[Freeipa-users] Re: 3rd Party OTP for LDAP and Kerberos

On to, 14 touko 2020, Russ Long via FreeIPA-users wrote: Thing is, it starts working for me immediately when I get the proxy associated with the user. [root@master ~]# ipa user-add foo1bar First name: Foo1 Last name: Bar -------------------- Added user "foo1bar" -------------------- User login: foo1bar First name: Foo1 Last name: Bar Full name: Foo1 Bar Display name: Foo1 Bar Initials: FB Home directory: /home/foo1bar GECOS: Foo1 Bar Login shell: /bin/sh Principal name: foo1bar(a)IPA.TEST Principal alias: foo1bar(a)IPA.TEST Email address: foo1bar(a)ipa.test UID: 1908200007 GID: 1908200007 Password: False Member of groups: ipausers Kerberos keys available: False [root@master ~]# ipa user-mod foo1bar --radius duo ----------------------- Modified user "foo1bar" ----------------------- User login: foo1bar First name: Foo1 Last name: Bar Home directory: /home/foo1bar Login shell: /bin/sh Principal name: foo1bar(a)IPA.TEST Principal alias: foo1bar(a)IPA.TEST Email address: foo1bar(a)ipa.test UID: 1908200007 GID: 1908200007 RADIUS proxy configuration: duo Account disabled: False Password: False Member of groups: ipausers Kerberos keys available: False [root@master ~]# kinit -k [root@master ~]# KRB5_TRACE=/dev/stderr kinit -T KCM:0 foo1bar [190332] 1589466311.590529: Resolving unique ccache of type KCM [190332] 1589466311.590530: Getting initial credentials for foo1bar(a)IPA.TEST [190332] 1589466311.590531: FAST armor ccache: KCM:0 [190332] 1589466311.590532: Retrieving host/master.ipa.test(a)IPA.TEST -> krb5_ccache_conf_data/fast_avail/krbtgt\/IPA.TEST\@IPA.TEST(a)X-CACHECONF: from KCM:0 with result: 0/Success [190332] 1589466311.590533: Read config in KCM:0 for krbtgt/IPA.TEST(a)IPA.TEST: fast_avail: yes [190332] 1589466311.590534: Using FAST due to armor ccache negotiation result [190332] 1589466311.590535: Getting credentials host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST using ccache KCM:0 [190332] 1589466311.590536: Retrieving host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST from KCM:0 with result: 0/Success [190332] 1589466311.590537: Armor ccache sesion key: aes256-cts/3E96 [190332] 1589466311.590539: Creating authenticator for host/master.ipa.test(a)IPA.TEST -> krbtgt/IPA.TEST(a)IPA.TEST, seqnum 0, subkey aes256-cts/86B1, session key aes256-cts/3E96 [190332] 1589466311.590541: FAST armor key: aes256-cts/1B67 [190332] 1589466311.590543: Sending unauthenticated request [190332] 1589466311.590544: Encoding request body and padata into FAST request [190332] 1589466311.590545: Sending request (1681 bytes) to IPA.TEST [190332] 1589466311.590546: Initiating TCP connection to stream 1.2.3.4:88 [190332] 1589466311.590547: Sending TCP request to stream 1.2.3.4:88 [190332] 1589466311.590548: Received answer (553 bytes) from stream 1.2.3.4:88 [190332] 1589466311.590549: Terminating TCP connection to stream 1.2.3.4:88 [190332] 1589466311.590550: Response was from master KDC [190332] 1589466311.590551: Received error from KDC: -1765328359/Additional pre-authentication required [190332] 1589466311.590552: Decoding FAST response [190332] 1589466311.590555: Preauthenticating using KDC method data [190332] 1589466311.590556: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137) [190332] 1589466311.590557: Received cookie: MIT [190332] 1589466311.590558: PKINIT client has no configured identity; giving up [190332] 1589466311.590559: Preauth module pkinit (147) (info) returned: 0/Success [190332] 1589466311.590560: PKINIT client received freshness token from KDC [190332] 1589466311.590561: Preauth module pkinit (150) (info) returned: 0/Success [190332] 1589466311.590562: PKINIT client has no configured identity; giving up [190332] 1589466311.590563: Preauth module pkinit (16) (real) returned: 22/Invalid argument Enter OTP Token Value: [some value] [190351] 1589466397.815380: Preauth module otp (141) (real) returned: 0/Success [190351] 1589466397.815381: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142) [190351] 1589466397.815382: Encoding request body and padata into FAST request [190351] 1589466397.815383: Sending request (1817 bytes) to IPA.TEST [190351] 1589466397.815384: Initiating TCP connection to stream 1.2.3.4:88 [190351] 1589466397.815385: Sending TCP request to stream 1.2.3.4:88 [190351] 1589466402.829711: Received answer (553 bytes) from stream 1.2.3.4:88 [190351] 1589466402.829712: Terminating TCP connection to stream 1.2.3.4:88 [190351] 1589466402.829713: Response was from master KDC ... At this point I can see on the KDC in journal: May 14 14:26:37 master.ipa.test systemd[1]: Started ipa-otpd service (PID 188682/UID 0). May 14 14:26:37 master.ipa.test ipa-otpd[190353]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: request received May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: user query start May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: radius query end: 192.168.1.123 May 14 14:26:37 master.ipa.test ipa-otpd[190353]: foo1bar(a)IPA.TEST: forward start: foo1bar / 192.168.1.123 I don't have actual RADIUS proxy myself so ipa-otpd will timeout trying to contact non-existing server, but as you can see the request comes through. You do need to use FAST channel wrapping when testing with 'kinit' because that's required for OTP communication (thus -T option to kinit). SSSD would handle this for you automatically: [root@master ~]# ssh -l foo1bar `hostname` foo1bar(a)master.ipa.test's password: ... will lead to the same request processing on ipa-otpd side: May 14 14:30:04 master.ipa.test ipa-otpd[190404]: LDAP: ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: request received May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: user query start May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: user query end: uid=foo1bar,cn=users,cn=accounts,dc=ipa,dc=test May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: radius query start: cn=duo,cn=radiusproxy,dc=ipa,dc=test May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: radius query end: 192.168.1.123 May 14 14:30:04 master.ipa.test ipa-otpd[190404]: foo1bar(a)IPA.TEST: forward start: foo1bar / 192.168.1.123 -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland