[keycloak-user] Authentication failed: org.jvnet.libpam.PAMException

mizuki mizuki0621 at gmail.com
Tue Mar 19 15:55:47 EDT 2019


Hi Bruno Et al,

If possible, please advise the next approach, to me it seems like a bug.

As a workaround, it is possible to enable OTP embedded with keycloak, we
the preferred way is to have QR code stored in the central database such as
IPA, so we can extend the features to other services ideaily (enabled OTP
on gateway for example).

Another question is, if it's possible to separate the Password & OTP for
users to type in instead of combining them in one input box.  SSH login
separates them as 'First Factor' and 'Second Factor' to allow you type in
separately which is nice. The OTP coming with Keyclak does the same
things,  Password and OTP are separate input boxes, ease to reduce the
possible mistakes. Especially when OTP is time based, it would be very much
a hassle for users to type in Password and OTP all at once in one box.

Please advice & thanks so much!
Mizuki

On Thu, Mar 14, 2019 at 8:37 PM mizuki <mizuki0621 at gmail.com> wrote:

> See pamtester went successful with both cases (whether both OTP and
> password enabled or OTP only)
>
> Case 1: Both Password and OTP are enabled:
>
> *[root at mktst1 ~]# pamtester keycloak mmstestu authenticate*
> First Factor:
> Second Factor (optional):
> pamtester: successfully authenticated
>
> Case 2: Enabled OTP only:
> *[root at mktst1 ~]# pamtester Keycloak mmstestu authenticate*
> First Factor:
> Second Factor:
> pamtester: successfully authenticated
>
> Note
> Thanks.
>
> On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira <bruno at abstractj.org>
> wrote:
>
>> What is the output from pamtester?
>>
>> On Thu, Mar 14, 2019, 5:42 PM mizuki <mizuki0621 at gmail.com> wrote:
>>
>>> Thanks for the response, Bruno.
>>>
>>> I certainly went through the documents and examed configurations
>>> carefully. I attached KRB log from IPA server as well as /var/log/secure
>>> from Keycloak server as supporting evidences (high lighted with blue for
>>> important portions).
>>>
>>> In the case when both 'password' and 'otp' are enabled to the user in
>>> IPA, Keycloak failed to authenticate user with either the password or otp.
>>>
>>> [root at idm01 ~]# ipa user-show mmstestu
>>>   User login: mmstestu
>>>   First name: Test
>>>   Last name: 55555
>>>   Home directory: /u0b/mmstestu
>>>   Login shell: /bin/bash
>>>   Principal name: mmstestu at SDCC.BNL.GOV
>>>   Principal alias: mmstestu at SDCC.BNL.GOV
>>>   Kerberos principal expiration: 20690301145828Z
>>>   Email address: smithj4 at example.com
>>>   UID: 7041
>>>   GID: 9965
>>>   SSH public key fingerprint:
>>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>>>   User authentication types: otp, password
>>>   Account disabled: False
>>>   Password: True
>>>   Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>>>   Member of HBAC rule: mktst1
>>>   Kerberos keys available: True
>>>
>>> Krb log on IPA server shows following:
>>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH:
>>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional
>>> pre-authentication required
>>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED:
>>> mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect
>>> password in encrypted challenge
>>>
>>> /var/log/secure log on KeyCloak server:
>>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=
>>> user=mmstestu
>>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> received for user mmstestu: 17 (Failure setting user credentials)
>>>
>>> In ../log/server.log on KeyCloak server:
>>> 2019-03-14 16:24:36,844 ERROR
>>> [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2)
>>> Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>>> failed : Permission denied
>>>     at org.jvnet.libpam.PAM.check(PAM.java:113)
>>>     at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>>>     at
>>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>>>     at
>>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>>>     at
>>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>>>     at
>>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>>>     at
>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>>>     at
>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
>>>     at
>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
>>>     at
>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
>>>     at
>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
>>>     at
>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
>>>     at
>>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>>>     at
>>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>>>     at
>>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
>>>     at
>>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
>>>     at
>>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>     at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
>>>     at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>>>     at java.lang.reflect.Method.invoke(Method.java:508)
>>>     at
>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown
>>> Source)
>>>     at
>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>>>     at
>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>>>     at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>>>     at
>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown
>>> Source)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown
>>> Source)
>>>     at
>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>>>     at
>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>>>     at
>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>>>     at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>     at
>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>>>     at
>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>>>     at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>     at
>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>     at
>>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>     at
>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>     at
>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>     at
>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>     at
>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>>>     at
>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>     at
>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>     at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at
>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>>>     at
>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>     at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at
>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>     at
>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>     at
>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>     at
>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>     at
>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>     at
>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>     at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at
>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>     at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at
>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>     at
>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>     at
>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>     at
