
krb5: add OTP to krb5 response selection #7243

Closed
wants to merge 4 commits into from

Conversation

sumit-bose
Contributor

Originally, when there was only password and OTP authentication, we
checked for password authentication and used OTP as a fallback. This was
continued as other (pre)-authentication types were added. But so far
only one authentication type was returned.

This changed recently to allow the user a better selection and, as a
result, OTP cannot be handled as a fallback anymore but has to be added
to the selection. In case there are no types (questions) available,
password is now used as a fallback.

Resolves: #7152

Contributor

@justin-stephenson justin-stephenson left a comment


Ack, thanks for the patch.

@justin-stephenson justin-stephenson self-assigned this Mar 14, 2024
@thalman thalman requested a review from aplopez March 14, 2024 13:36
Contributor

@aplopez aplopez left a comment


LGTM. Thanks.

@sumit-bose sumit-bose force-pushed the fix_otp branch 4 times, most recently from c74a705 to 14c8f25 Compare March 19, 2024 08:40
@sumit-bose
Contributor Author

Hi,

sorry for the delay, but I think the patches are now ready for a final round of reviews. The current krb5_child.log for the SSS_PAM_PREAUTH step might look like:

(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056564: Preauthenticating using KDC method data
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056565: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-SPAKE (151), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056566: Selected etype info: etype aes256-sha2, salt "VB&/sB}QMceAUB c", params ""
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056567: Received cookie: MIT1\x00\x00\x00\x01\xefN\xcc\xf4\xcd\x0a\x89k\x0c'*\x10\x8a\x0c\x07\x03\xfb\x1f\xe741\xf6`\xfaTY\xa9E\xfcn5QH~?\x03|\xc2\x00j\xffj\xfc$.\xa4bMc\x83.\xdf\xec\xd9\x06\xbb\x87`-\xf4\x88\x94>\x80\x01\xec\xb6\x02\x88\xba\x9d\xeb2\x0awg\x0b\x008z3V\xa8\x82S\xc8\x0b\x08\xa7:\xea\x93\xed\xa6\x01\xab\xa3!,\xbd=\x04\xd7\x82\xa7]\xa9\xfdy\xbdT\x96\xd6\xb5\x80\xcdn\x0a~\xb6\xb5%\x03\xbbC\x06fL\xd8\xae\x13@9\xaa?\xdaZ{\x07\xd9\x1c\xe5
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056568: PKINIT loading identity PKCS11:module_name=/usr/lib64/pkcs11/libsofthsm2.so:token=SSSD Test Token:certid=C554C9F82C2A9D58B70921C143304153A8A42F17:certlabel=SSSD test cert 0001
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056569: PKINIT opening PKCS#11 module "/usr/lib64/pkcs11/libsofthsm2.so"
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056570: PKINIT PKCS#11 slotid 1647404284 token SSSD Test Token
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [pkinit].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_pkinit] (0x4000): [RID#12] [0] Identity [PKCS11:module_name=/usr/lib64/pkcs11/libsofthsm2.so:slotid=1647404284:token=SSSD Test Token] flags [0].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_pkinit] (0x4000): [RID#12] Setting pkinit_prompting.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [otp].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_otp] (0x4000): [RID#12] [0] Vendor [(null)].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_otp] (0x4000): [RID#12] [0] Token-ID [(null)].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_otp] (0x4000): [RID#12] [0] Challenge [(null)].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_otp] (0x4000): [RID#12] [0] Flags [1].
(2024-03-20 10:46:14): [krb5_child[2260]] [answer_otp] (0x2000): [RID#12] Exit answer_otp during pre-auth.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [password].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056571: Preauth module pkinit (147) (info) returned: 0/Success
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056572: PKINIT client received freshness token from KDC
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056573: Preauth module pkinit (150) (info) returned: 0/Success
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056574: PKINIT opening PKCS#11 module "/usr/lib64/pkcs11/libsofthsm2.so"
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056575: PKINIT PKCS#11 slotid 1647404284 token SSSD Test Token
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][SSSD Test Token                  PIN].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for prompting by SSSD.Error [-1765328254/Cannot read password] is expected.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056576: PKINIT client has no configured identity; giving up
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056577: Preauth module pkinit (16) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][Enter OTP Token Value].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for prompting by SSSD.Error [-1765328254/Cannot read password] is expected.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056578: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056579: SPAKE challenge received with group 1, pubkey 3271D46DA2D1878FFB951601638A7EFCEFD04F3712F28519F5B991C0880C4C03
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][Password for [email protected]].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for prompting by SSSD.Error [-1765328254/Cannot read password] is expected.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056580: Preauth module spake (151) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] sss_krb5_prompter name [(null)] banner [(null)] num_prompts [1].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x4000): [RID#12] Prompt [0][Password for [email protected]].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_prompter] (0x0200): [RID#12] Prompter interface isn't used for prompting by SSSD.Error [-1765328254/Cannot read password] is expected.
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056581: Preauth module encrypted_challenge (138) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
(2024-03-20 10:46:14): [krb5_child[2260]] [k5c_send_data] (0x0200): [RID#12] Received error code 0
(2024-03-20 10:46:14): [krb5_child[2260]] [pack_response_packet] (0x2000): [RID#12] response packet size: [31]
(2024-03-20 10:46:14): [krb5_child[2260]] [k5c_send_data] (0x4000): [RID#12] Response sent.
(2024-03-20 10:46:14): [krb5_child[2260]] [main] (0x0400): [RID#12] krb5_child completed successfully

As you can see, otp, pkinit and password authentication are available and evaluated. I didn't add passkey or oauth2 because if one of those two methods is detected the related answer-functions will send back the related data immediately without evaluating the other methods. To allow the user a full selection of all available authentication types I think we have to modify the related answer function to prepare the data and set a flag that the krb5_child must be kept running and send the data back only after all available methods are evaluated.

Additionally, I think the code related to text-based prompting needs some additional work as well to allow proper fallback between the different available methods.

bye,
Sumit
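The log excerpt above is dense, and the PR description states the selection rule only in prose: every responder question (pkinit, otp, password) becomes a selectable method, and password is the fallback when no question was asked at all. The following is an added example, not SSSD's code and not from the PR, that parses the krb5_child.log message formats visible above (the "Processing preauth types" trace line, the "Got question [...]" responder lines and the "Preauth module ... returned" lines), lists what the KDC offered versus what the responder actually turned into questions, applies the selection-with-fallback rule, and flags module errors other than the expected "Cannot read password". The sample log is a trimmed copy of the lines quoted above, the method preference order (Smartcard/pkinit first) is a hypothetical model of the behaviour described in the pam_sss commit message, and the mapping from PA type to responder question covers only PKINIT and OTP.

```python
"""Parse SSSD krb5_child.log pre-auth traces and derive the auth methods that
would be offered. Added example; not SSSD code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# krb5 returns this when the prompter refuses to prompt; the log line text
# "Cannot read password" is the krb5 message for KRB5_LIBOS_CANTREADPWD.
KRB5_LIBOS_CANTREADPWD = -1765328254

# Hypothetical preference order modelling "prefer Smartcard if present":
# pkinit first, then otp, then password.
METHOD_PREFERENCE = ("pkinit", "otp", "password")

# KDC pre-auth types that map directly to a responder question.
PA_TO_QUESTION = {"PA-PK-AS-REQ": "pkinit", "PA-OTP-CHALLENGE": "otp"}

RE_PREAUTH_TYPES = re.compile(r"Processing preauth types: (?P<list>.*)$")
RE_PA_ITEM = re.compile(r"(?P<name>[A-Za-z0-9_\-]+) \((?P<num>\d+)\)")
RE_QUESTION = re.compile(r"\[sss_krb5_responder\] .*Got question \[(?P<q>[a-z0-9_]+)\]")
RE_MODULE = re.compile(
    r"Preauth module (?P<mod>\w+) \((?P<num>\d+)\) \((?P<kind>\w+)\) returned: "
    r"(?P<code>-?\d+)/(?P<msg>.*)$"
)

# Constructed sample: trimmed copy of the krb5_child.log lines quoted above.
SAMPLE_LOG = """\
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056565: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA-SPAKE (151), PA-ENCRYPTED-CHALLENGE (138), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [pkinit].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [otp].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_krb5_responder] (0x4000): [RID#12] Got question [password].
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056571: Preauth module pkinit (147) (info) returned: 0/Success
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056577: Preauth module pkinit (16) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [sss_child_krb5_trace_cb] (0x4000): [RID#12] [2260] 1710931574.056578: Preauth module otp (141) (real) returned: -1765328254/Cannot read password
(2024-03-20 10:46:14): [krb5_child[2260]] [get_and_save_tgt] (0x0400): [RID#12] krb5_get_init_creds_password returned [-1765328174] during pre-auth.
"""


@dataclass
class PreauthTrace:
    kdc_types: dict[str, int] = field(default_factory=dict)   # PA name -> PA number
    questions: list[str] = field(default_factory=list)        # responder questions, in order seen
    module_results: list[tuple[str, int, str, int]] = field(default_factory=list)  # (module, pa, kind, code)


def parse_krb5_child_log(text: str) -> PreauthTrace:
    """Extract KDC-offered PA types, responder questions and module results."""
    trace = PreauthTrace()
    for line in text.splitlines():
        m = RE_PREAUTH_TYPES.search(line)
        if m:
            for item in RE_PA_ITEM.finditer(m.group("list")):
                trace.kdc_types[item.group("name")] = int(item.group("num"))
            continue
        m = RE_QUESTION.search(line)
        if m:
            if m.group("q") not in trace.questions:
                trace.questions.append(m.group("q"))
            continue
        m = RE_MODULE.search(line)
        if m:
            trace.module_results.append(
                (m.group("mod"), int(m.group("num")), m.group("kind"), int(m.group("code"))))
    return trace


def select_auth_types(questions: list[str]) -> list[str]:
    """Methods to offer, in preference order; no questions at all -> password fallback."""
    offered = [meth for meth in METHOD_PREFERENCE if meth in questions]
    return offered or ["password"]


def offered_but_not_asked(trace: PreauthTrace) -> list[str]:
    """PA types the KDC advertised whose client plugin never raised a question."""
    return [pa for pa, q in PA_TO_QUESTION.items()
            if pa in trace.kdc_types and q not in trace.questions]


def unexpected_module_errors(trace: PreauthTrace) -> list[tuple[str, int, int]]:
    """Real module failures other than the expected 'Cannot read password' during pre-auth."""
    return [(mod, pa, code) for mod, pa, kind, code in trace.module_results
            if kind == "real" and code not in (0, KRB5_LIBOS_CANTREADPWD)]


if __name__ == "__main__":
    t = parse_krb5_child_log(SAMPLE_LOG)
    print("KDC offered:", sorted(t.kdc_types))
    print("responder questions:", t.questions)
    print("would offer:", select_auth_types(t.questions))
    print("offered but not asked:", offered_but_not_asked(t))
    print("unexpected errors:", unexpected_module_errors(t))
```

Pointing this at a real /var/log/sssd/krb5_child.log (with a domain debug_level high enough to include the 0x4000 trace lines) shows at a glance whether a missing method is the KDC's doing (type not in "Processing preauth types"), the client plugin's (type offered but no question raised) or the selection logic's (question raised but not offered).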

Contributor

@aplopez aplopez left a comment


I just have one remark about a message. ACK otherwise.

src/providers/krb5/krb5_child.c (Outdated, resolved)
Originally, when there was only password and OTP authentication, we
checked for password authentication and used OTP as a fallback. This was
continued as other (pre)-authentication types were added. But so far
only one authentication type was returned.

This changed recently to allow the user a better selection and, as a
result, OTP cannot be handled as a fallback anymore but has to be added
to the selection. In case there are no types (questions) available,
password is now used as a fallback.

Resolves: SSSD#7152
The current behavior is that Smartcard authentication is preferred if
possible, i.e. if a Smartcard is present. Since the Smartcard (or
equivalent) must be inserted manually the assumption is that if the user
has inserted it they most probably want to use it for authentication.

With the latest patches pam_sss might receive multiple available
authentication methods. With this patch the checks for available
authentication types start with Smartcard authentication to mimic the
existing behavior.

Resolves: SSSD#7152
Contributor

@justin-stephenson justin-stephenson left a comment


Ack, thanks for your work on this.

@alexey-tikhonov
Member

Pushed PR: #7243

  • master
    • 0d5e8f1 - pam_sss: prefer Smartcard authentication
    • e26cc69 - krb5: make prompter and pre-auth debug message less irritating
    • 7c33f9d - krb5: make sure answer_pkinit() use matching debug messages
    • bf6cb6d - krb5: add OTP to krb5 response selection
  • sssd-2-9
    • d06b4a3 - pam_sss: prefer Smartcard authentication
    • 87b54bd - krb5: make prompter and pre-auth debug message less irritating
    • c3725a1 - krb5: make sure answer_pkinit() use matching debug messages
    • 5b9bc0a - krb5: add OTP to krb5 response selection


Successfully merging this pull request may close these issues.

passkey cannot fall back to password
4 participants