On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> I was wondering what the purpose of 'ipa user-mod
> --auth-user-type=hardened' was. In the web UI the option is labelled
> "Hardened Password (by SPAKE or FAST)".
> What I found (by setting KRB5_TRACE=/dev/stderr) was that without
> setting this option, kinit already opportunistically uses SPAKE:
Have you read
https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html
and
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
?
They need a bit of an update to cover the existence of the pam_sss_gss.so
module, but they give most of the details we have so far.
> $ kinit
> [..]
> [1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [1503880] 1639651033.064874: Preauthenticating using KDC method data
> [1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
> (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2),
> PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
> [1503880] 1639651033.064876: Selected etype info: etype aes256-cts, salt "xxx",
> params ""
> [1503880] 1639651033.064877: Received cookie: xxx
> [1503880] 1639651033.064878: PKINIT client has no configured identity; giving up
> [1503880] 1639651033.064879: Preauth module pkinit (147) (info) returned: 0/Success
> [1503880] 1639651033.064880: PKINIT client received freshness token from KDC
> [1503880] 1639651033.064881: Preauth module pkinit (150) (info) returned: 0/Success
> [1503880] 1639651033.064882: PKINIT client has no configured identity; giving up
> [1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned: 22/Invalid
> argument
> [1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
> Password for user@IPA.EXAMPLE.QQ': ^C
> [1503880] 1639651047.197022: Preauth module spake (151) (real) returned:
> -1765328252/Password read interrupted
> kinit: Password read interrupted while getting initial credentials
> So far so good.
> The client can be forced to do so by setting
> 'disable_encrypted_timestamp = true' for the realm in krb5.conf. But
> krb5.conf(5) remarks, "This flag does not prevent the KDC from offering
> encrypted timestamp."
> It seems like the 'ipa user-mod --auth-user-type=hardened' might be a
> way to enforce the use of SPAKE/FAST on the server side, but once that
> is set on a user, the client doesn't seem to use SPAKE, it just gives
> up:
> $ kinit
> [...]
> [1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [1504024] 1639651111.830021: Preauthenticating using KDC method data
> [1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
> (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
> [1504024] 1639651111.830023: Received cookie: xxx
> [1504024] 1639651111.830024: PKINIT client has no configured identity; giving up
> [1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 0/Success
> [1504024] 1639651111.830026: PKINIT client received freshness token from KDC
> [1504024] 1639651111.830027: Preauth module pkinit (150) (info) returned: 0/Success
> [1504024] 1639651111.830028: PKINIT client has no configured identity; giving up
> [1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid
> argument
> kinit: Pre-authentication failed: Invalid argument while getting initial credentials
> The 'hardened' option also seems to break FAST:
> $ kinit -c /tmp/blah -n && kinit -T /tmp/blah
> [...]
> [1504775] 1639652353.929814: Using FAST due to armor ccache negotiation result
> [1504775] 1639652353.929815: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
> -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ using ccache FILE:/tmp/blah
> [1504775] 1639652353.929816: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ from FILE:/tmp/blah with result: 0/Success
> [1504775] 1639652353.929817: Armor ccache sesion key: aes256-cts/0286
> [1504775] 1639652353.929819: Creating authenticator for
> WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ ,
> seqnum 0, subkey aes256-cts/12F1, session key aes256-cts/0286
> [1504775] 1639652353.929821: FAST armor key: aes256-cts/0BB2
> [1504775] 1639652353.929823: Sending unauthenticated request
> [1504775] 1639652353.929824: Encoding request body and padata into FAST request
> [...]
> [1504775] 1639652353.929829: Received error from KDC: -1765328359/Additional
> pre-authentication required
> [1504775] 1639652353.929830: Decoding FAST response
> [1504775] 1639652353.929833: Preauthenticating using KDC method data
> [1504775] 1639652353.929834: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
> (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
> [1504775] 1639652353.929835: Received cookie: MIT
> [1504775] 1639652353.929836: PKINIT client has no configured identity; giving up
> [1504775] 1639652353.929837: Preauth module pkinit (147) (info) returned: 0/Success
> [1504775] 1639652353.929838: PKINIT client received freshness token from KDC
> [1504775] 1639652353.929839: Preauth module pkinit (150) (info) returned: 0/Success
> [1504775] 1639652353.929840: PKINIT client has no configured identity; giving up
> [1504775] 1639652353.929841: Preauth module pkinit (16) (real) returned: 22/Invalid
> argument
> kinit: Pre-authentication failed: Invalid argument while getting initial credentials
> Documentation for the meaning of the hardened setting is a bit thin... can anyone fill me
> in?
It should mostly be used as an indicator that something better than
timestamp encryption was used. The idea is not to enforce it on a user
principal but rather to allow applications like pam_sss_gss.so to detect
that a hardened or pkinit preauthentication mechanism was in use when
deciding whether this ticket is 'good enough'.
We need to improve around this area, of course.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
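The traces quoted in the thread show what the KDC offered and where the client stopped, but reading them by eye does not say directly whether a hardened mechanism (SPAKE, FAST, PKINIT) or the plain encrypted timestamp actually completed. The following is an added example, not FreeIPA or MIT krb5 code: a small Python audit script that re-joins mail-wrapped KRB5_TRACE records, lists the preauth types the KDC offered, and reports which 'real' preauth module succeeded. The two sample traces are constructed after the ones Sam posted; the successful SPAKE completion line is an assumption modelled on MIT krb5's "Preauth module ... returned:" trace format and does not appear in the thread.

```python
"""Audit a KRB5_TRACE log from kinit: which preauth types the KDC offered,
whether SPAKE or FAST was negotiated, and whether the weak encrypted
timestamp mechanism was still on offer.  Added example for this thread, not
FreeIPA or MIT krb5 code."""
import re
import sys

# Preauth type numbers as printed in "Processing preauth types:" records.
PA_ENC_TIMESTAMP = 2
PA_PK_AS_REQ = 16
PA_FX_FAST = 136
PA_SPAKE = 151
HARDENED_PA_TYPES = {PA_PK_AS_REQ, PA_FX_FAST, PA_SPAKE}

RECORD_RE = re.compile(r"^\[\d+\] \d+\.\d+: ")
PA_TYPE_RE = re.compile(r"(PA[-_][A-Z0-9_-]+) \((\d+)\)")
MODULE_RE = re.compile(r"Preauth module (\w+) \((\d+)\) \((real|info)\) returned: (-?\d+)/(.*)")
SPAKE_RE = re.compile(r"SPAKE challenge received with group (\d+)")


def unwrap(lines):
    """Re-join trace records that a mail client wrapped onto several lines.
    A record starts with "[pid] timestamp:", a shell prompt, a kinit message
    or a password prompt; any other line continues the previous record."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        if not line.strip():
            continue
        starts_record = RECORD_RE.match(line) or line.startswith(("$ ", "kinit:", "Password for"))
        if starts_record or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def audit_trace(lines):
    """Return a dict describing the preauth negotiation seen in the trace."""
    report = {
        "offered": {},           # pa type number -> name, as offered by the KDC
        "spake_group": None,     # SPAKE group if a challenge was received
        "fast_armor": False,     # True if the client armored the exchange with FAST
        "completed_with": None,  # pa type number of the 'real' module that returned Success
        "error": None,           # final kinit error message, if any
    }
    for rec in unwrap(lines):
        if "Processing preauth types:" in rec:
            for name, num in PA_TYPE_RE.findall(rec):
                report["offered"][int(num)] = name
        elif "Using FAST due to" in rec:
            report["fast_armor"] = True
        m = SPAKE_RE.search(rec)
        if m:
            report["spake_group"] = int(m.group(1))
        m = MODULE_RE.search(rec)
        if m and m.group(3) == "real" and m.group(4) == "0":
            report["completed_with"] = int(m.group(2))
        if rec.startswith("kinit: "):
            report["error"] = rec[len("kinit: "):]
    return report


def weak_offered(report):
    """True if the KDC still offered encrypted timestamp to this principal."""
    return PA_ENC_TIMESTAMP in report["offered"]


def classify(report):
    """Summarise the outcome: which kind of mechanism the client completed."""
    if report["completed_with"] in HARDENED_PA_TYPES:
        return "hardened"
    if report["completed_with"] == PA_ENC_TIMESTAMP:
        return "encrypted-timestamp"  # weak even when FAST-armored; check fast_armor
    if report["error"]:
        return "failed"
    return "incomplete"


# Constructed sample: the first trace from the thread, with the password
# entered and an assumed "spake ... returned: 0/Success" completion line.
SPAKE_OK_TRACE = """\
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional
pre-authentication required
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2),
PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
Password for user@IPA.EXAMPLE.QQ:
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned: 0/Success
""".splitlines()

# Constructed sample: the 'hardened' user trace from the thread (no SPAKE or
# encrypted timestamp offered; the client has no PKINIT identity and gives up).
HARDENED_FAIL_TRACE = """\
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional pre-authentication required
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830024: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 0/Success
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
""".splitlines()


def main():
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:  # e.g. KRB5_TRACE=/tmp/trace.log kinit
            samples = {sys.argv[1]: fh.read().splitlines()}
    else:
        samples = {"spake-ok": SPAKE_OK_TRACE, "hardened-fail": HARDENED_FAIL_TRACE}
    for name, lines in samples.items():
        r = audit_trace(lines)
        offered = ", ".join(f"{n} ({k})" for k, n in sorted(r["offered"].items()))
        print(f"{name}: {classify(r)}; FAST armor={r['fast_armor']}; "
              f"SPAKE group={r['spake_group']}; weak offered={weak_offered(r)}")
        print(f"  offered: {offered}")
        if r["error"]:
            print(f"  error: {r['error']}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the two built-in samples, or point it at a file captured with `KRB5_TRACE=/path/to/trace.log kinit`. On the first sample it reports a hardened outcome while also flagging that encrypted timestamp was still offered, which is exactly the gap 'disable_encrypted_timestamp' on the client cannot close; on the second it shows that the KDC offered neither PA-SPAKE nor PA-ENC-TIMESTAMP and the client failed without completing any mechanism.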