Re: [keycloak-user] Authentication failed: org.jvnet.libpam.PAMException

Hi Mizuki, I'm afraid to say that's not a bug. Some answers inline. On 2019-03-19, mizuki wrote: > Hi Bruno Et al, > > If possible, please advise the next approach, to me it seems like a bug. > > As a workaround, it is possible to enable OTP embedded with keycloak, we > the preferred way is to have QR code stored in the central database such as > IPA, so we can extend the features to other services ideaily (enabled OTP > on gateway for example). The only way to enable OTP using IPA + Keycloak is to scan the QR code on IPA server and later use it with password + OTP in the Keycloak form. > > Another question is, if it's possible to separate the Password & OTP for > users to type in instead of combining them in one input box. SSH login > separates them as 'First Factor' and 'Second Factor' to allow you type in > separately which is nice. The OTP coming with Keyclak does the same > things, Password and OTP are separate input boxes, ease to reduce the > possible mistakes. Especially when OTP is time based, it would be very much > a hassle for users to type in Password and OTP all at once in one box. That's not supported at the moment. Our team is unable to fit this suggestion into our current workload and priorities, but we would gladly review any PR submitted with tests and documentation. > > Please advice & thanks so much! > Mizuki > > On Thu, Mar 14, 2019 at 8:37 PM mizuki <mizuki0621(a)gmail.com&gt; wrote: > > > See pamtester went successful with both cases (whether both OTP and > > password enabled or OTP only) > > > > Case 1: Both Password and OTP are enabled: > > > > *[root@mktst1 ~]# pamtester keycloak mmstestu authenticate* > > First Factor: > > Second Factor (optional): > > pamtester: successfully authenticated > > > > Case 2: Enabled OTP only: > > *[root@mktst1 ~]# pamtester Keycloak mmstestu authenticate* > > First Factor: > > Second Factor: > > pamtester: successfully authenticated > > > > Note > > Thanks. > > > > On Thu, Mar 14, 2019 at 7:01 PM Bruno Oliveira <bruno(a)abstractj.org&gt; > > wrote: > > > >> What is the output from pamtester? > >> > >> On Thu, Mar 14, 2019, 5:42 PM mizuki <mizuki0621(a)gmail.com&gt; wrote: > >> > >>> Thanks for the response, Bruno. > >>> > >>> I certainly went through the documents and examed configurations > >>> carefully. I attached KRB log from IPA server as well as /var/log/secure > >>> from Keycloak server as supporting evidences (high lighted with blue for > >>> important portions). > >>> > >>> In the case when both 'password' and 'otp' are enabled to the user in > >>> IPA, Keycloak failed to authenticate user with either the password or otp. > >>> > >>> [root@idm01 ~]# ipa user-show mmstestu > >>> User login: mmstestu > >>> First name: Test > >>> Last name: 55555 > >>> Home directory: /u0b/mmstestu > >>> Login shell: /bin/bash > >>> Principal name: mmstestu(a)SDCC.BNL.GOV > >>> Principal alias: mmstestu(a)SDCC.BNL.GOV > >>> Kerberos principal expiration: 20690301145828Z > >>> Email address: smithj4(a)example.com > >>> UID: 7041 > >>> GID: 9965 > >>> SSH public key fingerprint: > >>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa) > >>> User authentication types: otp, password > >>> Account disabled: False > >>> Password: True > >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic > >>> Member of HBAC rule: mktst1 > >>> Kerberos keys available: True > >>> > >>> Krb log on IPA server shows following: > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 > >>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: NEEDED_PREAUTH: > >>> mmstestu(a)SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV(a)SDCC.BNL.GOV, Additional > >>> pre-authentication required > >>> Mar 14 16:24:36 idm01.sdcc.bnl.gov krb5kdc[9534](info): AS_REQ (8 > >>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: PREAUTH_FAILED: > >>> mmstestu(a)SDCC.BNL.GOV for krbtgt/SDCC.BNL.GOV(a)SDCC.BNL.GOV, Incorrect > >>> password in encrypted challenge > >>> > >>> /var/log/secure log on KeyCloak server: > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): > >>> authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost= > >>> user=mmstestu > >>> Mar 14 16:24:36 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): > >>> received for user mmstestu: 17 (Failure setting user credentials) > >>> > >>> In ../log/server.log on KeyCloak server: > >>> 2019-03-14 16:24:36,844 ERROR > >>> [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-2) > >>> Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate > >>> failed : Permission denied > >>> at org.jvnet.libpam.PAM.check(PAM.java:113) > >>> at org.jvnet.libpam.PAM.authenticate(PAM.java:129) > >>> at > >>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53) > >>> at > >>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180) > >>> at > >>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143) > >>> at > >>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124) > >>> at > >>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193) > >>> at > >>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166) > >>> at > >>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) > >>> at > >>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) > >>> at > >>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) > >>> at > >>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) > >>> at > >>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) > >>> at > >>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) > >>> at > >>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) > >>> at > >>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) > >>> at > >>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) > >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > >>> at > >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) > >>> at > >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) > >>> at java.lang.reflect.Method.invoke(Method.java:508) > >>> at > >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$873.00000000AFCB79F0.get(Unknown > >>> Source) > >>> at > >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > >>> at > >>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > >>> at > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > >>> at > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$871.00000000B11B4F40.run(Unknown > >>> Source) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$872.00000000ACC159F0.get(Unknown > >>> Source) > >>> at > >>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > >>> at > >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > >>> at > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > >>> at > >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > >>> at > >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > >>> at > >>> io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > >>> at > >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > >>> at > >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > >>> at > >>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > >>> at > >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > >>> at > >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > >>> at > >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > >>> at > >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > >>> at > >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > >>> at > >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > >>> at > >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > >>> at > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > >>> at > >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > >>> at > >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > >>> at > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$721.00000000A8A8CB90.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>> at > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$722.00000000A8B52390.call(Unknown > >>> Source) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > >>> at > >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > >>> at > >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > >>> at > >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > >>> at > >>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > >>> at > >>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > >>> at java.lang.Thread.run(Thread.java:812) > >>> > >>> Then if I remove the 'password' option and leaves 'otp' only for the > >>> user, KeyCloak does actually authenticate fine (password + QRCode combined > >>> with no space): Following are logs when it successes: > >>> > >>> [root@idm01 ~]# ipa user-mod mmstestu --user-auth-type=otp > >>> ------------------------ > >>> Modified user "mmstestu" > >>> ------------------------ > >>> User login: mmstestu > >>> First name: Test > >>> Last name: 55555 > >>> Home directory: /u0b/mmstestu > >>> Login shell: /bin/bash > >>> Principal name: mmstestu(a)SDCC.BNL.GOV > >>> Principal alias: mmstestu(a)SDCC.BNL.GOV > >>> Kerberos principal expiration: 20690301145828Z > >>> Email address: smithj4(a)example.com > >>> UID: 7041 > >>> GID: 9965 > >>> SSH public key fingerprint: > >>> SHA256:/JlIpowM8fnzu+eVyeDj0Nb08+L3KWn7gG3lmS2YRFk (ssh-rsa) > >>> User authentication types: otp > >>> Account disabled: False > >>> Password: True > >>> Member of groups: ipausers, rhloi13, ravendor, webstaff, eic > >>> Member of HBAC rule: mktst1 > >>> Kerberos keys available: True > >>> > >>> In KRB log on IPA server: > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): AS_REQ (8 > >>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime > >>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu(a)SDCC.BNL.GOV for > >>> krbtgt/SDCC.BNL.GOV(a)SDCC.BNL.GOV > >>> Mar 14 16:28:57 idm01.sdcc.bnl.gov krb5kdc[9535](info): TGS_REQ (8 > >>> etypes {18 17 20 19 16 23 25 26}) 130.199.148.235: ISSUE: authtime > >>> 1552595337, etypes {rep=18 tkt=18 ses=18}, mmstestu(a)SDCC.BNL.GOV for > >>> host/mktst1.sdcc.bnl.gov(a)SDCC.BNL.GOV > >>> > >>> In /var/log/secure on KeyCloak server: > >>> Mar 14 16:28:57 mktst1 journal: IBM Java[8421]: pam_sss(keycloak:auth): > >>> authentication success; logname=root uid=0 euid=0 tty= ruser= rhost= > >>> user=mmstestu > >>> > >>> Please advice. > >>> Thanks. > >>> Mizuki > >>> > >>> > >>> On Tue, Mar 12, 2019 at 11:35 AM Bruno Oliveira <bruno(a)abstractj.org > > >>> wrote: > >>> > >>>> Hi Mizuki, > >>>> > >>>> In the scenario you described Keycloak just relies on PAM to > >>>> authenticate the user. What I'd do before configure Keycloak is to try > >>>> dbus-send and pamtester, just to make sure that my setup works. > >>>> > >>>> So here's my suggestion, try to run pamtester -v keycloak youruser. If > >>>> pamtester does not authenticate your user, there's a chance that > >>>> something is wrong with your setup. Certainly worth to review our > >>>> docs[1]. > >>>> > >>>> [1] - > >>>> https://www.keycloak.org/docs/latest/server_admin/index.html#_sssd > >>>> > >>>> On 2019-03-05, mizuki wrote: > >>>> > Hi, > >>>> > > >>>> > We are currently evaluating keycloak as a possible authentication > >>>> mechanism > >>>> > deployed to our facility. > >>>> > We use kerberos for user authentication with FreeIPA and configured > >>>> sssd > >>>> > for user federation in keycloak (follow the official document both > >>>> from > >>>> > keycloak and freeipa.org) > >>>> > One of the requirement we desire is to enable kerboros