Bug 1224057 - [RFE] TGS authorization decisions in KDC based on Authentication Indicator
Summary: [RFE] TGS authorization decisions in KDC based on Authentication Indicator
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
Marc Muehlfeld
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks: 1368411
TreeView+ depends on / blocked
 
Reported: 2015-05-22 06:37 UTC by Martin Kosek
Modified: 2016-11-04 05:45 UTC (History)
10 users (show)

(edit)
IdM now supports TGS authorization decisions

In an Identity Management (IdM) environment, users can optionally log in using multi-factor authentication. The Kerberos ticket from the ticket granting server (TGS) now contains an indicator if two-factor authentication using a standard password in combination with a one-time password (OTP) was used. This enables the administrator to set server-side policies for resources, and the users are allowed to access based upon the type of their logins. For example, the administrator can now allow the user to log in to the desktop either using one- or two-factor authentication, but require two-factor authentication for virtual private networks (VPN) logins.

By default, all services accept all tickets. To activate this granularity, you have to manage the policies in the IdM web user interface or use the "ipa service-*" and "ipa host-*" commands.
Clone Of:
: 1368411 (view as bug list)
(edit)
Last Closed: 2016-11-04 05:45:46 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC
Red Hat Bugzilla 1298980 None None None Never

Internal Trackers: 1298980

Description Martin Kosek 2015-05-22 06:37:14 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/433

By modifying the DAL ldap driver it would be possible to list the services a user principal is allowed to get a ticket for.
This is possible by implementing the TGS check policy callbacks.

This would allow to better constrain what some principals can actually access over a network (useful for guest accounts, temp workers, contractors, etc...) without having to modify existing applications to add access control.

We could perhaps also tie in decisions on whether delegation should be allowed.

Comment 1 Martin Kosek 2015-05-25 07:00:51 UTC
More authentication indicator information:
http://k5wiki.kerberos.org/wiki/Projects/Authentication_indicator

Comment 2 Petr Vobornik 2016-04-14 14:21:32 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5782

Comment 3 Martin Bašti 2016-05-02 17:17:46 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/8a2afcafee977675fc289acab50cc808b469a2b3

Comment 4 Petr Vobornik 2016-05-17 16:01:40 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5872

Comment 6 Petr Vobornik 2016-06-02 17:03:59 UTC
433 Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/4ded2ffc161ec649ba1ccf8d0b528d24028080df

Comment 7 Petr Vobornik 2016-06-07 17:32:16 UTC
Web UI part -5872 fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/afededacb92ce1903885b265c7adca87b634c21a

Comment 16 Varun Mylaraiah 2016-08-18 10:16:53 UTC
Verified 



Scenario 1: Modify existing service entry to different authentication indicator as user

Setup
Service entry with an authentication indicator already exists.

Action
1) Kinit as normal user
2) Modify existing service entry to different authentication indicator.
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_lm6SFga
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-03T17:54:22  2016-08-04T17:53:53  HTTP/client1.testrelm.test@TESTRELM.TEST
2016-08-03T17:54:10  2016-08-04T17:53:53  krbtgt/TESTRELM.TEST@TESTRELM.TEST

# ipa service-mod --auth-ind= HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalAuthInd' attribute of entry 'krbprincipalname=http/client1.testrelm.test@testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test'.

Expected result:
Modification should fail because of insufficient access
===================================================================

Scenario 2: Add another authentication indicators for existing service.

Setup
Service entry with an any one authentication indicator already exists.

Action
1) Verify service entry

# kinit admin
Password for admin@TESTRELM.TEST: 

# ipa service-show HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Keytab: True
  Managed by: client1.testrelm.test

2) Modify existing service entry to add another authentication indicator.

# ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
  
Expected result:
Authentication indicator added successfully and Both authentication indicator should be exists
===================================================================


Scenario 3: Access service only with otp authentication

Setup :
User already exists with authentication types 'otp', 'radius' and 'password'.

Action
1) Modify existing service entry to add sufficient otp authentication indicator.

