[keycloak-user] Authentication failed: org.jvnet.libpam.PAMException

mizuki mizuki0621 at gmail.com
Wed Mar 20 10:17:39 EDT 2019


Hi Bruno,

That's exactly what we were trying to do, in line with your suggestion (if I
interpreted your message correctly).
------
The only way to enable OTP using IPA + Keycloak is to scan the QR code on
IPA server and later use it with password + OTP in the Keycloak form.
------

Scanning the QR code using IPA (NOT the Keycloak QR code, to be clear) only
works when the user has the 'Two factor authentication' option checked as the
User authentication type. If the user also has 'password' checked, Keycloak
fails to authenticate the user. But the same PAM stack used by SSH
authenticates the user just fine (all my previous emails prove that).

There are 3 'User authentication types' to choose from for individual users
in IPA:
- Password
- RADIUS
- Two factor authentication (password + OTP)

I'm attaching a screenshot from IPA Web UI.

Thanks.
Mizuki




On Wed, Mar 20, 2019 at 9:52 AM Bruno Oliveira <bruno at abstractj.org> wrote:

> Hi Mizuki, I'm afraid to say that's not a bug. Some answers inline.
>
> On 2019-03-19, mizuki wrote:
> > Hi Bruno Et al,
> >
> > If possible, please advise the next approach, to me it seems like a bug.
> >
> > As a workaround, it is possible to enable the OTP embedded in Keycloak, but
> > the preferred way is to have the QR code stored in a central database such
> > as IPA, so we can ideally extend the feature to other services (enabling
> > OTP on a gateway, for example).
>
> The only way to enable OTP using IPA + Keycloak is to scan the QR code on
> IPA server and later use it with password + OTP in the Keycloak form.
>
> >
> > Another question is whether it's possible to separate the Password & OTP
> > for users to type in, instead of combining them in one input box.  SSH login
> > separates them as 'First Factor' and 'Second Factor' to allow you to type
> > them in separately, which is nice. The OTP coming with Keycloak does the
> > same thing: Password and OTP are separate input boxes, which helps reduce
> > possible mistakes. Especially when the OTP is time based, it would be very
> > much a hassle for users to type in Password and OTP all at once in one box.
>
> That's not supported at the moment. Our team is unable to fit this
> suggestion into our current workload and priorities, but we would gladly
> review any PR submitted with tests and documentation.
>
> >
> > Please advise & thanks so much!
> > Mizuki
> >
> > On Thu, Mar 14, 2019 at 8:37 PM mizuki <mizuki0621 at gmail.com> wrote:
> >
> > > See, pamtester was successful in both cases (whether both OTP and
> > > password are enabled, or OTP only):
> > >
> > > Case 1: Both Password and OTP are enabled:
> > >
> > > [root at mktst1 ~]# pamtester keycloak mmstestu authenticate
> > > First Factor:
> > > Second Factor (optional):
> > > pamtester: successfully authenticated
> > >
> > > Case 2: Enabled OTP only:
> > > [root at mktst1 ~]# pamtester Keycloak mmstestu authenticate
> > > First Factor:
> > > Second Factor:
> > > pamtester: successfully authenticated
> > >
> > > Note
> > > Thanks.
> > >
> > > On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira <bruno at abstractj.org>
> > > wrote:
> > >
> > >> What is the output from pamtester?
> > >>
> > >> On Thu, Mar 14, 2019, 5:42 PM mizuki <mizuki0621 at gmail.com> wrote:
> > >>
> > >>> Thanks for the response, Bruno.
> > >>>
> > >>> I certainly went through the documents and examined the configurations
> > >>> carefully. I attached the KRB log from the IPA server as well as
> > >>> /var/log/secure from the Keycloak server as supporting evidence
> > >>> (highlighted in blue for the important portions).
> > >>>
> > >>> In the case when both 'password' and 'otp' are enabled for the user in
> > >>> IPA, Keycloak failed to authenticate the user with either the password or
> > >>> the OTP.
> > >>>
> > >>> [root at idm01 ~]# ipa user-show mmstestu
> > >>>   User login: mmstestu
> > >>>   First name: Test
> > >>>   Last name: 55555
> > >>>   Home directory: /u0b/mmstestu
> > >>>   Login shell: /bin/bash
> > >>>   Principal name: mmstestu at SDCC.BNL.GOV
> > >>>   Principal alias: mmstestu at SDCC.BNL.GOV
> > >>>   Kerberos principal expiration: 20690301145828Z
> > >>>   Email address: smithj4 at example.com
> > >>>   UID: 7041
> > >>>   GID: 9965
> > >>>   SSH public key fingerprint:
> > >>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> > >>>   User authentication types: otp, password
> > >>>   Account disabled: False
> > >>>   Password: True
> > >>>   Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> > >>>   Member of HBAC rule: mktst1
> > >>>   Kerberos keys available: True
> > >>>
> > >>> The KRB log on the IPA server shows the following:
> > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Additional pre-authentication required
> > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV, Incorrect password in encrypted challenge
> > >>>
> > >>> The /var/log/secure log on the KeyCloak server:
> > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): received for user mmstestu: 17 (Failure setting user credentials)
> > >>>
> > >>> In ../log/server.log on the KeyCloak server:
> > >>> 2019-03-14 16:24:36,844 ERROR [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate failed : Permission denied
> > >>>     at org.jvnet.libpam.PAM.check(PAM.java:113)
> > >>>     at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> > >>>     at org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> > >>>     at org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> > >>>     at org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> > >>>     at org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> > >>>     at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> > >>>     at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> > >>>     at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> > >>>     at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> > >>>     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> > >>>     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> > >>>     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> > >>>     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> > >>>     at org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> > >>>     at org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> > >>>     at org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> > >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
> > >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> > >>>     at java.lang.reflect.Method.invoke(Method.java:508)
> > >>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown Source)
> > >>>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> > >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> > >>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> > >>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown Source)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown Source)
> > >>>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> > >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> > >>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> > >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > >>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> > >>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> > >>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > >>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > >>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> > >>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > >>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > >>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > >>>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> > >>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > >>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> > >>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > >>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > >>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > >>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > >>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > >>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> > >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> > >>>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> > >>>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> > >>>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> > >>>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown Source)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown Source)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > >>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> > >>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> > >>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> > >>>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> > >>>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> > >>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> > >>>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> > >>>     at java.lang.Thread.run(Thread.java:812)
> > >>>
> > >>> Then if I remove the 'password' option and leave 'otp' only for the
> > >>> user, KeyCloak does actually authenticate fine (password + QR code
> > >>> combined with no space). Following are the logs when it succeeds:
> > >>>
> > >>> [root at idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp
> > >>> ------------------------
> > >>> Modified user "mmstestu"
> > >>> ------------------------
> > >>>   User login: mmstestu
> > >>>   First name: Test
> > >>>   Last name: 55555
> > >>>   Home directory: /u0b/mmstestu
> > >>>   Login shell: /bin/bash
> > >>>   Principal name: mmstestu at SDCC.BNL.GOV
> > >>>   Principal alias: mmstestu at SDCC.BNL.GOV
> > >>>   Kerberos principal expiration: 20690301145828Z
> > >>>   Email address: smithj4 at example.com
> > >>>   UID: 7041
> > >>>   GID: 9965
> > >>>   SSH public key fingerprint:
> > >>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa)
> > >>>   User authentication types: otp
> > >>>   Account disabled: False
> > >>>   Password: True
> > >>>   Member of groups: ipausers, rhloi13, ravendor, webstaff, eic
> > >>>   Member of HBAC rule: mktst1
> > >>>   Kerberos keys available: True
> > >>>
> > >>> In the KRB log on the IPA server:
> > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV at SDCC.BNL.GOV
> > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu at SDCC.BNL.GOV for host/mktst1.sdcc.bnl.gov at SDCC.BNL.GOV
> > >>>
> > >>> In /var/log/secure on the KeyCloak server:
> > >>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= user=mmstestu
> > >>>
> > >>> Please advise.
> > >>> Thanks.
> > >>> Mizuki
> > >>>
> > >>>
> > >>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira <bruno at abstractj.org>
> > >>> wrote:
> > >>>
> > >>>> Hi Mizuki,
> > >>>>
> > >>>> In the scenario you described Keycloak just relies on PAM to
> > >>>> authenticate the user.  What I'd do before configuring Keycloak is to
> > >>>> try dbus-send and pamtester, just to make sure that my setup works.
> > >>>>
> > >>>> So here's my suggestion: try to run pamtester -v keycloak youruser.  If
> > >>>> pamtester does not authenticate your user, there's a chance that
> > >>>> something is wrong with your setup. Certainly worth reviewing our
> > >>>> docs [1].
> > >>>>
> > >>>> [1] -
> > >>>> https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd
> > >>>>
> > >>>> On 2019-03-05, mizuki wrote:
> > >>>> > Hi,
> > >>>> >
> > >>>> > We are currently evaluating Keycloak as a possible authentication
> > >>>> > mechanism deployed to our facility.
> > >>>> > We use Kerberos for user authentication with FreeIPA and configured
> > >>>> > sssd for user federation in Keycloak (following the official documents
> > >>>> > from both keycloak and freeipa.org).
> > >>>> > One of the requirements we desire is to enable the Kerberos password
> > >>>> > for SSH login and enable 'otp' for HTTP-based applications.
> > >>>> >
> > >>>> > To do so,
> > >>>> > 1. We enabled both user-auth-types for the user:
> > >>>> > - password
> > >>>> > - password + otp
> > >>>> >
> > >>>> > 2. Created HBAC rules in IPA, allowing Keycloak server access for the
> > >>>> > following services: (I purposely did not enable 'otp' at this point as I
> > >>>> > want to verify that both 'password' and 'otp' shall work)
> > >>>> > - keycloak
> > >>>> > - sshd
> > >>>> >
> > >>>> > 3. Confirmed sshd worked with both 'password' and 'otp' types via
> > >>>> > PAM/SSSD, then I went ahead and accessed a URL that is protected by
> > >>>> > Keycloak: 'password' works but 'otp' won't; the following ERRORs were
> > >>>> > seen in Keycloak's server.log:
> > >>>> > -----------
> > >>>> > 2019-03-04 17:01:20,246 WARN  [org.keycloak.events] (default task-22) type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri=https://www.example.com/secure/ <https://vproxytest03.racf.bnl.gov/secure/>, code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu
> > >>>> > 2019-03-04 17:01:43,033 ERROR
> > >>>> > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default
> task-22)
> > >>>> > Authentication failed: org.jvnet.libpam.PAMException:
> pam_authenticate
> > >>>> > failed : Permission denied
> > >>>> >     at org.jvnet.libpam.PAM.check(PAM.java:113)
> > >>>> >     at org.jvnet.libpam.PAM.authenticate(PAM.java:129)
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320)
> > >>>> >
> > >>>> >     at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown
> Source)
> > >>>> >     at
> > >>>> >
> > >>>>
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
> > >>>> >
> > >>>> >     at java.lang.reflect.Method.invoke(Method.java:508)
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown
> > >>>> > Source)
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown
> > >>>> > Source)
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown
> > >>>> > Source)
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > >>>> >
> > >>>> >     at
> javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > >>>> >
> > >>>> >     at
> > >>>> >
> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
> > >>>> >
> > >>>> >     at
> > >>>> >
> > >>>>
> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > >>>> >
> > >>>> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > >>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
> > >>>> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > >>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > >>>> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > >>>> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > >>>> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > >>>> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > >>>> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > >>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > >>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>> >     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> > >>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> > >>>> >     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> > >>>> >     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> > >>>> >     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> > >>>> >     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown Source)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
> > >>>> >     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown Source)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > >>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> > >>>> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
> > >>>> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
> > >>>> >     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> > >>>> >     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> > >>>> >     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> > >>>> >     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> > >>>> >     at java.lang.Thread.run(Thread.java:812)
> > >>>> > ------------------
> > >>>> >
> > >>>> > The interesting thing is that Keycloak handles OTP just fine if I have
> > >>>> > only 'password+otp' checked, but then we won't be able to log onto the
> > >>>> > machines via SSH using a password, which defeats our purpose.
> > >>>> >
> > >>>> > I tested different versions of Java and the latest Keycloak version
> > >>>> > (4.8.3) on RHEL 7; all got the same results.
> > >>>> > I'm wondering whether this is more likely a bug or whether I missed something.
> > >>>> > I'd appreciate it if someone could advise what the approach is.
> > >>>> >
> > >>>> > Thank you very much.
> > >>>> >
> > >>>> > Mizuki
> > >>>> > _______________________________________________
> > >>>> > keycloak-user mailing list
> > >>>> > keycloak-user at lists.jboss.org
> > >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>>>
> > >>>> --
> > >>>>
> > >>>> abstractj
> > >>>>
> > >>>
>
> --
>
> abstractj
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Screen Shot 2019-03-20 at 10.14.49 AM.png
Type: image/png
Size: 50321 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190320/728137d6/attachment-0001.png 
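Added example, not code from this thread, from Keycloak, from the org.jvnet.libpam library named in the subject line, or from sssd: a small Python model of the PAM conversation protocol. The thread contrasts two prompting styles, a single field that takes password and OTP together (the Keycloak form) and an SSH login that asks for a 'First Factor' and then a 'Second Factor'. The model below shows what happens when a caller that can only hand over one secret string (the assumed behaviour of a one-shot authenticate(user, password) API, which answers every echo-off prompt with the same string) meets a stack that prompts once versus a stack that prompts twice, and what a conversation callback that keeps the factors apart does instead. The prompt texts, stack behaviours and credentials are constructed for the example; whether this is the actual cause of the failure reported in the thread is not established on this page and is treated here only as a hypothesis.

```python
# Model of the PAM conversation protocol (added example; not Keycloak, libpam4j
# or sssd code). The two "stacks" and the prompt texts are constructed to mirror
# the two prompting styles described in the thread.
from typing import Callable, List, Tuple

# PAM message styles, values as in <security/pam_appl.h>
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

# Constructed sample credentials for the example (not real).
PASSWORD = "correct-horse"
OTP = "123456"

# A conversation callback receives (style, message) and returns the reply text.
Conversation = Callable[[int, str], str]


def single_prompt_stack(conv: Conversation) -> bool:
    """Constructed stack: prompts once and expects password and OTP
    concatenated in a single reply (the combined-field style of the thread)."""
    answer = conv(PAM_PROMPT_ECHO_OFF, "Password: ")
    return answer == PASSWORD + OTP


def two_prompt_stack(conv: Conversation) -> bool:
    """Constructed stack: asks for each factor separately, like the SSH login
    described in the thread ('First Factor', then 'Second Factor')."""
    first = conv(PAM_PROMPT_ECHO_OFF, "First Factor: ")
    if first != PASSWORD:
        return False
    second = conv(PAM_PROMPT_ECHO_OFF, "Second Factor: ")
    return second == OTP


def same_answer_conv(secret: str, log: List[Tuple[str, str]]) -> Conversation:
    """Conversation of a one-shot authenticate(user, password) API (assumed
    behaviour): it cannot know how many prompts will come, so it answers every
    echo-off prompt with the same string and records the exchange in `log`."""
    def conv(style: int, msg: str) -> str:
        reply = secret if style == PAM_PROMPT_ECHO_OFF else ""
        log.append((msg, reply))
        return reply
    return conv


def factor_aware_conv(password: str, otp: str, log: List[Tuple[str, str]]) -> Conversation:
    """Conversation that keeps the factors apart and picks the reply from the
    prompt text; for a plain password prompt it falls back to the concatenation."""
    def conv(style: int, msg: str) -> str:
        if style != PAM_PROMPT_ECHO_OFF:
            reply = ""
        elif "second" in msg.lower():
            reply = otp
        elif "first" in msg.lower():
            reply = password
        else:
            reply = password + otp
        log.append((msg, reply))
        return reply
    return conv


def run_matrix() -> dict:
    """Run both conversation styles against both stacks.
    Returns {(conversation_name, stack_name): (authenticated, prompts_seen)}."""
    results = {}
    stacks = {"single_prompt": single_prompt_stack, "two_prompt": two_prompt_stack}
    for stack_name, stack in stacks.items():
        log: List[Tuple[str, str]] = []
        ok = stack(same_answer_conv(PASSWORD + OTP, log))
        results[("same_answer", stack_name)] = (ok, [m for m, _ in log])
        log = []
        ok = stack(factor_aware_conv(PASSWORD, OTP, log))
        results[("factor_aware", stack_name)] = (ok, [m for m, _ in log])
    return results


if __name__ == "__main__":
    for (conv_name, stack_name), (ok, prompts) in run_matrix().items():
        verdict = "PAM_SUCCESS" if ok else "PAM_AUTH_ERR"
        print(f"{conv_name:12s} vs {stack_name:13s}: {verdict:12s} prompts={prompts}")
```

The same-answer conversation passes the single-prompt stack and fails the two-prompt one, because the concatenated string is handed back as the first factor and the stack never gets to ask for the second; the factor-aware conversation passes both. A quick way to see which prompts a real stack issues is to run it through a client that shows the conversation, for example `ssh -v` for the SSH case, and compare that against what the Keycloak side can answer.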

