[Freeipa-users] Re: Making use of ipa-user-mod --auth-user-type=hardened

On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote: > On to, 16 joulu 2021, Sam Morris via FreeIPA-users wrote: > > I was wondering what the purpose of 'ipa user-mod > > --auth-user-type=hardened' was. In the web UI the option is > > labelled > > "Hardened Password (by SPAKE or FAST)". > > > > What I found (by setting KRB5_TRACE=/dev/stderr) was that without > > setting this option, kinit already opportunistically uses SPAKE: > > Have you read > https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html > and > https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli... > ? > > They need a bit of update to cover existence of pam_sss_gss.so module > but they give most of details we have so far. As I understand it this allows tickets with the hardened indicator to have a longer lifetime, and for services to be configured to require the presence of an indicator in the service ticket presented by the user. And as you say the pam_sss_gss module can also be configured to require the presence of an indicator before it'll accept the user's ticket. But I don't see the link with ipa user-mod --auth-user-type=hardened... in my case it just seems to make it impossible to log in as the user at all...