Bug 1486286 - IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled
Summary: IPA failing to authenticate via password+OTP on RHEL7.4 with fips enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1544679
TreeView+ depends on / blocked
 
Reported: 2017-08-29 11:46 UTC by Godfrey
Modified: 2018-04-10 16:47 UTC (History)
16 users (show)

Fixed In Version: ipa-4.5.4-7.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1544679 (view as bug list)
Environment:
Last Closed: 2018-04-10 16:46:13 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1510313 'high' 'CLOSED' 'FreeIPA - Password+OTP does not work in FIPS' 2019-11-18 05:54:21 UTC
Red Hat Product Errata RHBA-2018:0918 None None None 2018-04-10 16:47:24 UTC

Internal Links: 1510313

Description Godfrey 2017-08-29 11:46:22 UTC
Description of problem:

IPA(IdM) installed on RHEL 7.4 with fips mode enabled, fails to authenticate with password+OTP.  In the same setup with fips mode disabled, the password+otp authenticates successfully.

Version-Release number of selected component (if applicable):

RHEL 7.4
Kernel - 3.10.0-693.1.1.el7.x86_64 
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.4 (Maipo)

FIPS  mode enabled
# cat /proc/sys/crypto/fips_enabled 
1

IPA
VERSION: 4.5.0, API_VERSION: 2.228 - ipa-server-4.5.0-21.el7.x86_64

FreeOTP version 1.5 (17)


How reproducible:


Steps to Reproduce:
1. Install RHEL7.4 and enable FIPS mode
2. Add a user and enable two factor authentication
3. Add OTP token from FreeOTP
4. Login with password+otp

Actual results:
Login fails as if wrong credentials supplied.

Expected results:
Successful authentication 

Additional info:

Comment 2 Petr Vobornik 2017-09-22 18:18:30 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7168

Comment 5 Standa Laznicka 2017-11-07 07:53:11 UTC
OTP logins are not possible in FIPS-mode because of the internal use of RADIUS which uses MD5. We should probably still at least prevent allowing user setting the OTP login option when in FIPS, so I'll keep this BZ to do that.

I created a documentation bug: https://bugzilla.redhat.com/show_bug.cgi?id=1510313

Comment 7 Standa Laznicka 2017-11-09 11:23:39 UTC
Fixed upstream
ipa-4-6:
https://pagure.io/freeipa/c/61e7c41bb8e87a9304f422343a1453974e528ce9

Comment 8 Standa Laznicka 2017-11-09 11:28:25 UTC
Thank you for reporting the bug.

We handled this Bugzilla so that a user should not be able to set OTP or RADIUS authentication type when in FIPS mode. This had to be done since OTP and RADIUS authentication on FIPS would require the underlying components to implement new behavior and this implementation would not be trivial.

If you want for OTP and RADIUS authentication to work even on FIPS, please file an RFE.

Comment 10 Raymond Page 2017-12-07 15:07:32 UTC
So instead of fixing the ipa-otpd to use EAP with it's RADIUS responder, they're just patching the installer to disable RADIUS when FIPS mode is enabled? How is that a reasonable bug resolution?

Comment 12 Standa Laznicka 2018-01-02 07:50:47 UTC
Raymond, unfortunately we rely on components that don't have the required functionality. Once again - feel free to file an RFE for OTP and RADIUS authentication to work with FIPS enabled.

Comment 13 Xiyang Dong 2018-01-14 02:32:17 UTC
Verified on ipa-server-4.5.4-7.el7 :
# rpm -qa ipa-server kernel
ipa-server-4.5.4-7.el7.x86_64
kernel-3.10.0-829.el7.x86_64
# cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)
# cat /proc/sys/crypto/fips_enabled 
1
# kinit admin
Password for admin@TESTRELM.TEST: 
# ipa user-add tuser --first tuser --last tuser --password
Password: 
Enter Password again to verify: 
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: tuser
  Last name: tuser
  Full name: tuser tuser
  Display name: tuser tuser
  Initials: tt
  Home directory: /home/tuser
  GECOS: tuser tuser
  Login shell: /bin/sh
  Principal name: tuser@TESTRELM.TEST
  Principal alias: tuser@TESTRELM.TEST
  Email address: tuser@testrelm.test
  UID: 1230800001
  GID: 1230800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod tuser --user-auth-type=otp
ipa: ERROR: OTP and RADIUS authentication in FIPS is not yet supported

Comment 14 Martin Kosek 2018-02-13 09:26:43 UTC
(In reply to Stanislav Laznicka from comment #12)
> Raymond, unfortunately we rely on components that don't have the required
> functionality. Once again - feel free to file an RFE for OTP and RADIUS
> authentication to work with FIPS enabled.

I agree with Raymond that we should have a tracking RFE for this gap. I will file one. At minimum, we need a place where we collect the interest and we have several customer cases attached to this bug already.

Comment 15 amitkuma 2018-02-14 09:05:24 UTC
Though Martin opened new Bugzilla.
But this is update from Customer for ipa-server, ipa-client test-rpms provided by simon on case#02032147.

======(2/13/2018 8:37 AM)Update from Customer=========
I tested the RPMs provided. I had to pull in some packages from the RHEL 7 Beta channel to get the new IPA server to install. I assume that was expected/okay.

After installing the new software I ran ipa-server-upgrade.  The install was done on a server that was installed with FIPS=1 and the updates were applied with FIPS=1. 

Test 1:
 1. On the server with FIPS enabled
 2. Set a user to be Password + OTP
 
I received an error stating that OTP is not supported under FIPS. This was new behavior. 

Test 2.
1. Turn off FIPS
  - Set FIPS=0 in grub in /etc/defaults/grub
  - Regen grub.conf -- /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
2. Set a user (kresss) to be Password + OTP
  - This worked..no error.
3. Logout of the ipa web page (was logged in as the admin user).
4. Attempt to login as the 2FA enabled user (kresss) on the IPA webpage
  - This does not work. When giving the password + OTP on the webpage I get "The password you entered is incorrect."
  - This is the same behavior that we saw before.

Questions:

Would disabling FIPS and then doing the upgrades make a difference?

What else can I try / what other testing scenarios would you like?


Thanks for all of the help.

Seth.
=====================

Comment 19 errata-xmlrpc 2018-04-10 16:46:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0918


Note You need to log in before you can comment on or make changes to this bug.