Bug 1510313
| Summary: | FreeIPA - Password+OTP does not work in FIPS | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Standa Laznicka <slaznick> |
| Component: | doc-Linux_Domain_Identity_Management_Guide | Assignee: | Lucie Vařáková <lmanasko> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.4 | CC: | fhanzelk, lmanasko, mkosek, pvoborni, rhel-docs, rpage, slaznick |
| Target Milestone: | rc | Keywords: | Documentation, EasyFix |
| Target Release: | --- | Flags: | fhanzelk: needinfo+, lmanasko: needinfo+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-13 07:59:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description

Standa Laznicka, 2017-11-07 07:49:58 UTC

An admonition somewhere in 22.2. One-Time Passwords could fix this. FIPS as such is described in 2.1.2. System Requirements, but I don't think we need to add anything there. Standa, do you think we should also document this as a known issue in the 7.4 Release Notes? It sounds important enough.

This is rather a missing feature than an issue. OTP logins would be possible should EAP be implemented for RADIUS auth to get rid of the need for MD5 checksums. Not sure if that makes a difference in documenting it, though. It definitely should be documented, at least in the release notes, as OTP logins work in non-FIPS environments and thus a customer may expect they would work in FIPS, too.

Ok, thanks for the explanation! Instead of a known issue, it might make more sense to just add a statement about this to the FIPS release note then. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/new_features_authentication_and_interoperability But the final decision will be on whoever ends up working on this doc bug.

This should be considered an issue if IPA FIPS mode is to be considered valuable in environments that require multifactor authentication. I view this as a bug against IPA in RHEL 7.4, and would appreciate a documentation errata in the release notes and a proper bug fix of the RADIUS configuration in the future.

There is a new RFE bug 1544679 to cover the missing F2A (password+otp) functionality in FIPS mode.

Lucie, we recently hit questions on what can or cannot be done in FIPS mode when investigating Bug 1544679. Based on the experience, I would have an additional suggestion on top of what is proposed in the bug: FIPS requirements and expectations are now described within https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/installing-ipa#prerequisites However, I think we should have a separate section on FIPS, stating what does or does not work in FIPS mode (i.e. information from this bug and what is in Prerequisites already), so that government customers can easily find that information out. If this is a separate section, another benefit would be that it appears in the guide Content Highlights. When I search "FIPS" in https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index right now, I get no results. Does that make sense?

(In reply to Martin Kosek from comment #13)
> ... I think we should have a separate section on FIPS, stating what
> does or does not work in FIPS mode (i.e. information from this bug and what
> is in Prerequisites already)...

Lucie asked to file a separate bug for this change - here it is: Bug 1559484.
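Why the MD5 dependency mentioned above breaks password+OTP under FIPS, as an added example that is not part of this bug's discussion or of FreeIPA's code: RADIUS (RFC 2865, section 5.2) hides the User-Password attribute, which for a password+OTP login carries the concatenated password and token code, with an MD5-derived keystream, so on a FIPS-enforcing host the MD5 call itself is refused. The shared secret, Request Authenticator and password bytes below are constructed sample values.

```python
import hashlib
import os


def md5_usable_for_auth() -> bool:
    """Probe whether this host's crypto policy allows MD5 for security use.

    RHEL builds of Python route hashlib through OpenSSL; with FIPS enforced,
    hashlib.md5() (usedforsecurity defaults to True) raises ValueError, which
    is exactly the call a RADIUS client needs for the User-Password attribute.
    """
    try:
        hashlib.md5(b"probe")
        return True
    except ValueError:
        return False


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def hide_user_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to 16-byte blocks, XOR each block
    with MD5(secret + previous ciphertext block), seeded by the Request
    Authenticator. For password+OTP the password already contains the OTP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret + prev)))
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_user_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server-side reversal of hide_user_password; trailing NUL padding is
    stripped as the RFC prescribes (a password ending in NUL is not preserved)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, _md5(secret + prev)))
        prev = block
    return bytes(plain).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample: password "hunter2" followed by a 6-digit OTP code.
    secret, authenticator = b"constructed-shared-secret", os.urandom(16)
    print("MD5 allowed:", md5_usable_for_auth())
    hidden = hide_user_password(secret, authenticator, b"hunter2123456")
    print(unhide_user_password(secret, authenticator, hidden))
```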