On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote:
> On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> > I was wondering what the purpose of 'ipa user-mod
> > --auth-user-type=hardened' was. In the web UI the option is
> > labelled
> > "Hardened Password (by SPAKE or FAST)".
> >
> > What I found (by setting KRB5_TRACE=/dev/stderr) was that without
> > setting this option, kinit already opportunistically uses SPAKE:
> Have you read
> https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html
> and
> https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
> ?
> They need a bit of an update to cover the existence of the pam_sss_gss.so
> module, but they give most of the details we have so far.
As I understand it, this allows tickets with the hardened indicator to
have a longer lifetime, and allows services to be configured to require
the presence of an indicator in the service ticket presented by the
user.
And as you say, the pam_sss_gss module can also be configured to require
the presence of an indicator before it'll accept the user's ticket.
But I don't see the link with ipa user-mod --auth-user-type=hardened...
in my case it just seems to make it impossible to log in as the user at
all...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
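The pam_sss_gss behaviour described in the message above (accepting a user's ticket only when it carries a given authentication indicator) is set in the `[pam]` section of sssd.conf. The fragment below is an added example, not configuration from the thread or from the FreeIPA project; the PAM service names (sudo, sudo-i) and the choice of the "hardened" indicator are assumptions for illustration.

```ini
# /etc/sssd/sssd.conf -- added example, not from the original thread.
# pam_sss_gss.so will only accept a Kerberos ticket for the listed PAM
# services when the ticket's authentication indicators include "hardened";
# a ticket obtained without the indicator is rejected and PAM falls through
# to the next module (e.g. a password prompt).
[pam]
pam_gssapi_services = sudo, sudo-i
pam_gssapi_indicators_map = sudo:hardened, sudo-i:hardened
```

With no `pam_gssapi_indicators_map` entry, pam_sss_gss accepts any valid ticket for the listed services regardless of how the user authenticated.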