1564390 – OTP and Radius Authentication does not work in FIPS mode [rhel-7.5.z]

Bug 1564390 - OTP and Radius Authentication does not work in FIPS mode [rhel-7.5.z]

Summary: OTP and Radius Authentication does not work in FIPS mode [rhel-7.5.z]

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Linux
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:	https://github.com/freeipa/freeipa/pu...
Whiteboard:
Depends On:	1544679
Blocks:
TreeView+	depends on / blocked

Reported:	2018-04-06 07:13 UTC by Oneata Mircea Teodor
Modified:	2021-03-11 17:18 UTC (History)
CC List:	23 users (show)
Fixed In Version:	ipa-4.5.4-10.el7_5.1
Doc Type:	Bug Fix
Doc Text:	Previously, the one-time password (OTP) logins required APIs that were not available in the FIPS mode. As a consequence, authentication of OTP and RADIUS failed when the user installed Identity Management (IdM) on a machine with FIPS enabled. This update overcomes the described failure by using a different set of APIs for loading the OTP secret. As a result, IdM now supports the OTP and RADIUS authentication on machines with FIPS enabled.
Clone Of:	1544679
Environment:
Last Closed:	2018-05-14 16:11:15 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2018:1395	0	None	None	None	2018-05-14 16:11:38 UTC

Description Oneata Mircea Teodor 2018-04-06 07:13:08 UTC

This bug has been copied from bug #1544679 and has been proposed to be backported to 7.5 z-stream (EUS).

Comment 5 Mohammad Rizwan 2018-04-12 11:54:33 UTC

version:
ipa-server-4.5.4-10.el7_5.1.x86_64

Steps to Reproduce:
1. Install RHEL7.5 and enable FIPS mode
2. Add a user and enable two factor authentication
3. Add OTP token from FreeOTP
4. Login with password+otp

Actual result:
[root@master otp]# cat /proc/sys/crypto/fips_enabled 
1

Login with password+otp success

Expected result:
Login with password+otp success

Comment 6 Mohammad Rizwan 2018-04-12 11:56:25 UTC

Based on comment#5 making bug as verified.

Comment 7 Florence Blanc-Renaud 2018-04-25 08:28:53 UTC

Hi Nathaniel,
could you check/fix the Doc text that I just added? thanks

Comment 8 Nathaniel McCallum 2018-04-25 14:23:46 UTC

I updated the text.

Comment 13 errata-xmlrpc 2018-05-14 16:11:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1395

Note You need to log in before you can comment on or make changes to this bug.

akasurde
davdunc
enewland
frenaud
godfrey.watama
ipa-maint
ipa-qe
ksiddiqu
lmanasko
mkosek
mvarun
myusuf
npmccallum
pasik
pvoborni
rcritten
rharwood
rpage
slaznick
ssekidde
toneata
tscherf
xdong