# ipa service-mod --auth-ind=otp HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Managed by: client1.testrelm.test

2) kinit user with password only
# kinit tuser01
Password for tuser01@TESTRELM.TEST: 
 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-04T19:29:17  2016-08-05T19:29:14  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) Try to access service.
# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected result:
Access to service should not be granted

4) Now kinit user with otp
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value: 

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-04T19:32:11  2016-08-05T19:31:40  krbtgt/TESTRELM.TEST@TESTRELM.TEST

5) Try to access service now.
[root@master72 ~]# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expect output:
Access to service should be granted.

===================================================================

Scenario 4: Add multiple authentication indicator for service and try to access with different authentication types users(otpuser and radiususer)

Setup :
User1(otpuser) already exists with authentication types 'otp'
User2(radiususer) already exists with authentication types 'radius'

Action:
1) Add multiple authentication indicator for service

#ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
  
2)  Kinit as Radius user and Try to access service

#kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expected output: Access to service should be granted for radiususer

3) Kinit as OTP user and Try to access same service

# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expected result: Access to service should be granted for otpuser too.


===================================================================

Scenario 5: Add new authentication indicator for service and try to access with OTP and Radius authentication types users

Setup
User1(otpuser) already exists with authentication types 'otp'
User2(radiususer) already exists with authentication types 'radius'

Action:
1) Add new authentication indicator for service

# ipa service-mod --auth-ind=newauth HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: newauth
  Managed by: client1.testrelm.test

2)  Kinit as Radius user and Try to access service

#kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected output: Access to service should not be granted for radiususer.


3) Kinit as OTP user and Try to access same service

# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected result: Access to service should not be granted for otpuser.

===================================================================

Scenario 6: Add authentication indicator with leading space
1)Modify --auth-ind with leading space
#ipa service-mod --auth-ind=' otp' HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed

Expected output:-
authentication indicator should not added
===================================================================

Scenario 7: Add authentication indicator with trailing space
1) #ipa service-mod --auth-ind='otp ' HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed

Expected output:-
authentication indicator should not added
===================================================================

Scenario 8: Try to access host with sufficient authentication
Setup
User already exists with authentication types 'radius'.

Action
1) Modify existing host entry to add radius authentication indicator.

# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test

Expected result:
Authentication indicator added successfully for existing host.

2) login/kinit as radius user 
# kinit -T KEYRING:persistent:0:0 tuser02
Enter OTP Token Value: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aUg7vyl
Default principal: tuser02@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-08T13:54:20  2016-08-09T13:54:15  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) try to ssh to host 
# ssh -l tuser02 client1.testrelm.test
Last login: Mon Aug  8 12:52:05 2016 from master73.testrelm.test
-sh-4.2$ 

Expected result:
Authentication should be successful.
===================================================================


Scenario 9: Create new host entry with specified authentication indicator.
Setup
Host entry does not exist.

Actions
1) Create new host entry with '--auth-ind=otp' or '--auth-ind=radius' option.
# ipa host-add --auth-ind=otp 
Host name: client1.testrelm.test
----------------------------------
Added host "host128.testrelm.test"
----------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test

Expected results
Host entry should be added successful.
===================================================================

Scenario 10: Update existing host entry to another authentication indicator

Setup
Host entry with OTP authentication indicator already exists.

Actions
1) Update existing entry with '--auth-ind=radius' option.

# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test

Expected result:
Authentication indicator added successfully for existing host.
===================================================================

Scenario 11: Verify that both authentication indicators can be set for a host
Setup
Host entry with no authentication indicator already exists.

Actions
1) Try to update the host to contain both 'otp' and 'radius' indicators.

#ipa host-mod client1.testrelm.test --auth-ind=radius --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp, radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test


Expected results
Should be successful.
===================================================================


Scenario 12: Remove authentication indicators form hosts
Setup
Service entry with an authentication indicator already exists.

Actions
1) Update existing entry with blank authentication indicator.

# ipa host-mod client1.testrelm.test --auth-ind=
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test

Expected results
Removed existing authentication indicator from host successfully.
===================================================================

Scenario 13: Access hosts without authentication indicators

Setup
1)User already exists with authentication types 'otp', 'radius' and 'password'.
2)Host with no authentication indicators set already exists.

