I was wondering what the purpose of 'ipa user-mod --auth-user-type=hardened' was.
In the web UI the option is labelled "Hardened Password (by SPAKE or FAST)".
What I found (by setting KRB5_TRACE=/dev/stderr) was that without setting this option,
kinit already opportunistically uses SPAKE:
$ kinit
[..]
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional
pre-authentication required
[1503880] 1639651033.064874: Preauthenticating using KDC method data
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2),
PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064876: Selected etype info: etype aes256-cts, salt "xxx",
params ""
[1503880] 1639651033.064877: Received cookie: xxx
[1503880] 1639651033.064878: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064879: Preauth module pkinit (147) (info) returned: 0/Success
[1503880] 1639651033.064880: PKINIT client received freshness token from KDC
[1503880] 1639651033.064881: Preauth module pkinit (150) (info) returned: 0/Success
[1503880] 1639651033.064882: PKINIT client has no configured identity; giving up
[1503880] 1639651033.064883: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
Password for user@IPA.EXAMPLE.QQ': ^C
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned:
-1765328252/Password read interrupted
kinit: Password read interrupted while getting initial credentials
So far so good.
The client can be forced to do so by setting 'disable_encrypted_timestamp = true'
for the realm in krb5.conf. But krb5.conf(5) remarks, "This flag does not prevent the
KDC from offering encrypted timestamp."
It seems like the 'ipa user-mod --auth-user-type=hardened' might be a way to
enforce the use of SPAKE/FAST on the server side, but once that is set on a user, the
client doesn't seem to use SPAKE, it just gives up:
$ kinit
[...]
[1504024] 1639651111.830018: Received error from KDC: -1765328359/Additional
pre-authentication required
[1504024] 1639651111.830021: Preauthenticating using KDC method data
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830023: Received cookie: xxx
[1504024] 1639651111.830024: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830025: Preauth module pkinit (147) (info) returned: 0/Success
[1504024] 1639651111.830026: PKINIT client received freshness token from KDC
[1504024] 1639651111.830027: Preauth module pkinit (150) (info) returned: 0/Success
[1504024] 1639651111.830028: PKINIT client has no configured identity; giving up
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
The 'hardened' option also seems to break FAST:
$ kinit -c /tmp/blah -n && kinit -T /tmp/blah
[...]
[1504775] 1639652353.929814: Using FAST due to armor ccache negotiation result
[1504775] 1639652353.929815: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
-> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ using ccache FILE:/tmp/blah
[1504775] 1639652353.929816: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS ->
krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ from FILE:/tmp/blah with result: 0/Success
[1504775] 1639652353.929817: Armor ccache sesion key: aes256-cts/0286
[1504775] 1639652353.929819: Creating authenticator for
WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/IPA.EXAMPLE.QQ@IPA.EXAMPLE.QQ ,
seqnum 0, subkey aes256-cts/12F1, session key aes256-cts/0286
[1504775] 1639652353.929821: FAST armor key: aes256-cts/0BB2
[1504775] 1639652353.929823: Sending unauthenticated request
[1504775] 1639652353.929824: Encoding request body and padata into FAST request
[...]
[1504775] 1639652353.929829: Received error from KDC: -1765328359/Additional
pre-authentication required
[1504775] 1639652353.929830: Decoding FAST response
[1504775] 1639652353.929833: Preauthenticating using KDC method data
[1504775] 1639652353.929834: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[1504775] 1639652353.929835: Received cookie: MIT
[1504775] 1639652353.929836: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929837: Preauth module pkinit (147) (info) returned: 0/Success
[1504775] 1639652353.929838: PKINIT client received freshness token from KDC
[1504775] 1639652353.929839: Preauth module pkinit (150) (info) returned: 0/Success
[1504775] 1639652353.929840: PKINIT client has no configured identity; giving up
[1504775] 1639652353.929841: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
Documentation for the meaning of the hardened setting is a bit thin... can anyone fill me in?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
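The comparison above boils down to reading the "Processing preauth types" line of each KRB5_TRACE run and checking whether the KDC offered PA-ENC-TIMESTAMP (2) and PA-SPAKE (151), and whether the client then actually reached the SPAKE exchange or derived a FAST armor key. The following Python script is an added example, not part of this post nor of FreeIPA or MIT krb5: it rejoins mailer-wrapped trace lines, extracts the offered pre-authentication types and the per-module results, and reports defender-relevant findings. The sample traces are constructed by abbreviating the three runs quoted in the post; the function and constant names (`summarise`, `assess`, `TraceSummary`, `join_wrapped`) are this example's own.

```python
"""Summarise which pre-authentication mechanisms a KDC offered, from KRB5_TRACE output.

Added example; the parsing heuristics and names here are this script's own, not krb5's.
"""
import re
from dataclasses import dataclass, field

# Pre-authentication type numbers exactly as kinit prints them (IANA Kerberos pa-type registry).
PA_ENC_TIMESTAMP = 2
PA_FX_FAST = 136
PA_SPAKE = 151

_TRACE_LINE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")      # [pid] seconds.usecs: message
_PA_TYPE = re.compile(r"([A-Z][A-Z0-9_-]*)\s*\((\d+)\)")             # NAME (number)
_MODULE = re.compile(r"Preauth module (\w+) \((\d+)\) \(\w+\) returned: (-?\d+)/(.*)")


@dataclass
class TraceSummary:
    offered: dict = field(default_factory=dict)   # pa-type number -> name, from "Processing preauth types"
    spake_challenge: bool = False                 # client received a SPAKE challenge
    fast_armor: bool = False                      # client derived a FAST armor key
    modules: list = field(default_factory=list)   # (module, pa-type, result text) per "Preauth module" line
    final: str = ""                               # kinit's final message, if any


def _starts_record(line):
    """A new record is a trace line, a kinit message, a shell prompt, an ellipsis marker or a prompt."""
    return bool(_TRACE_LINE.match(line)) or line.startswith(("kinit:", "$ ", "[", "Password for"))


def join_wrapped(text):
    """Rejoin trace lines that a mailer wrapped at ~80 columns (continuations never start a record)."""
    lines = []
    for raw in text.splitlines():
        if _starts_record(raw) or not lines:
            lines.append(raw.rstrip())
        elif raw.strip():
            lines[-1] += " " + raw.strip()
    return lines


def summarise(text):
    """Parse KRB5_TRACE output (possibly line-wrapped) into a TraceSummary."""
    s = TraceSummary()
    for line in join_wrapped(text):
        if line.startswith("kinit:"):
            s.final = line[len("kinit:"):].strip()
            continue
        m = _TRACE_LINE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("Processing preauth types:"):
            for name, num in _PA_TYPE.findall(msg):
                s.offered[int(num)] = name
        elif msg.startswith("SPAKE challenge received"):
            s.spake_challenge = True
        elif msg.startswith("FAST armor key:"):
            s.fast_armor = True
        else:
            mm = _MODULE.match(msg)
            if mm:
                s.modules.append((mm.group(1), int(mm.group(2)), mm.group(4)))
    return s


def assess(s):
    """Defender-facing findings: what the KDC offered and what the client actually used."""
    findings = []
    if PA_ENC_TIMESTAMP in s.offered:
        findings.append("KDC still offers encrypted timestamp (PA-ENC-TIMESTAMP); a client that "
                        "falls back to it exposes a password-derived key to offline guessing")
    if PA_SPAKE in s.offered and s.spake_challenge:
        findings.append("SPAKE negotiated")
    elif PA_SPAKE in s.offered:
        findings.append("SPAKE offered but client did not reach the SPAKE exchange")
    if s.fast_armor:
        findings.append("FAST armor in use")
    if not (set(s.offered) & {PA_ENC_TIMESTAMP, PA_SPAKE}):
        findings.append("KDC offered no password-based preauth; only PKINIT/FAST/cookie types")
    return findings


# Constructed samples, abbreviated from the three runs quoted in the post (wrapping kept on purpose).
SAMPLE_DEFAULT = """\
[1503880] 1639651033.064871: Received error from KDC: -1765328359/Additional
pre-authentication required
[1503880] 1639651033.064875: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENC-TIMESTAMP (2),
PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1503880] 1639651033.064884: SPAKE challenge received with group 1, pubkey xxx
Password for user@IPA.EXAMPLE.QQ: ^C
[1503880] 1639651047.197022: Preauth module spake (151) (real) returned:
-1765328252/Password read interrupted
kinit: Password read interrupted while getting initial credentials
"""

SAMPLE_HARDENED = """\
[1504024] 1639651111.830022: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1504024] 1639651111.830029: Preauth module pkinit (16) (real) returned: 22/Invalid
argument
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
"""

SAMPLE_HARDENED_FAST = """\
[1504775] 1639652353.929821: FAST armor key: aes256-cts/0BB2
[1504775] 1639652353.929834: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST
(136), PA-PKINIT-KX (147), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
kinit: Pre-authentication failed: Invalid argument while getting initial credentials
"""

if __name__ == "__main__":
    for label, trace in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED),
                         ("hardened+FAST", SAMPLE_HARDENED_FAST)):
        s = summarise(trace)
        print(label, sorted(s.offered), s.modules, s.final)
        for f in assess(s):
            print("  -", f)
```

Run it against a real capture with `KRB5_TRACE=/dev/stderr kinit 2> trace.txt` and feed the file to `summarise`; the "offered" set is what the KDC advertised, while `spake_challenge`, `fast_armor` and `modules` show what the client did with it, which is exactly the distinction the `hardened` experiments above turn on.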