Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1200873 - [RFE] Allow smart multi step prompting when user logs in with password and token code from IPA
[RFE] Allow smart multi step prompting when user logs in with password and to...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd (Show other bugs)
7.0
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: SSSD Maintainers
Kaushik Banerjee
Milan Navratil
: FutureFeature
Depends On:
Blocks: 1181710
  Show dependency treegraph
 
Reported: 2015-03-11 10:35 EDT by Martin Kosek
Modified: 2015-11-19 06:36 EST (History)
9 users (show)

See Also:
Fixed In Version: sssd-1.13.0-0.1.alpha.el7
Doc Type: Release Note
Doc Text:
Multi-step prompting for one-time and long-term passwords When using a one-time password (a token) together with a long-term password to log in, the user is prompted for both passwords separately. This results in better user experience when using one-time passwords as well as a safer long-term password extraction, which allows long-term password caching to be used for offline authentication.
Story Points: ---
Clone Of:
: 1249088 (view as bug list)
Environment:
Last Closed: 2015-11-19 06:36:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 05:27:42 EST

  None (edit)
Description Martin Kosek 2015-03-11 10:35:33 EDT 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2335

Right now user is prompted for password and token code in one prompt. It makes it extremely hard to determine which part of the input is user password that can be cached locally for the offline use case and which part is the code. The feature would allow consulting Kerberos to determine how to properly prompt user.
Comment 2 Jakub Hrozek 2015-07-29 08:38:07 EDT 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2729
Comment 3 Jakub Hrozek 2015-07-29 12:45:09 EDT 
Additional fix: b698a04b37ad33e3de5bee82edc6e0e7b5ba2cfe
Comment 4 Namita Soman 2015-09-21 22:36:49 EDT 
Verified using ipa-server-4.2.0-10.el7.x86_64

Added ipa user, assigned otp token, config'd user to auth using otp
Then auth'd this user using two factor auth:
# su - admin
su: warning: cannot change directory to /home/admin: No such file or directory

-bash-4.2$ su - one
First Factor: 
Second Factor: 
Last login: Mon Sep 21 21:57:50 EDT 2015 on pts/0
su: warning: cannot change directory to /home/one: No such file or directory

-sh-4.2$ id
uid=792800001(one) gid=792800001(one) groups=792800001(one) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:792800001:krb_ccache_QTO0sZK
Default principal: one@TESTRELM.TEST

Valid starting       Expires              Service principal
09/21/2015 21:58:44  09/22/2015 21:58:43  krbtgt/TESTRELM.TEST@TESTRELM.TEST

tested user can auth with server offline.
# ipactl stop

-bash-4.2$ su - one
Password: 
Last login: Mon Sep 21 22:16:53 EDT 2015 on pts/0
su: warning: cannot change directory to /home/one: No such file or directory

-sh-4.2$ klist
Ticket cache: KEYRING:persistent:792800001:krb_ccache_QTO0sZK
Default principal: one@TESTRELM.TEST

Valid starting       Expires              Service principal
09/21/2015 21:58:44  09/22/2015 21:58:43  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Verified even though login was at 22:16, old tkt was not refreshed since user is auth'ing offline

# ipactl start

Verified local user can still login as it would normally:
[root@dell-per320-01 ~]# useradd linuxuser1
[root@dell-per320-01 ~]# passwd linuxuser1

[linuxuser1@dell-per320-01 ~]$ su - admin
Password: 
Last login: Mon Sep 21 22:17:17 EDT 2015 on pts/0
su: warning: cannot change directory to /home/admin: No such file or directory

-bash-4.2$ su - linuxuser1
Password: 
Last login: Mon Sep 21 22:23:15 EDT 2015 on pts/0

Was not prompted for two factors
Comment 5 errata-xmlrpc 2015-11-19 06:36:09 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.