passkey cannot fall back to password #7152

abbra · 2024-01-30T04:35:58Z

When both password and passkey user authentication types configured for IPA user, SSSD cannot fall back to password
authentication even when user intends to do so.

....
(2024-01-30  6:22:42): [krb5_child[260541]] [sss_child_krb5_trace_cb] (0x4000): [RID#707] [260541] 1706588562.200418: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-REDHAT-PASSKEY (153), PA-PKINIT-KX (147), PA-SPAKE (151), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)

(2024-01-30  6:22:42): [krb5_child[260541]] [sss_child_krb5_trace_cb] (0x4000): [RID#707] [260541] 1706588562.200419: Selected etype info: etype aes256-cts, salt "some-salt ", params ""

(2024-01-30  6:22:42): [krb5_child[260541]] [sss_child_krb5_trace_cb] (0x4000): [RID#707] [260541] 1706588562.200420: Received cookie: MIT1\x00\x00\x00\x016\xd3\some-cookie

(2024-01-30  6:22:42): [krb5_child[260541]] [sss_child_krb5_trace_cb] (0x4000): [RID#707] [260541] 1706588562.200421: PKINIT client has no configured identity; giving up

(2024-01-30  6:22:42): [krb5_child[260541]] [sss_krb5_responder] (0x4000): [RID#707] Got question [passkey].
(2024-01-30  6:22:42): [krb5_child[260541]] [k5c_send_data] (0x0200): [RID#707] Received error code 0
(2024-01-30  6:22:42): [krb5_child[260541]] [pack_response_packet] (0x2000): [RID#707] response packet size: [400]
(2024-01-30  6:22:42): [krb5_child[260541]] [k5c_send_data] (0x4000): [RID#707] Response sent.
(2024-01-30  6:22:49): [krb5_child[260541]] [unpack_buffer] (0x1000): [RID#707] total buffer size: [108]
(2024-01-30  6:22:49): [krb5_child[260541]] [unpack_buffer] (0x0100): [RID#707] cmd [241 (auth)] uid [1000] gid [1000] validate [true] enterprise principal [false] offline [false] UPN [user@REALM]
(2024-01-30  6:22:49): [krb5_child[260541]] [unpack_buffer] (0x0100): [RID#707] ccname: [KCM:] old_ccname: [KCM:] keytab: [/etc/krb5.keytab]
(2024-01-30  6:22:49): [krb5_child[260541]] [answer_passkey] (0x0040): [RID#707] Unexpected authentication token type [Password]

The text was updated successfully, but these errors were encountered:

Add support to try the next Preauth type when answering krb5 questions. Fixes an issue when an IPA user has both authtype passkey and authtype password set at the same time. Resolves: SSSD#7152

abbra · 2024-02-29T08:06:28Z

One more issue I observed is that when a password change is requested by the server due to expiration, the change process is correctly initiated by the SSSD but it ends up in not completing against the KDC. As a result, user gets asked to change their password at every authentication attempt. I suspect it is related to the same problem.

Add support to try the next Preauth type when answering krb5 questions. Fixes an issue when an IPA user has both authtype passkey and authtype password set at the same time. Resolves: SSSD#7152

justin-stephenson · 2024-03-04T14:24:43Z

Hi @abbra Would you mind testing https://copr.fedorainfracloud.org/coprs/g/sssd/pr7161/ now? The issues you mention should be resolved.

abbra · 2024-03-04T14:33:34Z

I will do a test, thank you.

Add support to try the next Preauth type when answering krb5 questions. Fixes an issue when an IPA user has both authtype passkey and authtype password set at the same time. Resolves: #7152 Reviewed-by: Alexey Tikhonov <[email protected]> Reviewed-by: Iker Pedrosa <[email protected]> (cherry picked from commit c9a333c)

alexey-tikhonov · 2024-03-06T09:59:22Z

Pushed PR: #7161

master
- 6c1272e - krb5: Add fallback password change support
- c9a333c - krb5: Allow fallback between responder questions
sssd-2-9
- 8d9ae75 - krb5: Add fallback password change support
- 23849f7 - krb5: Allow fallback between responder questions

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: SSSD#7152

Resolves: SSSD#7152

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: SSSD#7152

Resolves: SSSD#7152

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: SSSD#7152

Resolves: SSSD#7152

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: SSSD#7152

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: SSSD#7152

Resolves: SSSD#7152

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: SSSD#7152

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>

Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit bf6cb6d)

Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 7c33f9d)

Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit e26cc69)

