[keycloak-user] Authentication fails for OTP user with kerberos

Jochen Hein jochen at jochen.org
Wed Jan 17 00:16:45 EST 2018


I'm running FreeIPA and have users with and without OTP.  OTP users
authenticate with RADIUS (Privacyidea manages the tokens). My final goal
is that users with a kerberos ticket can authenticate without password
and users without ticket get asked for password+OTP (when configured).

In FreeIPA a user is defined with password and radius authentication:

$ ipa user-show jochen
  User login: jochen
...
  Kerberos principal: jochen at EXAMPLE.ORG
...
  User authentication types: password, radius

According to the FreeIPA docs LDAP bind works with password only, but
kerberos needs password+OTP. That works fine with sssd and other
applications.

I'm now running keycloak 3.4.2 and played with it.  I've added a User
Federation with LDAP to my FreeIPA server and enabled "Allow Kerberos
Authentication".  After that I can log in with my Kerberos ticket
without further authentication.  If I don't have a Kerberos ticket
keycloak asks me for username and password - authentication works with
LDAP bind as long as "Use Kerberos For Password Authentication" is
disabled.

For a regular (non-OTP) user I can authenticate with a Kerberos ticket.
If the user does not have a Kerberos ticket, he is asked for username
and password as expected, and authentication is successful.

Another user with OTP-authentication in FreeIPA can also authenticate
with his Kerberos ticket.

If the OTP-user does not have a Kerberos ticket, keycloak asks for
username and password (as expected).  If the user federation has "Use
Kerberos for Password Authentication" not selected, the user in
FreeIPA needs to have password+OTP (or password+RADIUS) allowed and
can authenticate against FreeIPA-LDAP with password only - that's not
what I want[1].

When I enable "Use Kerberos For Password Authentication" non-OTP users
can still authenticate, but OTP users can't. According to
https://www.freeipa.org/page/V4/OTP#How_to_Test 
"Kerberos FAST is required for OTP operations." - and that's true.

If I just use kinit I get "Generic preauthentication failure while
getting initial credentials".  The kerberos log has:

Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.x: NEEDED_PREAUTH: jochen at EXAMPLE.ORG for krbtgt/JOCHEN.ORG at EXAMPLE.ORG, Additional pre-authentication required
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): preauth (encrypted_timestamp) verify failure: No matching key in entry
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) x.x.x.127: PREAUTH_FAILED: jochen at EXAMPLE.ORG for krbtgt/JOCHEN.ORG at EXAMPLE.ORG, Preauthentication failed

debug log from keycloak:

2017-08-08 21:24:17,473 INFO  [stdout] (default task-1) Debug is  true storeKey true useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-08-08 21:24:17,473 INFO  [stdout] (default task-1)                 [Krb5LoginModule] user entered username: jochen at EXAMPLE.ORG
2017-08-08 21:24:17,473 INFO  [stdout] (default task-1) 
2017-08-08 21:24:17,605 INFO  [stdout] (default task-1)                 [Krb5LoginModule] authentication failed 
2017-08-08 21:24:17,605 INFO  [stdout] (default task-1) Pre-authentication information was invalid (24) - PREAUTH_FAILED
2017-08-08 21:24:17,606 WARN  [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=jochen.org, clientId=account, userId=3ebc8518-a488-4dce-bd94-4a72c03a5ed9, ipAddress=192.168.yy.xx, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://saml.jochen.org/auth/realms/jochen.org/account/login-redirect, code_id=eefbcc3e-f581-465c-bc28-7e37fc939ae6, username=jochen at example.org

That looks like there is no FAST implemented, but that or Anonymous PKINIT
seems to be needed for OTP authentication through Kerberos:

https://www.freeipa.org/page/V4/OTP
https://www.freeipa.org/page/V4/Kerberos_PKINIT

On my systems the OTP-user can't kinit directly, but needs to "kinit -n"
first:

$ kinit otpuser
kinit: Pre-authentication failed: invalid argument while getting initial credentials
$ kinit -n
$ klist
Ticket cache: KEYRING:persistent:1004:1004
Default principal: WELLKNOWN/ANONYMOUS at WELLKNOWN:ANONYMOUS

Valid starting       Expires              Service principal
04.11.2017 18:31:20  05.11.2017 18:31:20  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG

$ kinit -T KEYRING:persistent:1004:1004 otpuser
Enter OTP Token Value: 
$ klist
Ticket cache: KEYRING:persistent:1004:krb_ccache_ZKhNrfE
Default principal: otpuser at EXAMPLE.ORG

Valid starting       Expires              Service principal
04.11.2017 18:31:48  05.11.2017 18:31:37  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG

After some research I think that JDK doesn't implement FAST for now and
the tickets/messages I found looked like it will be some time until that
might be implemented (if ever).

Would it be possible to implement that in keycloak?
https://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/
has some python code that is implementing that for FreeIPA.
I've looked at
https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/main/java/org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.java#L120
but don't see how that might be implemented there...

I've already tried to add two providers to my user federation, LDAP and sssd.
sssd can authenticate my otpuser with password+OTP fine. But I couldn't
get authentication with Kerberos ticket to work when I have both providers
active. Is that something that should work?

Any ideas?

Thanks,
Jochen
[1] password allows authentication to LDAP (no OTP). RADIUS or OTP
authenticates against Kerberos, which handles OTP and RADIUS
and needs password+OTP.

-- 
This space is intentionally left blank.
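Added example, not from Jochen's mail and not code from keycloak or FreeIPA: a small triage script for the krb5kdc log pattern quoted above, so an operator can spot OTP users whose client (here the JDK Krb5LoginModule) sent a password AS-REQ without FAST armor. It assumes the krb5kdc log format shown in the mail; the sample log is constructed, with the list archive's " at " obfuscation written back as "@".

```python
import re

# Constructed sample log, modelled on the krb5kdc lines quoted in the mail above
# (hostname, addresses and principals are placeholders, not real values).
SAMPLE_KDC_LOG = """\
Aug 08 21:24:17 kdc1 krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: NEEDED_PREAUTH: jochen@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 08 21:24:17 kdc1 krb5kdc[4442](info): preauth (encrypted_timestamp) verify failure: No matching key in entry
Aug 08 21:24:17 kdc1 krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: PREAUTH_FAILED: jochen@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Preauthentication failed
Aug 08 21:25:02 kdc1 krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 08 21:25:02 kdc1 krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: ISSUE: authtime 1502224402, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
"""

AS_REQ_RE = re.compile(r"AS_REQ \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+):")
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")
VERIFY_FAIL_RE = re.compile(r"preauth \((?P<mech>\w+)\) verify failure: (?P<reason>.+)$")

def triage_kdc_log(text):
    """Pair each PREAUTH_FAILED AS_REQ with the 'preauth (...) verify failure' line
    the KDC logs just before it (that line carries the reason but no principal)."""
    findings, pending = [], None
    for line in text.splitlines():
        vf = VERIFY_FAIL_RE.search(line)
        if vf:
            pending = (vf.group("mech"), vf.group("reason"))
            continue
        req = AS_REQ_RE.search(line)
        if not req:
            continue
        if req.group("status") == "PREAUTH_FAILED":
            who = PRINCIPALS_RE.search(line)
            mech, reason = pending or (None, None)
            findings.append({"client": who.group("client") if who else None,
                             "ip": req.group("ip"), "mech": mech, "reason": reason})
        pending = None  # any other AS_REQ outcome (NEEDED_PREAUTH, ISSUE) resets state
    return findings

def looks_like_unarmored_otp_attempt(finding):
    """The signature the mail shows for an OTP user whose client sent no FAST armor:
    encrypted_timestamp preauth fails with 'No matching key in entry'."""
    return (finding["mech"] == "encrypted_timestamp"
            and finding["reason"] == "No matching key in entry")

def unarmored_attempts_by_client(text):
    """Count suspected FAST-less OTP login attempts per client principal."""
    counts = {}
    for f in triage_kdc_log(text):
        if looks_like_unarmored_otp_attempt(f):
            counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts
```

A principal that keeps showing up here while the same user succeeds with "kinit -n" plus "kinit -T" is a client-side FAST gap, not a bad token, which is the distinction worth making before opening a ticket against the IdP.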
