On Thu, Apr 01, 2021 at 01:50:40PM +0300, Alexander Bokovoy wrote:
This split of fields in FreeIPA Web UI exists since FreeIPA 4.0 which
was part of early RHEL 7 deliveries (the code for separate OTP field was
added in 2014).
There is nothing specific about it -- Noggin developers simply missed
this part, as well as they missed OTP token synchronization
functionality.
Odd. I am looking at our "RED HAT IDENTITY MANAGEMENT" web interface and
it has a Username and a Password field and the Password field has
"Password or Password + One Time Password" in it.
...snip...
It is supported. We don't expose DNS URI record for
_kpasswd.fedoraproject.org but if you'd add 'kpasswd_server' to
/etc/krb5.conf.d/fedoraproject_org with the same value as 'kdc', it will
allow you to change the password:
[934873] 1617273694.628547: Sending DNS URI query for _kpasswd.FEDORAPROJECT.ORG.
[934873] 1617273694.628548: No URI records found
...
[modify fedoraproject_org snippet]
...
$ cat /etc/krb5.conf.d/fedoraproject_org
[realms]
  FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
    pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
    kpasswd_server = https://id.fedoraproject.org/KdcProxy
  }

[domain_realm]
  .fedoraproject.org = FEDORAPROJECT.ORG
  fedoraproject.org = FEDORAPROJECT.ORG
$ KRB5_TRACE=/dev/stderr kpasswd abbra(a)FEDORAPROJECT.ORG
...
Enter OTP Token Value: ...
Enter new password:
Enter it again:
[935146] 1617273825.195267: Creating authenticator for abbra(a)FEDORAPROJECT.ORG -> kadmin/changepw(a)FEDORAPROJECT.ORG, seqnum 0, subkey aes256-cts/9584, session key aes256-cts/4F2B
[935146] 1617273825.195269: Resolving hostname id.fedoraproject.org
[935146] 1617273825.195270: TLS certificate name matched "id.fedoraproject.org"
[935146] 1617273825.195271: Sending HTTPS request to https 8.43.85.67:443
[935146] 1617273825.195272: Received answer (236 bytes) from https 8.43.85.67:443
[935146] 1617273825.195273: Terminating TCP connection to https 8.43.85.67:443
[935146] 1617273825.195274: Read AP-REP, time 1617273825.195268, subkey aes256-cts/9584, seqnum 834862168
Password changed.
Note that in 'kpasswd' and 'kinit' utilities you have to concatenate
password and OTP token value in the same string, unfortunately, because
these utilities don't use prompting facilities available in MIT Kerberos
library. SSSD does use them, so it is possible to change password
through SSSD with separate prompts.
Improving the 'kpasswd' and 'kinit' utilities is on my todo list as I'll
need this for other use cases as well.
Cool. I'll investigate if we want to make this case easier.
Thanks for the info!
kevin
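The manual fix described in the thread (copy the realm's 'kdc' value into a 'kpasswd_server' entry because no _kpasswd DNS URI record is published) is easy to get wrong by hand across several machines. The script below is an added example, not code from this thread, from FreeIPA or from MIT Kerberos: it takes a krb5.conf.d realm snippet and emits it with 'kpasswd_server = <kdc value>' inserted into the named realm's block when that block has a 'kdc' line but no 'kpasswd_server' line, and leaves an already-correct snippet untouched. The sample snippet, the realm name and the temporary-file handling are assumptions made for the demonstration; the KRB5_TRACE check shown earlier in the thread is still the way to confirm the change against the real KDC proxy.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or MIT Kerberos): make sure a
# krb5.conf.d realm snippet carries a kpasswd_server entry equal to its kdc
# entry, so kpasswd works where no _kpasswd DNS URI record is published.
# Realm name, snippet contents and file paths below are assumptions.

# ensure_kpasswd_server FILE REALM
# Print FILE with "kpasswd_server = <kdc value>" added to REALM's block when
# that block has a kdc line but no kpasswd_server line; otherwise print FILE
# unchanged. FILE itself is not modified; redirect the output to apply it.
ensure_kpasswd_server() {
    awk -v realm="$2" '
        # "REALM = {" opens the block we care about
        $1 == realm && $2 == "=" && $3 == "{" { inblock = 1 }
        # remember the kdc value and the indentation used for it
        inblock && $1 == "kdc" && $2 == "=" {
            kdc = $3
            match($0, /^[ \t]*/); indent = substr($0, 1, RLENGTH)
        }
        inblock && $1 == "kpasswd_server" { have = 1 }
        # at the closing brace, emit the missing line before printing "}"
        inblock && $1 == "}" {
            if (kdc != "" && !have) print indent "kpasswd_server = " kdc
            inblock = 0; have = 0; kdc = ""
        }
        { print }
    ' "$1"
}

# kpasswd_server_count FILE
# Number of kpasswd_server lines in FILE (0 when none), for before/after checks.
kpasswd_server_count() {
    grep -c '^[[:space:]]*kpasswd_server[[:space:]]*=' "$1" || true
}

# Constructed sample modelled on the snippet in the thread, minus the
# kpasswd_server line that the thread says has to be added by hand.
SAMPLE_SNIPPET='[realms]
  FEDORAPROJECT.ORG = {
    kdc = https://id.fedoraproject.org/KdcProxy
    pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
  }

[domain_realm]
  .fedoraproject.org = FEDORAPROJECT.ORG
  fedoraproject.org = FEDORAPROJECT.ORG'

# Demo: write the sample to a temporary file and print the corrected snippet.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SNIPPET" > "$demo_file"
ensure_kpasswd_server "$demo_file" FEDORAPROJECT.ORG
rm -f "$demo_file"
```

To apply it to the real snippet, run something like `ensure_kpasswd_server /etc/krb5.conf.d/fedoraproject_org FEDORAPROJECT.ORG > /tmp/fedoraproject_org.new`, inspect the result, move it into place, and then repeat the `KRB5_TRACE=/dev/stderr kpasswd ...` run from the thread: the trace should show the HTTPS request to the KDC proxy and end with "Password changed." rather than a failed _kpasswd URI lookup.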