On Tue, Mar 30, 2021 at 09:30:33AM +0300, Alexander Bokovoy wrote:
> 
> Could you please explain where you want to do it? Noggin (Fedora
> Accounts app) does handle the login itself, not FreeIPA. In the context
> of what Fedora contributors interact with, FreeIPA is only directly
> exposed via Kerberos authentication flow.

Well, I don't know. I am not implementing anything myself.
I should leave that to the people who would be implementing things (the
noggin team).
> 
> Noggin can be modified to accept separate password and token values. In
> fact, FreeIPA Web UI does have password-based login implemented in this
> way -- there are separate password and token value login fields if user
> has OTP associated.

Yeah, note that we are using IPA / RHEL8. It does not have separate
password and token fields, so I assume this is something coming to IPA
soon. :)
 
> Security query/response pairs are something that Noggin would need to
> manage on top of FreeIPA as well and thus would handle login with them.
> We do not have any mechanism in FreeIPA to allow you to handle this on
> behalf of Noggin.

ok

> For security query/response pairs to be useful in FreeIPA context,
> they'd need to be plugged into the main password change flows. There are
> currently two major ones and the rest just piggy-backs on either of
> them:
> 
>  - a password change via LDAP protocol
>  - a password change via Kerberos protocol
> 
> Our current scheme for resetting forgotten or unknown passwords in
> FreeIPA requires administrators to initiate a reset with a temporary
> password, pre-set or randomly generated. Then a user changes the
> password via one of the two methods above -- either directly or with the
> help of one of applications that utilize those, by specifying the
> temporary password first and providing a new one afterwards.
> 
> Kerberos password change protocol implements a single request and a
> single reply message where the request is initiated by a client and the
> server replies with a success or an error, after which the password is
> either updated or not. The request sent by the client includes a single
> user-data component (part of generic Kerberos KRB_PRIV message as per
> RFC4120 section 5.7.1).

I don't think this is supported via KDCproxy, is it?
> 
> LDAP password change may include and return a control that could be used
> to pass through some additional information in both directions with a
> bit more flexibility than on the Kerberos side. It still requires that
> an LDAP client implements this exchange so Noggin would need to
> implement the logic for this too.

ok.

> If we'd want to add security query/response pairs to allow users to
> 'securely' reset their passwords initiated by themselves, this would be
> possible with an appropriate extension of an LDAP control and changes to
> FreeIPA Web UI and Noggin to support that. The bigger problem is to find
> a way to securely store these pairs encrypted per user. Right now the
> only per-user secret we have is something generated with the help of its
> password but since this is all about being able to reset that password
> without knowing its content, we need somewhat different method that
> would still be secure against others. In FreeIPA nobody, including
> administrators, is able to discover the user's password from a hashed
> form.

Yeah, this stuff is not at all easy... will talk with the noggin folks
and see if we can come up with anything that we might want to pursue.

Thanks!

kevin
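The storage problem raised above (no per-user secret is available during a reset, so the pairs cannot be encrypted with anything derived from the password) can be sidestepped by never storing the answers in recoverable form at all: treat each answer like a password and keep only a salted, slow hash of its normalized form, so the server can verify an answer but nobody, administrators included, can read it back, the same property the thread notes for FreeIPA password hashes. The following is an added illustration, not Noggin or FreeIPA code, and the hash-instead-of-encrypt design, the normalization rules and the scrypt parameters are assumptions of this example.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# scrypt cost parameters (assumed values; 128 * N * r = 16 MiB of memory)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16


def normalize_answer(answer: str) -> str:
    """Canonicalize so ' Spring-field ' and 'springfield' verify the same.

    Unicode NFKC + casefold, then drop everything that is not a word character.
    """
    text = unicodedata.normalize("NFKC", answer).casefold()
    return re.sub(r"[^\w]", "", text)


def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.scrypt(normalize_answer(answer).encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def enroll_pair(question: str, answer: str) -> dict:
    """Store a question with a per-answer random salt and the derived digest only."""
    salt = os.urandom(SALT_LEN)
    return {"question": question, "salt": salt, "digest": _derive(answer, salt)}


def verify_answer(record: dict, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    return hmac.compare_digest(_derive(candidate, record["salt"]), record["digest"])


def verify_all(records: list, candidates: dict) -> bool:
    """Require every enrolled pair to match.

    Every pair is evaluated even after a failure so response time does not
    reveal which question was answered wrongly.
    """
    results = [verify_answer(r, candidates.get(r["question"], "")) for r in records]
    return bool(results) and all(results)


if __name__ == "__main__":
    # constructed sample enrolment and reset attempt
    stored = [enroll_pair("First pet?", "Rex"), enroll_pair("Birth city?", "Spring-field")]
    print(verify_all(stored, {"First pet?": "REX", "Birth city?": "springfield"}))  # True
```

Rate limiting and lockout of the reset flow are still needed, since the answers have far less entropy than a password and the hash only slows offline guessing.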