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 0d5e8f1)

alexey-tikhonov · 2024-03-21T12:46:07Z

Pushed PR: #7243

master
- 0d5e8f1 - pam_sss: prefer Smartcard authentication
- e26cc69 - krb5: make prompter and pre-auth debug message less irritating
- 7c33f9d - krb5: make sure answer_pkinit() use matching debug messages
- bf6cb6d - krb5: add OTP to krb5 response selection
sssd-2-9
- d06b4a3 - pam_sss: prefer Smartcard authentication
- 87b54bd - krb5: make prompter and pre-auth debug message less irritating
- c3725a1 - krb5: make sure answer_pkinit() use matching debug messages
- 5b9bc0a - krb5: add OTP to krb5 response selection

Add support to try the next Preauth type when answering krb5 questions. Fixes an issue when an IPA user has both authtype passkey and authtype password set at the same time. Resolves: SSSD#7152 (cherry picked from commit 74c673c) (cherry picked from commit 1ddad52462f2cb554e4df63c08c78429f370df2d)

Originally where there was only password and OTP authentication we checked for password authentication and used OTP as a fallback. This was continued as other (pre)-authentication types were added. But so far only one authentication type was returned. This changed recently to allow the user a better selection and as a result OTP cannot be handled as a fallback anymore but has to be added to the selection. In case there are no types (questions) available now password is used as a fallback. Resolves: SSSD#7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit bf6cb6d) (cherry picked from commit d3a9f0c588633da2f93e313a55ab3ccf7054af44)

Resolves: SSSD#7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 7c33f9d) (cherry picked from commit bca3c895649546afb755746e01080cee42c8bf77)

Resolves: SSSD#7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit e26cc69) (cherry picked from commit a987acf82067edf90304a315070fbc17e364ee54)

The current behavior is that Smartcard authentication is preferred if possible, i.e. if a Smartcard is present. Since the Smartcard (or equivalent) must be inserted manually the assumption is that if the user has inserted it they most probably want to use it for authentication. With the latest patches pam_sss might receive multiple available authentication methods. With this patch the checks for available authentication types start Smartcard authentication to mimic the existing behavior. Resolves: SSSD#7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]> (cherry picked from commit 0d5e8f1) (cherry picked from commit 98a712c1d9d1a1ed758ff1b89d33c3a9ce548522)

alexey-tikhonov added the passkey Issues and PRs related to 'passkey' feature label Jan 30, 2024

alexey-tikhonov mentioned this issue Feb 1, 2024

krb5: Allow fallback between responder questions #7161

Closed

andreboscatto added the Work in Progress label Feb 6, 2024

justin-stephenson self-assigned this Feb 6, 2024

alexey-tikhonov closed this as completed in c9a333c Mar 6, 2024

alexey-tikhonov added the Closed: Fixed Issue was closed as fixed. label Mar 6, 2024

sumit-bose mentioned this issue Mar 14, 2024

krb5: add OTP to krb5 response selection #7243

Closed

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 15, 2024

krb5: make sure answer_pkinit() use matching debug messages

25ac4c1

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 15, 2024

krb5: make prompter and pre-auth debug message less irritating

584b152

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 15, 2024

krb5: make prompter and pre-auth debug message less irritating

c9c4dea

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 18, 2024

krb5: make sure answer_pkinit() use matching debug messages

8093b47

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 18, 2024

krb5: make prompter and pre-auth debug message less irritating

c74a705

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 19, 2024

krb5: make sure answer_pkinit() use matching debug messages

a477b28

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 19, 2024

krb5: make prompter and pre-auth debug message less irritating

14c8f25

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 21, 2024

krb5: make sure answer_pkinit() use matching debug messages

9036a42

Resolves: SSSD#7152

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Mar 21, 2024

krb5: make prompter and pre-auth debug message less irritating

825383b

Resolves: SSSD#7152

alexey-tikhonov pushed a commit that referenced this issue Mar 21, 2024

krb5: make sure answer_pkinit() use matching debug messages

7c33f9d

Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>

alexey-tikhonov pushed a commit that referenced this issue Mar 21, 2024

krb5: make prompter and pre-auth debug message less irritating

e26cc69

Resolves: #7152 Reviewed-by: Alejandro López <[email protected]> Reviewed-by: Justin Stephenson <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

passkey cannot fall back to password #7152

passkey cannot fall back to password #7152

abbra commented Jan 30, 2024

abbra commented Feb 29, 2024

justin-stephenson commented Mar 4, 2024

abbra commented Mar 4, 2024

alexey-tikhonov commented Mar 6, 2024

alexey-tikhonov commented Mar 21, 2024

passkey cannot fall back to password #7152

passkey cannot fall back to password #7152

Comments

abbra commented Jan 30, 2024

abbra commented Feb 29, 2024

justin-stephenson commented Mar 4, 2024

abbra commented Mar 4, 2024

alexey-tikhonov commented Mar 6, 2024

alexey-tikhonov commented Mar 21, 2024