Bug 1283521 - Users with OTP authentication fail to authenticate
Users with OTP authentication fail to authenticate
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: mod_authnz_pam (Show other bugs)
7.2
Unspecified Unspecified
high Severity high
: rc
: ---
Assigned To: Jan Pazdziora
Namita Soman
: Regression, ZStream
Depends On: 1279591
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-19 03:26 EST by Jan Kurik
Modified: 2015-12-08 05:24 EST (History)
6 users (show)

See Also:
Fixed In Version: mod_authnz_pam-0.9.3-5.el7_2
Doc Type: Bug Fix
Doc Text:
Previously, Web applications did not correctly handle two-factor authentication, a traditional password and a One-Time Password (OTP), when they used the mod_intercept_form_submit Apache module, and also the Pluggable Authentication Module (PAM) supported pre-auth, for example the pam_sss.so module. As a consequence, the authentication failed. With this update, mod_authnz_pam only provides the concatenated password and the OTP input to the first password PAM response. As a result, authentication no longer fails in the described situation.
Story Points: ---
Clone Of: 1279591
Environment:
Last Closed: 2015-12-08 05:24:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Kurik 2015-11-19 03:26:21 EST
This bug has been copied from bug #1279591 and has been proposed
to be backported to 7.2 z-stream (EUS).
Comment 4 Jan Pazdziora 2015-11-23 12:04:34 EST
Used upstream change 6de21466287c3e77850ab1d66f076405971ba4f3 in mod_authnz_pam-0.9.3-5.el7_2.
Comment 6 Scott Poore 2015-11-25 17:04:12 EST
Verified.

Version ::

mod_authnz_pam-0.9.3-5.el7_2.x86_64

Results ::

Using steps from bug #1279591

###################################
# 1. First setup webapp cgi script

[root@rhel7-3 www]# URLBASE="https://fedorapeople.org/cgit/adelton/public_git/CGI-sessions.git"
[root@rhel7-3 www]# curl -o app.cgi -s "$URLBASE/plain/app.cgi?id=start"

[root@rhel7-3 www]# curl -s "$URLBASE/patch/app.cgi?id=trust-REMOTE_USER" | patch -p1 app.cgi
patching file app.cgi

[root@rhel7-3 www]# curl -s "$URLBASE/patch/app.cgi?id=login2" | patch -p1 app.cgi
patching file app.cgi

[root@rhel7-3 www]# chmod a+x /var/www/app.cgi

[root@rhel7-3 www]# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'

[root@rhel7-3 www]# restorecon -rvv /var/www/app.cgi
restorecon reset /var/www/app.cgi context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_script_exec_t:s0

[root@rhel7-3 www]# setsebool -P allow_httpd_mod_auth_pam 1

###################################
# 2.  Setup Apache config pointing to webapp cgi script

[root@rhel7-3 www]# cd /etc/httpd/conf.d

[root@rhel7-3 conf.d]# cat > app.conf <<EOF
> ScriptAlias /application /var/www/app.cgi
> LoadModule auth_kerb_module modules/mod_auth_kerb.so
> LoadModule authnz_pam_module modules/mod_authnz_pam.so
> LoadModule intercept_form_submit_module modules/mod_intercept_form_submit.so
> 
> <Location /application/login>
>   AuthType Kerberos
>   AuthName "Kerberos Login"
>   KrbMethodNegotiate On
>   KrbMethodK5Passwd Off
>   KrbAuthRealms EXAMPLE.COM
>   Krb5KeyTab /etc/http.keytab
>   require pam-account wikiapp
>   ErrorDocument 401 '<html><meta http-equiv="refresh" content="0; URL=/application/login2"><body>Kerberos authentication did not pass.</body></html>'
> </Location>
> 
> <Location /application/login2>
>   InterceptFormPAMService wikiapp
>   InterceptFormLogin login
>   InterceptFormPassword password
> </Location>
> EOF

[root@rhel7-3 conf.d]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-3 conf.d]# ipa-getkeytab -s rhel7-1.example.com -k /etc/http.keytab -p HTTP/$(hostname)
Keytab successfully retrieved and stored in: /etc/http.keytab


###################################
# 3.  Setup pam for webapp

[root@rhel7-3 conf.d]# cat > /etc/pam.d/wikiapp <<EOF
> auth    required   pam_sss.so
> account required   pam_sss.so
> EOF


###################################
# 4. Add user

[root@rhel7-3 conf.d]# ipa user-add testuser --first=f --last=l --password
Password: 
Enter Password again to verify: 
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser@EXAMPLE.COM
  Email address: testuser@example.com
  UID: 373800009
  GID: 373800009
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-3 conf.d]# kinit testuser
Password for testuser@EXAMPLE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

###################################
# 5.  add OTP soft token for user

[root@rhel7-3 conf.d]# kdestroy -A
[root@rhel7-3 conf.d]# kinit testuser
Password for testuser@EXAMPLE.COM: 
[root@rhel7-3 conf.d]# ipa otptoken-add --type=totp --desc="My token"
------------------
Added OTP token ""
------------------
  Unique ID: b90edc4f-1bdb-4e3a-9bb5-ba8757d2700e
  Type: TOTP
  Description: My token
  Owner: testuser
  Manager: testuser
  Algorithm: sha1
  Digits: 6
  Clock interval: 30
  URI: otpauth://totp/testuser@EXAMPLE.COM:b90edc4f-1bdb-4e3a-9bb5-ba8757d2700e?digits=6&secret=DK654DEPRREDDXUW444DJSMSAVUKOHWA&period=30&algorithm=SHA1&issuer=testuser%40EXAMPLE.COM

<QR Code removed>

###################################
# 6. Now on android, use FreeOTP to scan QR code

###################################
# 7. Set User to use OTP Auth

[root@rhel7-3 conf.d]# kdestroy -A

[root@rhel7-3 conf.d]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-3 conf.d]# ipa user-mod testuser --user-auth-type=otp
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Email address: testuser@example.com
  UID: 373800009
  GID: 373800009
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

###################################
# 8. Restart httpd

[root@rhel7-3 conf.d]# systemctl restart httpd


###################################
# 9. Test access.  
# Use FreeOTP to generate the OTP code to add to end of password in curl command.

[root@rhel7-3 conf.d]# curl -d login=testuser -d password=Secret123555116 -si http://$(hostname)/application/login2 | grep "Logged in as"
    <title>Logged in as testuser</title>
    <h1>Logged in as testuser</h1>
Comment 8 errata-xmlrpc 2015-12-08 05:24:05 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2563.html

Note You need to log in before you can comment on or make changes to this bug.