11:16 p.m.
I'm running FreeIPA and have users with and without OTP. OTP users
authenticate with RADIUS (Privacyidea manages the tokens). My final goal
is that users with a kerberos ticket can authenticate without password
and users without ticket get asked for password+OTP (when configured).
In FreeIPA a user is defined with password and radius authentication:
$ ipa user-show jochen
User login: jochen
...
Kerberos principal: jochen(a)EXAMPLE.ORG
...
User authentication types: password, radius
According to the FreeIPA docs LDAP bind works with password only, but
kerberos needs password+OTP. That works fine with sssd and other
applications.
I'm now running keycloak 3.4.2 and played with it. I've added a User
Federation with LDAP to my FreeIPA server and enabled "Allow Kerberos
Authentication". After that I can log in with my Kerberos ticket
without further authentication. If I don't have a Kerberos ticket
keycloak asks me for username and password - authentication works with
LDAP bind as long as "Use Kerberos For Password Authentication" is
disabled.
For a regular (non-OTP) user I can authenticate with a Kerberos ticket.
If the user does not have a Kerberos ticket, he is asked for username
and password as expected, and authentication is successful.
Another user with OTP-authentication in FreeIPA can also authenticate
with his Kerberos ticket.
If the OTP-user does not have a Kerberos ticket, keycloak asks for
username and password (as expected). If the user federation has "Use
Kerberos for Password Authentication" not selected, the user in
FreeIPA needs to have password+OTP (or password+RADIUS) allowed and
can authenticate against FreeIPA-LDAP with password only - that's not
what I want[1].
When I enable "Use Kerberos For Password Authentication" non-OTP users
can still authenticate, but OTP users can't. According to
https://www.freeipa.org/page/V4/OTP#How_to_Test
"Kerberos FAST is required for OTP operations." - and that's true.
If I just use kinit I get "Generic preauthentication failure while
getting initial credentials". The kerberos log has:
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23})
x.x.x.x: NEEDED_PREAUTH: jochen(a)EXAMPLE.ORG for krbtgt/JOCHEN.ORG(a)EXAMPLE.ORG, Additional
pre-authentication required
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): preauth (encrypted_timestamp)
verify failure: No matching key in entry
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23})
x.x.x.127: PREAUTH_FAILED: jochen(a)EXAMPLE.ORG for krbtgt/JOCHEN.ORG(a)EXAMPLE.ORG,
Preauthentication failed
debg log fom keycloak:
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) Debug is true storeKey true
useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator
true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) [Krb5LoginModule]
user entered username: jochen(a)EXAMPLE.ORG
2017-08-08 21:24:17,473 INFO [stdout] (default task-1)
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) [Krb5LoginModule]
authentication failed
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) Pre-authentication information was
invalid (24) - PREAUTH_FAILED
2017-08-08 21:24:17,606 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR,
realmId=jochen.org, clientId=account, userId=3ebc8518-a488-4dce-bd94-4a72c03a5ed9,
ipAddress=192.168.yy.xx, error=invalid_user_credentials, auth_method=openid-connect,
auth_type=code,
redirect_uri=https://saml.jochen.org/auth/realms/jochen.org/account/login...,
code_id=eefbcc3e-f581-465c-bc28-7e37fc939ae6, username=jochen(a)example.org
That look's like there is no FAST implemented, but that or Anonymous PKINIT
seems to be needed for OTP authentication through Kerberos:
https://www.freeipa.org/page/V4/OTP
https://www.freeipa.org/page/V4/Kerberos_PKINIT
On my systems the OTP-user can't kinit directly, but needs to "kinit -n"
first:
$ kinit otpuser
kinit: Pre-authentication failed: invalid argument while getting initial credentials
$ kinit -n
$ klist
Ticket cache: KEYRING:persistent:1004:1004
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
04.11.2017 18:31:20 05.11.2017 18:31:20 krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG
$ kinit -T KEYRING:persistent:1004:1004 otpuser
Enter OTP Token Value:
$ klist
Ticket cache: KEYRING:persistent:1004:krb_ccache_ZKhNrfE
Default principal: otpuser(a)EXAMPLE.ORG
Valid starting Expires Service principal
04.11.2017 18:31:48 05.11.2017 18:31:37 krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG
After some research I think that JDK doesn't implement FAST for now and
the tickets/messages I found looked like it will be some time until that
might be implemented (if ever).
