Re: [Freeipa-users] Password and OTP auth

2017-05-17 Thread Andrey Dudin
Hello

If I do ipa user-mod test --user-auth-type=password --user-auth-type=otp, I
have this user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  User authentication types: otp, password
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True

I can log in to ipa-client.mydomain.com over ssh using password+OTP token,
but to log in to the IPA Web UI I also need password+OTP. I need just the
password for the IPA Web UI and password+OTP token for ssh on
ipa-client.mydomain.com.


[root@ipa-centos]# ipa service-show HTTP/ipa-centos.mydomain@mydomain.com --raw
  krbcanonicalname: HTTP/ipa-centos.mydomain@mydomain.com
  krbprincipalname: HTTP/ipa-centos.mydomain@mydomain.com
  usercertificate: %cert%
  subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  serial_number: 9
  serial_number_hex: 0x9
  issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  valid_not_before: Tue May 16 11:32:36 2017 UTC
  valid_not_after: Fri May 17 11:32:36 2019 UTC
  md5_fingerprint: e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  sha1_fingerprint: de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  krbprincipalauthind: password
  has_keytab: TRUE
  managedby: fqdn=ipa-centos.mydomain.com,cn=computers,cn=accounts,dc=dev,dc=olabs,dc=global

2017-05-17 12:17 GMT+03:00 Sumit Bose <sb...@redhat.com>:

> On Tue, May 16, 2017 at 06:05:06PM +0300, Andrey Dudin wrote:
> > Thanks, but I think I have a problem.
> >
> > I have test user:
> >
> > [root@ipa-centos]# ipa user-show test
> >   User login: test
> >   First name: test
> >   Last name: test
> >   Home directory: /home/test
> >   Login shell: /bin/sh
> >   Principal name: t...@mydomain.com
> >   Principal alias: t...@mydomain.com
> >   Email address: t...@mydomain.com
> >   UID: 15221
> >   GID: 15221
>
> As mentioned in the other thread there should be a listing of user auth
> types here. Please try
>
> ipa user-mod test --user-auth-type=password --user-auth-type=otp
>
> to allow both password and 2-factor/otp authentication.
>
> >   Account disabled: False
> >   Password: True
> >   Member of groups: trust admins, ipausers, admins
> >   Kerberos keys available: True
> >
> >
> > And test host:
> >
> > [root@ipa-centos]# ipa host-show ipa-client.mydomain.com
> >   Host name: ipa-client.mydomain.com
> >   Principal name: host/ipa-client.mydomain@mydomain.com
> >   Principal alias: host/ipa-client.mydomain@mydomain.com
> >   SSH public key fingerprint: %SOME FINGERPRINTS%
> >   Authentication Indicators: otp
> >   Password: False
> >   Keytab: True
> >   Managed by: ipa-client.mydomain.com
> >
> >
> > When I try to log in to ipa-client.mydomain.com with password+OTP token I
> > get an error:
> >
> > [mynotebook]$ ssh t...@ipa-client.mydomain.com
> > t...@ipa-client.mydomain.com's password:
>
> Please check if ChallengeResponseAuthentication is enabled in
> /etc/ssh/sshd_config on ipa-client.mydomain.com. If not please enable it
> by setting 'ChallengeResponseAuthentication yes'.
> > Permission denied, please try again.
> >
> >
> > Same if I trying to use just password.
> >
> > On ipa server in krb5kdc.log I see:
> >
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
> > May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required
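The two ssh-side points Sumit makes in this thread (ChallengeResponseAuthentication must be 'yes' for the OTP prompt to reach pam_sss, and ssh-key logins never go through PAM authentication, so the 'otp' indicator on the host principal does not protect them) can be checked from sshd_config. The following is an added example, not code from the thread or from FreeIPA/SSSD: it parses the global section of an sshd_config (first occurrence of a keyword wins, Match blocks are only reported), fills in the upstream OpenSSH defaults for keywords the file does not set (UsePAM no, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, AuthenticationMethods any), and reports what still lets a login skip the second factor. The AuthenticationMethods check goes beyond what the thread discusses: requiring keyboard-interactive in every method chain is the OpenSSH way to make key holders pass PAM as well. The two config fragments embedded in it are constructed.

```python
"""Audit an sshd_config for the two conditions raised in the thread:

  * ChallengeResponseAuthentication (with UsePAM) must be on, or sshd never
    hands the login to pam_sss and no second-factor prompt can appear;
  * public-key logins skip PAM authentication entirely, so a host principal
    that requires the 'otp' indicator is still reachable with an ssh key
    unless AuthenticationMethods forces keyboard-interactive as well.

Added example, not FreeIPA or SSSD code.  Only the global section is
evaluated; Match blocks are reported, not interpreted.
"""
import re

# Upstream OpenSSH defaults for keywords the file leaves unset (assumption:
# a distro-patched default such as CentOS 7's 'UsePAM yes' must appear in
# the file to be taken into account here).
DEFAULTS = {
    "usepam": "no",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "authenticationmethods": "any",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> value for the global section.

    sshd uses the *first* value it sees for a keyword, so later duplicates
    are ignored; everything after the first 'Match' line is conditional and
    is skipped, leaving only a marker that such blocks exist.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            values["_match_blocks"] = "present"
            break
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip()
    return values


def chains_require_keyboard_interactive(methods):
    """True when every AuthenticationMethods alternative (space-separated;
    each a comma-separated chain) contains keyboard-interactive, optionally
    with a device suffix such as 'keyboard-interactive:pam'."""
    methods = methods.strip().lower()
    if methods in ("", "any"):
        return False
    for chain in methods.split():
        steps = [step.split(":", 1)[0] for step in chain.split(",")]
        if "keyboard-interactive" not in steps:
            return False
    return True


def otp_coverage(values):
    """List the ways this sshd config lets a login skip the OTP prompt
    (empty list: every successful login went through PAM)."""
    def get(key):
        return values.get(key, DEFAULTS[key]).lower()

    findings = []
    if get("usepam") != "yes":
        findings.append("UsePAM is not 'yes': pam_sss is never consulted, so no OTP can be checked")
    if get("challengeresponseauthentication") != "yes":
        findings.append("ChallengeResponseAuthentication is not 'yes': sshd cannot show the second-factor prompt")
    if get("pubkeyauthentication") == "yes" and not chains_require_keyboard_interactive(get("authenticationmethods")):
        findings.append("PubkeyAuthentication is on and AuthenticationMethods does not force "
                        "keyboard-interactive: key logins bypass the 'otp' indicator")
    if "_match_blocks" in values:
        findings.append("Match blocks present but not evaluated: review them by hand")
    return findings


# Constructed sample: a CentOS 7 style config with the packaged
# 'ChallengeResponseAuthentication no'.
BEFORE = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""

# Constructed sample: Sumit's fix, plus AuthenticationMethods so that key
# holders must also satisfy keyboard-interactive (and thus pam_sss).
AFTER = """\
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no    # ignored: first occurrence wins
UsePAM yes
PubkeyAuthentication yes
AuthenticationMethods publickey,keyboard-interactive keyboard-interactive
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, otp_coverage(parse_sshd_config(cfg)) or ["ok: every login passes through PAM"])
```

Run as a script it prints two findings for the "before" fragment (no second-factor prompt, and the key bypass) and "ok" for the "after" one. The check is deliberately conservative: a Match block that re-enables PubkeyAuthentication for some group would only be flagged for manual review, not evaluated.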

Re: [Freeipa-users] Spam

2017-05-16 Thread Andrey Dudin
Me too.  I received a lot of spam messages from Amy Kristen.


Wed, 17 May 2017 at 3:16, Vinny Del Signore :

> Hi Andrew,
>
> I just sent my first mail today around 5:30pm EST and have already
> received five spam e-mails from "Amy Kristen". Three of these included nude
> photos. These are the two e-mail addresses used so far. Hoping this stops.
>
>
> -Vin
>
> Amy Kristen 
> Amy Kristen 
>
>
>
>
>
> From: Andrew Holway 
> To: "freeipa-users@redhat.com" 
> Date: 05/16/2017 07:54 PM
> Subject: [Freeipa-users] Spam
> Sent by: freeipa-users-boun...@redhat.com
> --
>
>
>
>
> What's up with this weird spam. This is the only list where I see this.
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
>

-- 
Best regards, Andrey Dudin

[Freeipa-users] Why OTP not working

2017-05-16 Thread Andrey Dudin
Hello all.

I am trying to use OTP auth in FreeIPA but have some problems.

I have user test:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And his token:

[root@ipa-centos]# ipa otptoken-show 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Unique ID: 7fa47f65-dc72-486e-8dd4-6393c7e389bd
  Type: TOTP
  Owner: test
  Manager: test


Server with FreeIPA:

[root@ipa-centos]# ipa host-show ipa-centos.mydomain.com
  Host name: ipa-centos.mydomain.com
  Principal name: host/ipa-centos.mydomain@mydomain.com
  Principal alias: host/ipa-centos.mydomain@mydomain.com
  SSH public key fingerprint: %some fingerprints%
  Authentication Indicators: otp
  Password: False
  Member of host-groups: ipaservers
  Keytab: True
  Managed by: ipa-centos.mydomain.com


And the default service for FreeIPA HTTP:

[root@ipa-centos]# ipa service-show http/ipa-centos.mydomain.com
  Principal name: HTTP/ipa-centos.mydomain@mydomain.com
  Principal alias: HTTP/ipa-centos.mydomain@mydomain.com
  Certificate: %cert%
  Subject: CN=ipa-centos.mydomain.com,O=MYDOMAIN.COM
  Serial Number: 9
  Serial Number (hex): 0x9
  Issuer: CN=Certificate Authority,O=MYDOMAIN.COM
  Not Before: Tue May 16 11:32:36 2017 UTC
  Not After: Fri May 17 11:32:36 2019 UTC
  Fingerprint (MD5): e8:76:3b:a7:94:37:2e:e1:c8:ed:a1:87:38:16:65:e1
  Fingerprint (SHA1): de:65:18:38:23:5e:8a:0d:49:2c:eb:de:64:0a:61:eb:61:bd:ea:04
  Authentication Indicators: otp
  Keytab: True
  Managed by: ipa-centos.mydomain.com


As you can see, all properties for OTP auth in the FreeIPA web interface are
applied, but I can log in to the web interface only using the password; if I
try logging in with password+OTP token I get an error.

What's wrong?

[root@ipa-centos]# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

[root@ipa-centos]# cat /etc/os-release

NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Re: [Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Thanks, but I think I have a problem.

I have test user:

[root@ipa-centos]# ipa user-show test
  User login: test
  First name: test
  Last name: test
  Home directory: /home/test
  Login shell: /bin/sh
  Principal name: t...@mydomain.com
  Principal alias: t...@mydomain.com
  Email address: t...@mydomain.com
  UID: 15221
  GID: 15221
  Account disabled: False
  Password: True
  Member of groups: trust admins, ipausers, admins
  Kerberos keys available: True


And test host:

[root@ipa-centos]# ipa host-show ipa-client.mydomain.com
  Host name: ipa-client.mydomain.com
  Principal name: host/ipa-client.mydomain@mydomain.com
  Principal alias: host/ipa-client.mydomain@mydomain.com
  SSH public key fingerprint: %SOME FINGERPRINTS%
  Authentication Indicators: otp
  Password: False
  Keytab: True
  Managed by: ipa-client.mydomain.com


When I try to log in to ipa-client.mydomain.com with password+OTP token I
get an error:

[mynotebook]$ ssh t...@ipa-client.mydomain.com
t...@ipa-client.mydomain.com's password:
Permission denied, please try again.


Same if I try to use just the password.

On the IPA server in krb5kdc.log I see:

May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: t...@mydomain.com for krbtgt/mydomain@mydomain.com, Additional pre-authentication required
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, t...@mydomain.com for krbtgt/mydomain@mydomain.com
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 ipa-centos krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, t...@mydomain.com for host/ipa-client.mydomain@mydomain.com, Required auth indicators not present in ticket: otp
May 16 11:00:53 ipa-centos krb5kdc[2280](info): closing down fd 12

What's wrong?

2017-05-16 17:16 GMT+03:00 Sumit Bose <sb...@redhat.com>:

> On Tue, May 16, 2017 at 04:48:42PM +0300, Andrey Dudin wrote:
> > Hello all.
> >
> > Tell me please, is it possible to use password and OTP auth at the same
> > time?
> >
> > For example, I have DEV/STAGE servers and want to be able to use password
> > auth for ssh, but for PROD servers I want to use OTP auth for the same user.
>
> Authentication indicators can be used for this. If you add
>
> ipa host-mod --auth-ind=otp prod.server
>
> Only 2-factor authentication should be possible on prod.server. But
> please note that e.g. ssh-key based authentication will still be
> possible as well.
>
> HTH
>
> bye,
> Sumit
>



-- 
Best regards, Andrey Dudin
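The krb5kdc.log excerpt in the message above is the characteristic pattern of an authentication-indicator mismatch: AS_REQ ... ISSUE shows the password was accepted and a TGT issued, then TGS_REQ ... HIGHER_AUTHENTICATION_REQUIRED for host/ipa-client shows that this TGT carries no 'otp' indicator. In FreeIPA only the pre-authentication mechanism actually used sets an indicator: a plain password sets none, OTP pre-authentication sets 'otp', so a user whose effective auth type is password only (the default when neither the user entry nor the global config says otherwise), or who typed only the password, always produces this pair of lines against a host configured with --auth-ind=otp. What follows is an added example, not code from the thread or from FreeIPA: a parser that turns such lines into findings and separates "wrong password" (no ISSUE for that client) from "right password, wrong factor" (ISSUE followed by the refusal). The log lines embedded in it are constructed in the same format as the quoted ones, with a made-up principal alice@EXAMPLE.COM, realm and hostnames.

```python
"""Pick authentication-indicator refusals out of krb5kdc.log.

Added example, not FreeIPA code.  A TGS_REQ answered with
HIGHER_AUTHENTICATION_REQUIRED means the client holds a valid TGT that
lacks an indicator the target principal's krbprincipalauthind demands; seen
right after an AS_REQ ISSUE for the same client it means the password was
right but the factor used does not set that indicator.
"""
import re

KDC_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client> for <service>" as the KDC prints it, optional trailing comma
CLIENT_FOR = re.compile(r"(?P<client>\S+) for (?P<service>\S+?),?(?: |$)")
MISSING = re.compile(r"Required auth indicators not present in ticket: (?P<inds>.+)$")


def parse_kdc_line(line):
    """Dict for AS_REQ/TGS_REQ lines, None for anything else (fd closes etc.)."""
    m = KDC_LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    cf = CLIENT_FOR.search(ev["rest"])
    ev["client"] = cf.group("client") if cf else None
    ev["service"] = cf.group("service") if cf else None
    mi = MISSING.search(ev["rest"])
    ev["missing"] = mi.group("inds").split() if mi else []
    return ev


def find_indicator_failures(lines):
    """One finding per (ip, client, service) refused with
    HIGHER_AUTHENTICATION_REQUIRED; 'tgt_issued' tells whether that client
    had already been given a TGT, i.e. the password itself was accepted."""
    tgt_issued = set()
    findings = {}
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        who = (ev["ip"], ev["client"])
        if ev["req"] == "AS_REQ" and ev["status"] == "ISSUE":
            tgt_issued.add(who)
        elif ev["req"] == "TGS_REQ" and ev["status"] == "HIGHER_AUTHENTICATION_REQUIRED":
            f = findings.setdefault(who + (ev["service"],), {
                "ip": ev["ip"], "client": ev["client"], "service": ev["service"],
                "missing": ev["missing"], "tgt_issued": False, "attempts": 0,
            })
            f["attempts"] += 1
            f["tgt_issued"] = f["tgt_issued"] or who in tgt_issued
    return list(findings.values())


def explain(f):
    """Human-readable diagnosis of one finding."""
    inds = ",".join(f["missing"])
    head = f"{f['client']} from {f['ip']} refused for {f['service']} ({f['attempts']}x): "
    if f["tgt_issued"]:
        return head + (f"password accepted, but the TGT carries no '{inds}' indicator; "
                       "the user's effective auth type lacks otp or only the password was typed")
    return head + f"TGT lacks '{inds}' and no AS_REQ ISSUE for this client is in the sample"


# Constructed sample in the format quoted in the thread (made-up principal,
# realm and hostnames): SSSD on 10.0.1.22 gets a TGT for alice with a plain
# password, fails twice to validate it against an otp-only host, and later
# succeeds against a host with no indicator requirement.
SAMPLE_LOG = """\
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: NEEDED_PREAUTH: alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
May 16 11:00:53 kdc1 krb5kdc[2280](info): closing down fd 12
May 16 11:00:53 kdc1 krb5kdc[2280](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.COM for host/prod.example.com@EXAMPLE.COM, Required auth indicators not present in ticket: otp
May 16 11:00:53 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: HIGHER_AUTHENTICATION_REQUIRED: authtime 1494946853, alice@EXAMPLE.COM for host/prod.example.com@EXAMPLE.COM, Required auth indicators not present in ticket: otp
May 16 11:00:54 kdc1 krb5kdc[2280](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 10.0.1.22: ISSUE: authtime 1494946853, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/dev.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    for finding in find_indicator_failures(SAMPLE_LOG.splitlines()):
        print(explain(finding))
```

Fed the real log (for example `find_indicator_failures(open("/var/log/krb5kdc.log"))`), it reports one line per client/service pair rather than one per retry, which matters because SSSD repeats the validation and the KDC logs every attempt. The fix it points to is the one Sumit gave: make sure the user's auth types include otp (ipa user-mod ... --user-auth-type=password --user-auth-type=otp, or the global ipa config-mod --user-auth-type), then log in with password+OTP so the TGT actually carries the indicator.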

[Freeipa-users] Password and OTP auth

2017-05-16 Thread Andrey Dudin
Hello all.

Tell me please, is it possible to use password and OTP auth at the same
time?

For example, I have DEV/STAGE servers and want to be able to use password
auth for ssh, but for PROD servers I want to use OTP auth for the same user.