file: /home/cloud-user/junit.xml ---------------- ----------- generated html file: file:///home/cloud-user/report.html ----------- test_krbtpolicy_otp is failed for AttributeError: module 're' has no attribute 'Pattern' Test is passing manually. Based on this marking bz as verified. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2020:1640 *** Bug 1375107 has been marked as a duplicate of this bug. *** |
Complete Authentication Indicator Kerberos ticket policy support by providing IPA CLI options. For the authentication indicators 'otp', 'radius', 'pkinit', and 'hardened', allow specifying maximum ticket life and maximum renewable age in Kerberos ticket policy. The policy extensions are now loaded when a Kerberos principal data is requested by the KDC and evaluated in AS_REQ KDC policy check. If one of the authentication indicators mentioned above is present in the AS_REQ, corresponding policy is applied to the ticket. Related: https://pagure.io/freeipa/issue/8001