
Re: [Freeipa-devel] FreeIPA OTP End-to-End
----- Original Message -----
> From: "Dmitri Pal" <dpal redhat com>
> To: freeipa-devel redhat com
> Sent: Saturday, December 14, 2013 12:45:28 AM
> Subject: Re: [Freeipa-devel] FreeIPA OTP End-to-End
> 
> On 12/13/2013 03:57 PM, Nathaniel McCallum wrote:
> > This is an email to track the status of the OTP project as we push
> > toward completion. I'm also attempting to get all the pieces in play so
> > that they are testable.
> >
> > RPMs
> > Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
> > These currently contain the CLI and UI patches, but exclude the DS
> > plugin patch. I will merge this last patch in when submitted to the
> > list.
> >
> > OTP CLI
> > All of the patches are merged except npmccallum-0024, which is
> > undergoing active review.
> > https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html
> >
> > OTP UI
> > Thanks to Petr Vobornik for his set of patches implementing the UI. They
> > can be found rebased on top of my otp changes here:
> > https://github.com/npmccallum/freeipa/commits/otpui
> >
> > Authentication methods and RADIUS proxy support seems to be fully
> > functional and I have not encountered any bugs. I'm not currently able
> > to get the OTP UI to show up at all (I may well be doing something
> > wrong).
> >
> > I believe Petr plans to clean these up and resubmit them to the list.
> >
> > One additional patch will be required for the token sync extop.
> >
> > DS PLUGIN
> > I am nearing completion on the DS plugin providing support for deletion
> > protection and the token sync extop. This should hit the list next week.
> >
> > OTHER
> > Am I missing anything?
> 
> Did you update the wiki page? I think it was one of the outstanding items.
> Any unit tests?
> Any way to include some tests for Continuous Integration?
> Anything SELinux related?
> Default configuration of locations and names of sockets and files?
> Things like that.
I've fixed Web UI and have it working now. Patch attached.

Additionally, there are two AVCs that need to be fixed on Fedora 20:

type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket

They are fixed with the following rules:

allow krb5kdc_t init_t:unix_stream_socket connectto;
allow krb5kdc_t krb5kdc_conf_t:sock_file write;

We need to fix documentation now that the command set is called otptoken-*;
the help messages in ipalib/plugins/otptoken.py also need an update.

When both password and OTP are enabled for the user, only password authentication is working.

What does not yet work is end-to-end kinit without armoured ccache. 
This also is the case for PAM-based logins through SSSD.

Armoured ccache works:
[root master ~]# kinit -k
[root master ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_vTaHGz9
Default principal: host/master ipa test IPA TEST

Valid starting       Expires              Service principal
12/23/2013 11:40:02  12/24/2013 11:40:02  krbtgt/IPA TEST IPA TEST
[root master ~]# kinit -T KEYRING:persistent:0:krb_ccache_vTaHGz9 ab IPA TEST
Enter OTP Token Value: 
[root master ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ab IPA TEST

Valid starting       Expires              Service principal
12/23/2013 11:40:59  12/24/2013 11:40:45  krbtgt/IPA TEST IPA TEST

What I would like to see is either automated armouring or use of a fully anonymous principal for armouring.
We have PKI anchors set by default for all FreeIPA clients already, so making it possible to obtain a ticket
as a WELLKNOWN/ANONYMOUS REALM principal purely for armouring would be great.

Additionally, FreeOTP QR-code capture seems to treat the Galaxy S4 mini's camera wrongly:
I see the viewfinder mirrored -- up is down and left is right. This makes it almost impossible
to focus on the QR code in the web UI.

-- 
/ Alexander Bokovoy
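The two AVC denials quoted in the mail and the two allow rules derived from them are exactly the transformation that audit2allow performs. The following script is an added example, not code from this thread or from FreeIPA: it parses AVC records of that shape into one allow rule per (source type, target type, class) and wraps them in policy-module source with the require block that checkmodule expects. The sample input is the two AVC lines from the mail re-joined onto single lines; the module name "freeipa_otp_kdc" is a placeholder.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two AVC records quoted in the mail, re-joined onto
# single lines (the archive wrapped them).
SAMPLE_AVC = (
    'type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  '
    'pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 '
    'scontext=system_u:system_r:krb5kdc_t:s0 '
    'tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file\n'
    'type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  '
    'pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" '
    'scontext=system_u:system_r:krb5kdc_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket\n'
)

# "avc:  denied  { perm perm } for  key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values may be double-quoted (comm="krb5kdc")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the fields a rule needs from one AVC record, or None if the
    line is not a denial carrying source/target context and a class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    # A context is user:role:type:range; the type is what a rule names.
    return {
        "perms": m.group("perms").split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
    }


def _perm_set(perms) -> str:
    """Policy syntax: a single permission bare, several in braces."""
    p = " ".join(sorted(perms))
    return p if len(perms) == 1 else "{ " + p + " }"


def allow_rules(log_text: str) -> List[str]:
    """Collapse all denials into one allow rule per (source, target, class)."""
    merged: Dict[tuple, set] = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    return [f"allow {src} {tgt}:{cls} {_perm_set(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


def te_module(name: str, log_text: str) -> str:
    """Wrap the rules in policy-module source with the require block that
    checkmodule needs (every type, and every class/permission pair used)."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    types = sorted({r["source_type"] for r in recs} | {r["target_type"] for r in recs})
    class_perms: Dict[str, set] = {}
    for r in recs:
        class_perms.setdefault(r["tclass"], set()).update(r["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {_perm_set(perms)};" for cls, perms in sorted(class_perms.items())]
    out += ["}", ""] + allow_rules(log_text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # "freeipa_otp_kdc" is a placeholder module name.
    print(te_module("freeipa_otp_kdc", SAMPLE_AVC))
```

On the sample input `allow_rules` yields the same two rules the mail lists, in the same order. In practice the input would be the output of `ausearch -m AVC`, and the generated `.te` is built and loaded with `checkmodule -M -m -o mod.mod mod.te`, `semodule_package -o mod.pp -m mod.mod` and `semodule -i mod.pp`. Before loading such a module it is worth asking whether each rule is the right fix: the first denial shows krb5kdc writing a `sock_file` labelled `krb5kdc_conf_t` under `/var/kerberos/krb5kdc/`, which may point at a file-context (labelling) problem for that socket rather than a missing permission, and a label fix is narrower than an allow rule.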
From cc82cbb2c917467dd3b258e2d959032a408464cc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab samba org>
Date: Mon, 23 Dec 2013 00:30:41 +0200
Subject: [PATCH 16/16] OTP UI: use otptoken handle since the IPA commands are
 otptoken-*

---
 install/ui/src/freeipa/navigation/menu_spec.js |  6 +++---
 install/ui/src/freeipa/otp.js                  | 10 +++++-----
 ipalib/plugins/internal.py                     |  2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index fe57b96..0e206b8 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -57,7 +57,7 @@ var nav = {};
                 },
                 { entity: 'cert', label: '@i18n:tabs.cert' },
                 { entity: 'realmdomains' },
-                { entity: 'otp' }
+                { entity: 'otptoken' }
             ]
         },
         {name: 'policy', label: '@i18n:tabs.policy', children: [
@@ -151,11 +151,11 @@ nav.self_service = {
             label: '@i18n:tabs.identity',
             children: [
                 { entity: 'user' },
-                { entity: 'otp' }
+                { entity: 'otptoken' }
             ]
         }
     ]
 };
 
 return nav;
-});
\ No newline at end of file
+});
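Review bot: the `-});` / `+});` pair with the "No newline at end of file" marker at the end of this hunk is only a missing-newline-at-EOF fix and has nothing to do with the `otp` to `otptoken` rename; it is harmless, but either mention it in the commit message or move it to a separate whitespace commit so the rename diff stays minimal.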
diff --git a/install/ui/src/freeipa/otp.js b/install/ui/src/freeipa/otp.js
index a1e1cbd..65509e6 100644
--- a/install/ui/src/freeipa/otp.js
+++ b/install/ui/src/freeipa/otp.js
@@ -35,11 +35,11 @@ define([
  * @class
  * @singleton
  */
-var otp = {};
+var otp = IPA.otptoken = {};
 
 var make_spec = function() {
 return {
-    name: 'otp',
+    name: 'otptoken',
     enable_test: function() {
         return true;
     },
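Review bot: `var otp = IPA.otptoken = {};` now also publishes the module on the `IPA` namespace, which the previous `var otp = {};` did not. The `define([` dependency list is outside the hunk, so confirm that `IPA` is actually one of this module's injected dependencies (otherwise this is a write to an undeclared global), and say in the commit message why the alias is needed, given that the entity is also registered by type name through `reg.entity` further down the file.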
@@ -128,7 +128,7 @@ return {
             sections: [
                 {
                     name: 'details',
-                    label: '@i18n:objects.otp.details',
+                    label: '@i18n:objects.otptoken.details',
                     fields: [
                         'ipatokenuniqueid',
 //                         'type', // always totop
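Review bot: the label key change is consistent with the `internal.py` hunk that moves the messages under `otptoken`. While touching these lines, the commented-out context line `//                         'type', // always totop` has a typo: `totop` should read `totp`.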
@@ -421,11 +421,11 @@ otp.spec = make_spec();
 otp.register = function() {
     var e = reg.entity;
     var w = reg.widget;
-    e.register({type: 'otp', spec: otp.spec});
+    e.register({type: 'otptoken', spec: otp.spec});
     w.register('qrcode', otp.qr_widget);
 };
 
 phases.on('registration', otp.register);
 
 return otp;
-});
\ No newline at end of file
+});
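Review bot: once the i18n block in `internal.py` is keyed `otptoken`, any `@i18n:objects.otp.` reference still left in this file would resolve to no text without an error; only the `details` label is renamed in this patch, so grep `otp.js` for `objects.otp.` before merging. The `-});` / `+});` change at the end of the hunk is only a newline-at-EOF fix unrelated to the rename.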
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 8135086..6ac5c7f 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -497,7 +497,7 @@ class i18n_messages(Command):
                 "usergroups": _("User Groups"),
                 "users": _("Users"),
             },
-            "otp": {
+            "otptoken": {
                 "details": "OTP Token Settings",
             },
             "permission": {
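Review bot: `"details": "OTP Token Settings"` is a bare string, whereas the neighbouring entries in this dictionary are wrapped in `_()` (e.g. `"users": _("Users")`), so the new label will not be extracted for translation; since the adjacent key line is being changed anyway, make it `"details": _("OTP Token Settings"),`.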
-- 
1.8.4.2