Actions
1) Authenticate as a user using any of the authentication types.
Login as user with only password
# kinit puser
Password for puser@TESTRELM.TEST: 

2) Try to ssh to host
# ssh -l puser client1.testrelm.test
Last login: Mon Aug  8 15:13:42 2016 from master72.testrelm.test
-sh-4.2$ logout


Expected results
Should be successful.

3) Login as user with otp

# kinit -T KEYRING:persistent:0:0 puser
Enter OTP Token Value: 

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser@TESTRELM.TEST

4) Try to ssh to host
# ssh -l puser client1.testrelm.test
Last login: Mon Aug  8 15:17:26 2016 from master72.testrelm.test
-sh-4.2$ 

Expected results
Should grant access for all types of authentication.
===================================================================

Scenario 14: Try to access host with insufficient authentication

Setup
1) User already exists with authentication types 'otp', 'radius' and 'password'.
2) host with authentication indicator 'otp' only already exists.

Actions
1) Modify host with authentication indicator 'otp'

# ipa host-mod client1.testrelm.test --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
  
  
2) Run kinit as user with password only.

# kinit puser
Password for puser@TESTRELM.TEST:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-08T16:27:57  2016-08-09T16:27:50  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) Try to access host
# ssh -l puser client1.testrelm.test
First Factor: 

Expected results:
Should refuse access because of host has authentication indicator 'otp'

4) Enter First Factor and Second Factor
# ssh -l puser client1.testrelm.test
First Factor: 
Second Factor (optional): 
Last login: Mon Aug  8 15:18:11 2016 from master72.testrelm.test
-sh-4.2$

Expected results:
Access Should be successful with key+token

===================================================================

Scenario 15:
Add authentication indicator with special characters

# ipa service-mod --auth-ind='!@#$%^' HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: !@#$%^
  Managed by: client1.testrelm.test

Expected output:
authentication indicator with special characters should added

Scenario 16:
Add authentication indicator with capital letters (eg: OTP, RADIUS)

Add authentication indicator with upper case

# ipa service-mod --auth-ind='OTP' HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: OTP
  Managed by: client1.testrelm.test

Expected output:
Authentication indicator with upper case is added successfully

Comment 17 Varun Mylaraiah 2016-08-18 10:18:17 UTC
Verified 
ipa-server-4.4.0-8.el7.x86_64

Scenario 1: Modify existing service entry to different authentication indicator as user

Setup
Service entry with an authentication indicator already exists.

Action
1) Kinit as normal user
2) Modify existing service entry to different authentication indicator.
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_lm6SFga
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-03T17:54:22  2016-08-04T17:53:53  HTTP/client1.testrelm.test@TESTRELM.TEST
2016-08-03T17:54:10  2016-08-04T17:53:53  krbtgt/TESTRELM.TEST@TESTRELM.TEST

# ipa service-mod --auth-ind= HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalAuthInd' attribute of entry 'krbprincipalname=http/client1.testrelm.test@testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test'.

Expected result:
Modification should fail because of insufficient access
===================================================================

Scenario 2: Add another authentication indicators for existing service.

Setup
Service entry with an any one authentication indicator already exists.

Action
1) Verify service entry

# kinit admin
Password for admin@TESTRELM.TEST: 

# ipa service-show HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Keytab: True
  Managed by: client1.testrelm.test

2) Modify existing service entry to add another authentication indicator.

# ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
  
Expected result:
Authentication indicator added successfully and Both authentication indicator should be exists
===================================================================


Scenario 3: Access service only with otp authentication

Setup :
User already exists with authentication types 'otp', 'radius' and 'password'.

Action
1) Modify existing service entry to add sufficient otp authentication indicator.

# ipa service-mod --auth-ind=otp HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Managed by: client1.testrelm.test

2) kinit user with password only
# kinit tuser01
Password for tuser01@TESTRELM.TEST: 
 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-04T19:29:17  2016-08-05T19:29:14  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) Try to access service.
# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected result:
Access to service should not be granted

4) Now kinit user with otp
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value: 

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-04T19:32:11  2016-08-05T19:31:40  krbtgt/TESTRELM.TEST@TESTRELM.TEST

5) Try to access service now.
[root@master72 ~]# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expect output:
Access to service should be granted.

