Description of problem:
IPA(IdM) installed on RHEL 7.4 with fips mode enabled, fails to authenticate with password+OTP. In the same setup with fips mode disabled, the password+otp authenticates successfully.

Version-Release number of selected component (if applicable):
RHEL 7.4
Kernel - 3.10.0-693.1.1.el7.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.4 (Maipo)
FIPS mode enabled
# cat /proc/sys/crypto/fips_enabled
1
IPA VERSION: 4.5.0, API_VERSION: 2.228 - ipa-server-4.5.0-21.el7.x86_64
FreeOTP version 1.5 (17)

How reproducible:

Steps to Reproduce:
1. Install RHEL7.4 and enable FIPS mode
2. Add a user and enable two factor authentication
3. Add OTP token from FreeOTP
4. Login with password+otp

Actual results:
Login fails as if wrong credentials supplied.

Expected results:
Successful authentication

Additional info:
Upstream ticket: https://pagure.io/freeipa/issue/7168
OTP logins are not possible in FIPS-mode because of the internal use of RADIUS which uses MD5. We should probably still at least prevent allowing user setting the OTP login option when in FIPS, so I'll keep this BZ to do that. I created a documentation bug: https://bugzilla.redhat.com/show_bug.cgi?id=1510313
Fixed upstream
master: https://pagure.io/freeipa/c/16a952a0a44a0ebee97029ea1d2f6b7593dd2622
ipa-4-5: https://pagure.io/freeipa/c/2364880348f424b4570a7184350dd0009a3bb7a6
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/61e7c41bb8e87a9304f422343a1453974e528ce9
Thank you for reporting the bug. We handled this Bugzilla so that a user should not be able to set OTP or RADIUS authentication type when in FIPS mode. This had to be done since OTP and RADIUS authentication on FIPS would require the underlying components to implement new behavior and this implementation would not be trivial. If you want OTP and RADIUS authentication to work even on FIPS, please file an RFE.
So instead of fixing the ipa-otpd to use EAP with its RADIUS responder, they're just patching the installer to disable RADIUS when FIPS mode is enabled? How is that a reasonable bug resolution?
Raymond, unfortunately we rely on components that don't have the required functionality. Once again - feel free to file an RFE for OTP and RADIUS authentication to work with FIPS enabled.
Verified on ipa-server-4.5.4-7.el7 :

# rpm -qa ipa-server kernel
ipa-server-4.5.4-7.el7.x86_64
kernel-3.10.0-829.el7.x86_64
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 Beta (Maipo)
# cat /proc/sys/crypto/fips_enabled
1
# kinit admin
Password for admin@TESTRELM.TEST:
# ipa user-add tuser --first tuser --last tuser --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
  User login: tuser
  First name: tuser
  Last name: tuser
  Full name: tuser tuser
  Display name: tuser tuser
  Initials: tt
  Home directory: /home/tuser
  GECOS: tuser tuser
  Login shell: /bin/sh
  Principal name: tuser@TESTRELM.TEST
  Principal alias: tuser@TESTRELM.TEST
  Email address: tuser@testrelm.test
  UID: 1230800001
  GID: 1230800001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
# ipa user-mod tuser --user-auth-type=otp
ipa: ERROR: OTP and RADIUS authentication in FIPS is not yet supported
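As an added illustration of the behaviour verified above (hypothetical code written for this page, not FreeIPA's own implementation): a validator that refuses the otp/radius user auth types when /proc/sys/crypto/fips_enabled reports 1, reproducing the error text shown, plus an audit helper that lists users an administrator should expect to be locked out on a FIPS host. The user records are constructed; the `ipauserauthtype` key is assumed to match the attribute name `ipa user-find --raw` would print.

```python
"""Hypothetical re-implementation of the check the fix adds (not FreeIPA code):
refuse to set an OTP or RADIUS user auth type while the host runs in FIPS
mode, and audit existing users for the same gap."""

FIPS_SYSCTL = "/proc/sys/crypto/fips_enabled"
# Auth types that go through the internal RADIUS path, which relies on MD5
# and is therefore unavailable under FIPS.
FIPS_UNSUPPORTED = frozenset({"otp", "radius"})
ERROR_MSG = "OTP and RADIUS authentication in FIPS is not yet supported"


def fips_enabled(path=FIPS_SYSCTL):
    """True when the kernel reports FIPS mode (file contains '1'), else False."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:          # file absent: kernel without FIPS support
        return False


def validate_auth_types(auth_types, fips):
    """Mirror of the fix: raise on otp/radius when FIPS is on; else return the set."""
    requested = {t.lower() for t in auth_types}
    if fips and requested & FIPS_UNSUPPORTED:
        raise ValueError("ipa: ERROR: " + ERROR_MSG)
    return requested


def audit_users(users, fips):
    """Return logins whose auth type includes otp/radius on a FIPS host.
    `users` are dicts shaped like `ipa user-find --raw` entries (assumed key name)."""
    if not fips:
        return []
    return sorted(u["uid"] for u in users
                  if FIPS_UNSUPPORTED & {t.lower() for t in u.get("ipauserauthtype", [])})


# Constructed sample data, not real directory output.
SAMPLE_USERS = [
    {"uid": "tuser", "ipauserauthtype": ["otp"]},
    {"uid": "kresss", "ipauserauthtype": ["password", "otp"]},
    {"uid": "admin", "ipauserauthtype": []},
]

if __name__ == "__main__":
    fips = fips_enabled()
    print("FIPS enabled:", fips)
    print("users that cannot log in under FIPS:", audit_users(SAMPLE_USERS, fips))
```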
(In reply to Stanislav Laznicka from comment #12)
> Raymond, unfortunately we rely on components that don't have the required
> functionality. Once again - feel free to file an RFE for OTP and RADIUS
> authentication to work with FIPS enabled.

I agree with Raymond that we should have a tracking RFE for this gap. I will file one. At minimum, we need a place where we collect the interest and we have several customer cases attached to this bug already.
Though Martin opened a new Bugzilla, this is an update from the customer for the ipa-server and ipa-client test RPMs provided by Simon on case #02032147.

======(2/13/2018 8:37 AM)Update from Customer=========
I tested the RPMs provided. I had to pull in some packages from the RHEL 7 Beta channel to get the new IPA server to install. I assume that was expected/okay.

After installing the new software I ran ipa-server-upgrade. The install was done on a server that was installed with FIPS=1 and the updates were applied with FIPS=1.

Test 1:
1. On the server with FIPS enabled
2. Set a user to be Password + OTP
I received an error stating that OTP is not supported under FIPS. This was new behavior.

Test 2.
1. Turn off FIPS
 - Set FIPS=0 in grub in /etc/defaults/grub
 - Regen grub.conf -- /usr/sbin/grub2-mkconfig -o /boot/grub2/grub.cfg
2. Set a user (kresss) to be Password + OTP
 - This worked..no error.
3. Logout of the ipa web page (was logged in as the admin user).
4. Attempt to login as the 2FA enabled user (kresss) on the IPA webpage
 - This does not work. When giving the password + OTP on the webpage I get "The password you entered is incorrect."
 - This is the same behavior that we saw before.

Questions:
Would disabling FIPS and then doing the upgrades make a difference?
What else can I try / what other testing scenarios would you like?

Thanks for all of the help.
Seth.
=====================
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/52c59982f03936d150b0ac468c8e7df8a12168b5 https://pagure.io/freeipa/c/c7d383c124db7f405d03a4b00f21560c9272557c https://pagure.io/freeipa/c/98efe7cf6a561313b5f7f8a7c2085d81739a4bb4
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0918