On Thu, 16 Dec 2021, Sam Morris wrote:
> On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote:
> > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> > > I was wondering what the purpose of 'ipa user-mod
> > > --auth-user-type=hardened' was. In the web UI the option is
> > > labelled "Hardened Password (by SPAKE or FAST)".
> > >
> > > What I found (by setting KRB5_TRACE=/dev/stderr) was that without
> > > setting this option, kinit already opportunistically uses SPAKE:
> >
> > Have you read
> > https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html
> > and
> > https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
> > ?
> >
> > They need a bit of an update to cover the existence of the pam_sss_gss.so
> > module, but they give most of the details we have so far.
>
> As I understand it this allows tickets with the hardened indicator to
> have a longer lifetime, and for services to be configured to require
> the presence of an indicator in the service ticket presented by the
> user.
>
> And as you say the pam_sss_gss module can also be configured to require
> the presence of an indicator before it'll accept the user's ticket.
>
> But I don't see the link with ipa user-mod --auth-user-type=hardened...
> In my case it just seems to make it impossible to log in as the user at
> all...
For hardened, I think I found an issue. I need to test that but have no
time right now. Can you file an upstream ticket, please?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
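Sam's observation that kinit already picks SPAKE opportunistically came from reading a KRB5_TRACE log. The following is an added example, not code from the thread or from FreeIPA or MIT krb5: a small parser that reads such a trace and reports which pre-authentication mechanism actually authenticated the user, and whether that mechanism is one of the two ("SPAKE or FAST") that the Web UI label on the page ties to the hardened indicator. The message strings are modelled on MIT krb5 trace output; both trace excerpts are constructed, and treating a produced PA-FX-FAST (136) as the FAST-armor signal is an assumption of this example.

```python
"""Added example (not from the thread): classify which Kerberos pre-authentication
mechanism a kinit run actually used, by reading a KRB5_TRACE log such as the one
captured with KRB5_TRACE=/dev/stderr. Message formats are modelled on MIT krb5
trace output; the sample traces below are constructed, not real captures."""
import re
from dataclasses import dataclass, field

# Pre-authentication type numbers that matter for the "hardened" question.
PA_ENC_TIMESTAMP = 2    # password-derived key encrypts a timestamp: offline-guessable if captured
PA_PK_AS_REQ = 16       # PKINIT
PA_FX_FAST = 136        # FAST armor tunnel
PA_SPAKE = 151          # SPAKE: the AS exchange gives no offline-guessable material

_TYPES_RE = re.compile(r"([A-Z][A-Z0-9-]*) \((\d+)\)")
_OFFERED_RE = re.compile(r": Processing preauth types: (.*)$")
_PRODUCED_RE = re.compile(r": Produced preauth for next request: (.*)$")
_MODULE_RE = re.compile(r": Preauth module (\S+) \((\d+)\) \((real|info)\) returned: (\d+)/")


@dataclass
class PreauthSummary:
    offered: set = field(default_factory=set)         # PA types the KDC advertised
    produced: set = field(default_factory=set)        # PA types the client sent back
    real_modules: list = field(default_factory=list)  # (module name, PA type, return code)

    @property
    def used(self):
        """Name of the last 'real' (authenticating) module that returned success."""
        for name, _patype, code in reversed(self.real_modules):
            if code == 0:
                return name
        return None

    @property
    def hardened(self):
        """True when the exchange was SPAKE or FAST-armored, the two cases the
        'Hardened Password (by SPAKE or FAST)' label refers to. Using a produced
        PA-FX-FAST as the FAST signal is an assumption of this example."""
        return self.used == "spake" or PA_FX_FAST in self.produced


def _patypes(field_text):
    """Turn 'PA-SPAKE (151), PA-ENC-TIMESTAMP (2)' into {151, 2}."""
    return {int(num) for _name, num in _TYPES_RE.findall(field_text)}


def summarize_trace(text):
    """Walk the trace line by line; collect offered/produced PA types and module results."""
    summary = PreauthSummary()
    for line in text.splitlines():
        if m := _OFFERED_RE.search(line):
            summary.offered |= _patypes(m.group(1))
        elif m := _PRODUCED_RE.search(line):
            summary.produced |= _patypes(m.group(1))
        elif m := _MODULE_RE.search(line):
            name, patype, flavor, code = m.groups()
            if flavor == "real":  # 'info' modules (etype-info, cookie) do not authenticate
                summary.real_modules.append((name, int(patype), int(code)))
    return summary


def verdict(summary):
    """Short risk statement about the mechanism that was used."""
    if summary.used is None:
        return "no successful pre-authentication found in trace"
    if summary.hardened:
        return f"hardened: {summary.used} (SPAKE or FAST), AS exchange not offline-guessable"
    if PA_SPAKE in summary.offered:
        return f"weak: {summary.used} used although the KDC offered SPAKE"
    return f"weak: {summary.used} used and the KDC did not offer SPAKE"


# Constructed trace of a kinit that opportunistically picked SPAKE.
SPAKE_TRACE = """\
[4242] 1639662000.000001: Getting initial credentials for alice@EXAMPLE.TEST
[4242] 1639662000.000002: Sending unauthenticated request
[4242] 1639662000.000003: Received error from KDC: -1765328359/Additional pre-authentication required
[4242] 1639662000.000004: Preauthenticating using KDC method data
[4242] 1639662000.000005: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2), PA-SPAKE (151)
[4242] 1639662000.000006: Selected etype info: etype aes256-cts, salt "EXAMPLE.TESTalice", params ""
[4242] 1639662000.000007: SPAKE challenge received with group 1, pubkey 2A2B2C
[4242] 1639662000.000008: Preauth module spake (151) (real) returned: 0/Success
[4242] 1639662000.000009: Produced preauth for next request: PA-FX-COOKIE (133), PA-SPAKE (151)
"""

# Constructed trace of a client that fell back to encrypted timestamp without FAST.
ENCTS_TRACE = """\
[4243] 1639662100.000001: Getting initial credentials for bob@EXAMPLE.TEST
[4243] 1639662100.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[4243] 1639662100.000003: Processing preauth types: PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[4243] 1639662100.000004: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4243] 1639662100.000005: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
"""

if __name__ == "__main__":
    for label, trace in (("spake", SPAKE_TRACE), ("encts", ENCTS_TRACE)):
        print(label, "->", verdict(summarize_trace(trace)))
```

Run it against a real capture with `KRB5_TRACE=/tmp/kinit.trace kinit user` and `summarize_trace(open("/tmp/kinit.trace").read())`; the interesting case for a defender is the second verdict branch, where the KDC offered SPAKE but a client still answered with an encrypted timestamp, since that is the exchange an on-path observer can take away for offline guessing and the one that would not earn the hardened indicator.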