===================================================================

Scenario 4: Add multiple authentication indicator for service and try to access with different authentication types users(otpuser and radiususer)

Setup :
User1(otpuser) already exists with authentication types 'otp'
User2(radiususer) already exists with authentication types 'radius'

Action:
1) Add multiple authentication indicator for service

#ipa service-mod --auth-ind=otp --auth-ind=radius HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp, radius
  Managed by: client1.testrelm.test
  
2)  Kinit as Radius user and Try to access service

#kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expected output: Access to service should be granted for radiususer

3) Kinit as OTP user and Try to access same service

# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
HTTP/client1.testrelm.test@TESTRELM.TEST: kvno = 1

Expected result: Access to service should be granted for otpuser too.


===================================================================

Scenario 5: Add new authentication indicator for service and try to access with OTP and Radius authentication types users

Setup
User1(otpuser) already exists with authentication types 'otp'
User2(radiususer) already exists with authentication types 'radius'

Action:
1) Add new authentication indicator for service

# ipa service-mod --auth-ind=newauth HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: newauth
  Managed by: client1.testrelm.test

2)  Kinit as Radius user and Try to access service

#kinit -T KEYRING:persistent:0:0 radiususer
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected output: Access to service should not be granted for radiususer.


3) Kinit as OTP user and Try to access same service

# kinit -T KEYRING:persistent:0:0 otpuser
Enter OTP Token Value: 

# kvno HTTP/client1.testrelm.test
kvno: KDC policy rejects request while getting credentials for HTTP/client1.testrelm.test@TESTRELM.TEST

Expected result: Access to service should not be granted for otpuser.

===================================================================

Scenario 6: Add authentication indicator with leading space
1)Modify --auth-ind with leading space
#ipa service-mod --auth-ind=' otp' HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed

Expected output:-
authentication indicator should not added
===================================================================

Scenario 7: Add authentication indicator with trailing space
1) #ipa service-mod --auth-ind='otp ' HTTP/client1.testrelm.test@TESTRELM.TEST
ipa: ERROR: invalid 'auth_ind': Leading and trailing spaces are not allowed

Expected output:-
authentication indicator should not added
===================================================================

Scenario 8: Try to access host with sufficient authentication
Setup
User already exists with authentication types 'radius'.

Action
1) Modify existing host entry to add radius authentication indicator.

# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test

Expected result:
Authentication indicator added successfully for existing host.

2) login/kinit as radius user 
# kinit -T KEYRING:persistent:0:0 tuser02
Enter OTP Token Value: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aUg7vyl
Default principal: tuser02@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-08T13:54:20  2016-08-09T13:54:15  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) try to ssh to host 
# ssh -l tuser02 client1.testrelm.test
Last login: Mon Aug  8 12:52:05 2016 from master73.testrelm.test
-sh-4.2$ 

Expected result:
Authentication should be successful.
===================================================================


Scenario 9: Create new host entry with specified authentication indicator.
Setup
Host entry does not exist.

Actions
1) Create new host entry with '--auth-ind=otp' or '--auth-ind=radius' option.
# ipa host-add --auth-ind=otp 
Host name: client1.testrelm.test
----------------------------------
Added host "host128.testrelm.test"
----------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: otp
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test

Expected results
Host entry should be added successful.
===================================================================

Scenario 10: Update existing host entry to another authentication indicator

Setup
Host entry with OTP authentication indicator already exists.

Actions
1) Update existing entry with '--auth-ind=radius' option.

# ipa host-mod client1.testrelm.test --auth-ind=radius
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: radius
  Password: False
  Keytab: False
  Managed by: client1.testrelm.test

Expected result:
Authentication indicator added successfully for existing host.
===================================================================

Scenario 11: Verify that both authentication indicators can be set for a host
Setup
Host entry with no authentication indicator already exists.

Actions
1) Try to update the host to contain both 'otp' and 'radius' indicators.