password for > >>>> SSH > >>>> > login and enabled 'otp' for HTTP based applications. > >>>> > > >>>> > To do so, > >>>> > 1. We enabled both user-auth-types for the user: > >>>> > - password > >>>> > - password + otp > >>>> > > >>>> > 2. Created HBAC rules in IPA, allowing keycloak server access for > >>>> following > >>>> > services: (I purposely did not enable 'otp' at this point as I want to > >>>> > verify both 'password' and 'otp' shall work) > >>>> > - keycloak > >>>> > - sshd > >>>> > > >>>> > 3. Confimred sshd worked with both 'password' and 'otp' types via > >>>> PAM/SSSD, > >>>> > then I went ahead and accessed URL that is protected by keycloak, > >>>> > 'password' works but 'otp' won't, the following ERRORs were seen in > >>>> > keycloak's server.log: > >>>> > ----------- > >>>> > 019-03-04 17:01:20,246 WARN [org.keycloak.events] (default task-22) > >>>> > type=LOGIN_ERROR, realmId=SDCC, clientId=vproxytest03, > >>>> > userId=9900928d-efee-4192-bbc8-7e29cf512d2b, ipAddress=130.199.6.120, > >>>> > error=invalid_user_credentials, auth_method=openid-connect, > >>>> auth_type=code, > >>>> > redirect_uri=https://www.example.com/secure/ > >>>> > <https://vproxytest03.racf.bnl.gov/secure/>*, > >>>> > code_id=d6c83411-4ca8-4d2b-b942-afd0006e98d2, username=mmstestu > >>>> > 2019-03-04 17:01:43,033 ERROR > >>>> > [org.keycloak.federation.sssd.impl.PAMAuthenticator] (default task-22) > >>>> > Authentication failed: org.jvnet.libpam.PAMException: pam_authenticate > >>>> > failed : Permission denied > >>>> > at org.jvnet.libpam.PAM.check(PAM.java:113) > >>>> > at org.jvnet.libpam.PAM.authenticate(PAM.java:129) > >>>> > at > >>>> > > >>>> org.keycloak.federation.sssd.impl.PAMAuthenticator.authenticate(PAMAuthenticator.java:53) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.federation.sssd.SSSDFederationProvider.isValid(SSSDFederationProvider.java:180) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.credential.UserCredentialStoreManager.validate(UserCredentialStoreManager.java:143) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.credential.UserCredentialStoreManager.isValid(UserCredentialStoreManager.java:124) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validatePassword(AbstractUsernameFormAuthenticator.java:193) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:166) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:55) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:48) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:113) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:97) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.services.resources.LoginActionsService.processAuthentication(LoginActionsService.java:263) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.services.resources.LoginActionsService.authenticate(LoginActionsService.java:259) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.services.resources.LoginActionsService.authenticateForm(LoginActionsService.java:320) > >>>> > > >>>> > at sun.reflect.GeneratedMethodAccessor719.invoke(Unknown Source) > >>>> > at > >>>> > > >>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) > >>>> > > >>>> > at java.lang.reflect.Method.invoke(Method.java:508) > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$849.00000000BB8BBB40.get(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:443) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:233) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$847.00000000BE026450.run(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:139) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher$$Lambda$848.00000000BDC48A90.get(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:358) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:142) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:219) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > >>>> > > >>>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > >>>> > > >>>> > at > >>>> > > >>>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > >>>> > > >>>> > at > >>>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction$$Lambda$693.00000000BCF725B0.call(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) > >>>> > > >>>> > at > >>>> > > >>>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction$$Lambda$694.00000000BD0FBEE0.call(Unknown > >>>> > Source) > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > >>>> > > >>>> > at > >>>> > > >>>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > >>>> > > >>>> > at > >>>> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) > >>>> > at > >>>> > > >>>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) > >>>> > at > >>>> > > >>>> org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) > >>>> > > >>>> > at > >>>> > > >>>> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) > >>>> > > >>>> > at java.lang.Thread.run(Thread.java:812) > >>>> > ------------------ > >>>> > > >>>> > Interesting thing is keycloak handles OTP just fine if I have > >>>> > 'password+otp' only checked on, then we won't be able to log onto the > >>>> > machines via SSH using password, that defeats our purposes. > >>>> > > >>>> > I tested different version of JAVA and the latest keycloak (4.8.3) > >>>> version > >>>> > (on REHL 7), all got the same results. > >>>> > I'm wondering if this is more likely a bug or I missed something. > >>>> > I'd appreciate if someone can advice what the approach is. > >>>> > > >>>> > Thank you very much. > >>>> > > >>>> > Mizuki > >>>> > _______________________________________________ > >>>> > keycloak-user mailing list > >>>> > keycloak-user(a)lists.jboss.org > >>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >>>> > >>>> -- > >>>> > >>>> abstractj > >>>> > >>> -- abstractj