>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>     at
>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>     at
>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown
>>> Source)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>>> Source)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>>> Source)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>>> Source)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>     at
>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown
>>> Source)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>     at
>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>     at
>>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>>     at
>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>>     at
>>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>>     at
>>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>>     at
>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>>     at
>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>>     at java.lang.Thread.run(Thread.java:812)
>>>
>>> Then if I remove the 'password' option and leaves 'otp' only for the
>>> user, KeyCloak does actually authenticate fine (password + QRCode combined
>>> with no space): Following are logs when it successes:
>>>
>>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
>>> ------------------------
>>> Modified user "mmstestu"
>>> ------------------------
>>>   User login: mmstestu
>>>   First name: Test
>>>   Last name: 55555
>>>   Home directory: /u0b/mmstestu
>>>   Login shell: /bin/bash
>>>   Principal name: mmstestu at SDCC.BNL.GOV
>>>   Principal alias: mmstestu at SDCC.BNL.GOV
>>>   Kerberos principal expiration: 20690301145828Z
>>>   Email address: smithj4 at example.com
>>>   UID: 7041
>>>   GID: 9965
>>>   SSH public key fingerprint:
>>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
>>>   User authentication types: otp
>>>   Account disabled: False
>>>   Password: True
>>>   Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
>>>   Member of HBAC rule: mktst1
>>>   Kerberos keys available: True
>>>
>>> In KRB log on IPA server:
>>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime
>>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for
>>> krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
>>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8
>>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime
>>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for
>>> host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
>>>
>>> In /var/log/secure on KeyCloak server:
>>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth):
>>> authentication success; logname=root uid=0 euid=0 tty= ruser= rhost=
>>> user=mmstestu
>>>
>>> Please advice.
>>> Thanks.
>>> Mizuki
>>>
>>>
>>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira <bruno at abstractj.org>
>>> wrote:
>>>
>>>> Hi Mizuki,
>>>>
>>>> In the scenario you described Keycloak just relies on PAM to
>>>> authenticate the user.  What I'd do before configure Keycloak is to try
>>>> dbus-send and pamtester, just to make sure that my setup works.
>>>>
>>>> So here's my suggestion, try to run pamtester -v keycloak youruser.  If
>>>> pamtester does not authenticate your user, there's a chance that
>>>> something is wrong with your setup. Certainly worth to review our
>>>> docs[1].
>>>>
>>>> [1] -
>>>> https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
>>>>
>>>> On 2019-03-05, mizuki wrote:
>>>> > Hi,
>>>> >
>>>> > We are currently evaluating keycloak as a possible authentication
>>>> mechanism
>>>> > deployed to our facility.
>>>> > We use kerberos for user authentication with FreeIPA and configured
>>>> sssd
>>>> > for user federation in keycloak (follow the official document both
>>>> from
>>>> > keycloak and freeipa.org)
>>>> > One of the requirement we desire is to enable kerboros password for
>>>> SSH
>>>> > login and enabled 'otp' for HTTP based applications.
>>>> >
>>>> > To do so,
>>>> > 1. We enabled both user-auth-types for the user:
>>>> > - password
>>>> > - password + otp
>>>> >
>>>> > 2. Created HBAC rules in IPA, allowing keycloak server access for
>>>> following
>>>> > services: (I purposely did not enable 'otp' at this point as I want to
>>>> > verify both 'password' and 'otp' shall work)
>>>> > - keycloak
>>>> > - sshd
>>>> >
>>>> > 3. Confimred sshd worked with both 'password' and 'otp' types via
>>>> PAM/SSSD,
>>>> > then I went ahead and accessed URL that is protected by keycloak,
>>>> > 'password' works but 'otp' won't, the following ERRORs were seen in
>>>> > keycloak's server.log:
>>>> > -----------
>>>> > 019-03-04 17:01:20,246 WARN  [org.keycloak.events] (default task-22)
>>>> > type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03,
>>>> > userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120,
>>>> > error=invalid_user_credentials, auth_method=openid-connect,
>>>> auth_type=code,
>>>> > redirect_uri=https://www.example.com/secure/
>>>> > <https://vproxytest03.racf.bnl.gov/secure/>*,
>>>> > code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
>>>> > 2019-03-04 17:01:43,033 ERROR
>>>> > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22)
>>>> > Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate
>>>> > failed : Permission denied
>>>> >     at org.jvnet.libpam.PAM.check(PAM.java:113)
>>>> >     at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
>>>> >     at
>>>> >
>>>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
>>>> >
>>>> >     at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source)
>>>> >     at
>>>> >
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
>>>> >
>>>> >     at java.lang.reflect.Method.invoke(Method.java:508)
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> >
>>>> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> >
>>>> >     at
>>>> >
>>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> >
>>>> >     at
>>>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>>>> >
>>>> >     at
>>>> >
>>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown
>>>> > Source)
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> >
>>>> >     at
>>>> >
>>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>>>> >
>>>> >     at
>>>> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>>>> >     at
>>>> >
>>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>>>> >     at
>>>> >
>>>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>>>> >
>>>> >     at
>>>> >
>>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>>>> >
>>>> >     at java.lang.Thread.run(Thread.java:812)
>>>> > ------------------
>>>> >
>>>> > Interesting thing is keycloak handles OTP just fine if I have
>>>> > 'password+otp' only checked on,  then we won't be able to log onto the
>>>> > machines via SSH using password, that defeats our purposes.
>>>> >
>>>> > I tested different version of JAVA and the latest keycloak (4.8.3)
>>>> version
>>>> > (on REHL 7), all got the same results.
>>>> > I'm wondering if this is more likely a bug or I missed something.
>>>> > I'd appreciate if someone can advice what the approach is.
>>>> >
>>>> > Thank you very much.
>>>> >
>>>> > Mizuki
>>>> > _______________________________________________
>>>> > keycloak-user mailing list
>>>> > keycloak-user at lists.jboss.org
>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>> --
>>>>
>>>> abstractj
>>>>
>>>


More information about the keycloak-user mailing list