#ipa host-mod client1.testrelm.test --auth-ind=radius --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp, radius
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test


Expected results
Should be successful.
===================================================================


Scenario 12: Remove authentication indicators form hosts
Setup
Service entry with an authentication indicator already exists.

Actions
1) Update existing entry with blank authentication indicator.

# ipa host-mod client1.testrelm.test --auth-ind=
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test

Expected results
Removed existing authentication indicator from host successfully.
===================================================================

Scenario 13: Access hosts without authentication indicators

Setup
1)User already exists with authentication types 'otp', 'radius' and 'password'.
2)Host with no authentication indicators set already exists.

Actions
1) Authenticate as a user using any of the authentication types.
Login as user with only password
# kinit puser
Password for puser@TESTRELM.TEST: 

2) Try to ssh to host
# ssh -l puser client1.testrelm.test
Last login: Mon Aug  8 15:13:42 2016 from master72.testrelm.test
-sh-4.2$ logout


Expected results
Should be successful.

3) Login as user with otp

# kinit -T KEYRING:persistent:0:0 puser
Enter OTP Token Value: 

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser@TESTRELM.TEST

4) Try to ssh to host
# ssh -l puser client1.testrelm.test
Last login: Mon Aug  8 15:17:26 2016 from master72.testrelm.test
-sh-4.2$ 

Expected results
Should grant access for all types of authentication.
===================================================================

Scenario 14: Try to access host with insufficient authentication

Setup
1) User already exists with authentication types 'otp', 'radius' and 'password'.
2) host with authentication indicator 'otp' only already exists.

Actions
1) Modify host with authentication indicator 'otp'

# ipa host-mod client1.testrelm.test --auth-ind=otp
-------------------------------------
Modified host "client1.testrelm.test"
-------------------------------------
  Host name: client1.testrelm.test
  Principal name: host/client1.testrelm.test@TESTRELM.TEST
  Principal alias: host/client1.testrelm.test@TESTRELM.TEST
  SSH public key fingerprint: 45:1E:79:6F:2E:80:65:07:2C:27:BA:FE:99:27:E4:43 (ssh-rsa),
                              40:0D:1D:B7:52:31:CE:86:6B:8A:3A:C9:68:A9:6B:0D (ssh-ed25519),
                              30:44:60:F3:5D:B5:D2:16:4A:4E:6C:FC:AD:31:EF:C0 (ecdsa-sha2-nistp256)
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: client1.testrelm.test
  
  
2) Run kinit as user with password only.

# kinit puser
Password for puser@TESTRELM.TEST:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_LVUiIr5
Default principal: puser@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-08T16:27:57  2016-08-09T16:27:50  krbtgt/TESTRELM.TEST@TESTRELM.TEST

3) Try to access host
# ssh -l puser client1.testrelm.test
First Factor: 

Expected results:
Should refuse access because of host has authentication indicator 'otp'

4) Enter First Factor and Second Factor
# ssh -l puser client1.testrelm.test
First Factor: 
Second Factor (optional): 
Last login: Mon Aug  8 15:18:11 2016 from master72.testrelm.test
-sh-4.2$

Expected results:
Access Should be successful with key+token

===================================================================

Scenario 15:
Add authentication indicator with special characters

# ipa service-mod --auth-ind='!@#$%^' HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: !@#$%^
  Managed by: client1.testrelm.test

Expected output:
authentication indicator with special characters should added

Scenario 16:
Add authentication indicator with capital letters (eg: OTP, RADIUS)

Add authentication indicator with upper case

# ipa service-mod --auth-ind='OTP' HTTP/client1.testrelm.test@TESTRELM.TEST
-----------------------------------------------------------
Modified service "HTTP/client1.testrelm.test@TESTRELM.TEST"
-----------------------------------------------------------
  Principal name: HTTP/client1.testrelm.test@TESTRELM.TEST
  Principal alias: HTTP/client1.testrelm.test@TESTRELM.TEST
  Authentication Indicators: OTP
  Managed by: client1.testrelm.test

Expected output:
Authentication indicator with upper case is added successfully

Comment 20 errata-xmlrpc 2016-11-04 05:45:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html


Note You need to log in before you can comment on or make changes to this bug.