[Freeipa-devel] FreeIPA OTP End-to-End

Simo Sorce simo at redhat.com
Mon Dec 23 15:11:27 UTC 2013


On Mon, 2013-12-23 at 04:54 -0500, Alexander Bokovoy wrote:
> 
> ----- Original Message -----
> > From: "Dmitri Pal" <dpal at redhat.com>
> > To: freeipa-devel at redhat.com
> > Sent: Saturday, December 14, 2013 12:45:28 AM
> > Subject: Re: [Freeipa-devel] FreeIPA OTP End-to-End
> > 
> > On 12/13/2013 03:57 PM, Nathaniel McCallum wrote:
> > > This is an email to track the status of the OTP project as we push
> > > toward completion. I'm also attempting to get all the pieces in play so
> > > that they are testable.
> > >
> > > RPMs
> > > Available here: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/
> > > These currently contain the CLI and UI patches, but exclude the DS
> > > plugin patch. I will merge this last patch in when submitted to the
> > > list.
> > >
> > > OTP CLI
> > > All of the patches are merged except npmccallum-0024, which is
> > > undergoing active review.
> > > https://www.redhat.com/archives/freeipa-devel/2013-December/msg00102.html
> > >
> > > OTP UI
> > > Thanks to Petr Vobornik for his set of patches implementing the UI. They
> > > can be found rebased on top of my otp changes here:
> > > https://github.com/npmccallum/freeipa/commits/otpui
> > >
> > > Authentication methods and RADIUS proxy support seems to be fully
> > > functional and I have not encountered any bugs. I'm not currently able
> > > to get the OTP UI to show up at all (I may well be doing something
> > > wrong).
> > >
> > > I believe Petr plans to clean these up and resubmit them to the list.
> > >
> > > One additional patch will be required for the token sync extop.
> > >
> > > DS PLUGIN
> > > I am nearing completion on the DS plugin providing support for deletion
> > > protection and the token sync extop. This should hit the list next week.
> > >
> > > OTHER
> > > Am I missing anything?
> > 
> > Did you update the wiki page? I think it was one of the outstanding items.
> > Any unit tests?
> > Any way to include some tests for Continuous Integration?
> > Anything SELinux related?
> > Default configuration of locations and names of sockets and files?
> > Things like that.
> I've fixed Web UI and have it working now. Patch attached.
> 
> Additionally, there are two AVCs that need to be fixed on Fedora 20:
> 
> type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
> type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> 
> they are fixed with following rules:
> 
> allow krb5kdc_t init_t:unix_stream_socket connectto;

Shouldn't systemd assign a different label to the socket instead ?

> allow krb5kdc_t krb5kdc_conf_t:sock_file write;

Is krb5kdc_conf_t actually the right label ? Doesn't look like.

> We need to fix documentation now that the command set is called otptoken-*,
> also help messages in ipalib/plugins/otptoken.py need update.
> 
> When both password and otp are enabled for the user, only a password authentication is working.
> 
> What does not yet work is end-to-end kinit without armoured ccache. 

Isn't this by design ? We can only trust OTP to send clear text
credentials if you can use FAST and encrypt the channel.

> This also is the case for PAM-based logins through SSSD.

Do you have FAST enabled in SSSD ?

> Armoured ccache works:
> [root at master ~]# kinit -k
> [root at master ~]# klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_vTaHGz9
> Default principal: host/master.ipa.test at IPA.TEST
> 
> Valid starting       Expires              Service principal
> 12/23/2013 11:40:02  12/24/2013 11:40:02  krbtgt/IPA.TEST at IPA.TEST
> [root at master ~]# kinit -T KEYRING:persistent:0:krb_ccache_vTaHGz9 ab at IPA.TEST
> Enter OTP Token Value: 
> [root at master ~]# klist
> Ticket cache: KEYRING:persistent:0:0
> Default principal: ab at IPA.TEST
> 
> Valid starting       Expires              Service principal
> 12/23/2013 11:40:59  12/24/2013 11:40:45  krbtgt/IPA.TEST at IPA.TEST
> 
> What I would like to see is either automated armouring or use of fully anonymous principal for armouring. 

Automated cannot be done if you are a regular user unless PKINIT is
configured on the KDC. Unfortunately although I did 90% of the work to
enable pkinit by default years ago, we never merged it in because we
cannot yet generate the required profile to release the certificate to
the KDC.

> We have PKI anchors set by default for all FreeIPA clients already, so making possible to obtain a ticket
> as a WELLKNOWN/ANONYMOUS at REALM principal purely for armouring would be great. 
> 
> Additionally, FreeOTP QR-code capture seems to treat Galaxy S4 mini's camera wrongly,
> I see the viewfinder mirrored -- up is down and left is right. This makes it almost impossible
> to focus on the QR code in web UI.

Time to open a bug on https://fedorahosted.org/freeotp :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
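The two AVC records quoted above are the kind of input one would normally feed to audit2allow; the following is an added example (not FreeIPA code, not audit2allow, and not posted by anyone in the thread) that parses such records, merges them into `allow` statements, and flags the case Simo raises: a socket object that ended up with a config-file type such as krb5kdc_conf_t, where a file-context fix for the socket path is the better remedy than an allow rule. The sample log is constructed from the quoted records (re-joined onto one line each) plus one unrelated SYSCALL record; the "_conf_t on a socket class" heuristic in `likely_mislabel` is an assumption of this example, not an SELinux rule.

```python
import re

# Constructed sample input: the two AVC records quoted in the thread, re-joined
# onto one line each (the mailing list wrapped them), plus one unrelated
# SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { write } for  pid=3361 comm="krb5kdc" name="DEFAULT.socket" dev="dm-0" ino=276499 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:object_r:krb5kdc_conf_t:s0 tclass=sock_file
type=AVC msg=audit(1387751773.915:1221): avc:  denied  { connectto } for  pid=3361 comm="krb5kdc" path="/var/kerberos/krb5kdc/DEFAULT.socket" scontext=system_u:system_r:krb5kdc_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1387751773.915:1221): arch=c000003e syscall=42 success=no exit=-13 comm="krb5kdc"
"""

# Shape of an AVC denial: 'avc:  denied  { perm perm } for  key=value key="quoted" ...'
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SOCKET_CLASSES = {"sock_file", "unix_stream_socket", "unix_dgram_socket"}


def context_type(context):
    """Return the type field of an SELinux context (user:role:type[:level])."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            raise ValueError("AVC record missing %s: %r" % (required, line))
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        # sock_file denials carry name=, socket denials carry path=
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """Parse every AVC denial in an audit log, skipping other record types."""
    records = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            records.append(rec)
    return records


def allow_rules(records):
    """Collapse denials into 'allow src tgt:class perms;' statements, merging
    permissions that share the same (source type, target type, class) triple."""
    merged = {}
    for rec in records:
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        merged.setdefault(key, set()).update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ %s }" % " ".join(ordered)
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_text))
    return rules


def likely_mislabel(rec):
    """Heuristic (an assumption of this example, not an SELinux rule): a socket
    object carrying a *_conf_t or *_etc_t type was almost certainly labelled
    after the directory it was created in, so a file-context rule for the
    socket path is the right fix rather than an allow rule."""
    return rec["tclass"] in SOCKET_CLASSES and (
        rec["ttype"].endswith("_conf_t") or rec["ttype"].endswith("_etc_t"))


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for rec in recs:
        if likely_mislabel(rec):
            print("# check label of %s: %s on a %s"
                  % (rec["target"], rec["ttype"], rec["tclass"]))
```

Run against the sample, the script prints exactly the two allow rules quoted in the thread and then a warning for the sock_file record, because DEFAULT.socket was created under /var/kerberos/krb5kdc and inherited krb5kdc_conf_t from the directory; that warning is the cue to look at the socket's file context (or, as Simo suggests, at what systemd labels it) before writing a policy module that allows writes to config-typed objects.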