Would it be possible to implement that in keycloak?
https://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/
has some python code that is implementing that for FreeIPA.
I've looked at
https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/...
but don't see how that might be implemented there...
I've already tried to add two providers to my user federation, LDAP and sssd.
sssd can authentication my otpuser with password+OTP fine. But I couldn't
get authentication with Kerberos ticket to work when I have both providers
active. Is that something that should work?
Any ideas?
Thanks,
Jochen
[1] password allows authentication to LDAP (no OTP). RADIUS or OTP
authentications against Kerberos, which handles OTP and RADIUS
and needs password+OTP.
--
This space is intentionally left blank.
2:27 a.m.
The integration with FreeIPA is suppose to use SSSD userStorage
provider. Have few questions to clarify:
1. If you have SSSD provider and your user doesn't have kerberos ticket,
is Keycloak authentication work for both password-only and password+otp
users?
2. If you have SSSD provider and your user has kerberos ticket, are you
able to authenticate with Kerberos+SPNEGO?
Thanks,
Marek
On 17/01/18 06:16, Jochen Hein wrote:
I'm running FreeIPA and have users with and without OTP. OTP
users
authenticate with RADIUS (Privacyidea manages the tokens). My final goal
is that users with a kerberos ticket can authenticate without password
and users without ticket get asked for password+OTP (when configured).
In FreeIPA a user is defined with password and radius authentication:
$ ipa user-show jochen
User login: jochen
...
Kerberos principal: jochen(a)EXAMPLE.ORG
...
User authentication types: password, radius
According to the FreeIPA docs LDAP bind works with password only, but
kerberos needs password+OTP. That works fine with sssd and other
applications.
I'm now running keycloak 3.4.2 and played with it. I've added a User
Federation with LDAP to my FreeIPA server and enabled "Allow Kerberos
Authentication". After that I can log in with my Kerberos ticket
without further authentication. If I don't have a Kerberos ticket
keycloak asks me for username and password - authentication works with
LDAP bind as long as "Use Kerberos For Password Authentication" is
disabled.
For a regular (non-OTP) user I can authenticate with a Kerberos ticket.
If the user does not have a Kerberos ticket, he is asked for username
and password as expected, and authentication is successful.
Another user with OTP-authentication in FreeIPA can also authenticate
with his Kerberos ticket.
If the OTP-user does not have a Kerberos ticket, keycloak asks for
username and password (as expected). If the user federation has "Use
Kerberos for Password Authentication" not selected, the user in
FreeIPA needs to have password+OTP (or password+RADIUS) allowed and
can authenticate against FreeIPA-LDAP with password only - that's not
what I want[1].
When I enable "Use Kerberos For Password Authentication" non-OTP users
can still authenticate, but OTP users can't. According to
https://www.freeipa.org/page/V4/OTP#How_to_Test
"Kerberos FAST is required for OTP operations." - and that's true.
If I just use kinit I get "Generic preauthentication failure while
getting initial credentials". The kerberos log has:
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23})
x.x.x.x: NEEDED_PREAUTH: jochen(a)EXAMPLE.ORG for krbtgt/JOCHEN.ORG(a)EXAMPLE.ORG, Additional
pre-authentication required
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): preauth (encrypted_timestamp)
verify failure: No matching key in entry
Aug 08 21:24:17 freeipa1.jochen.org krb5kdc[4442](info): AS_REQ (4 etypes {18 17 16 23})
x.x.x.127: PREAUTH_FAILED: jochen(a)EXAMPLE.ORG for krbtgt/JOCHEN.ORG(a)EXAMPLE.ORG,
Preauthentication failed
debg log fom keycloak:
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) Debug is true storeKey true
useTicketCache false useKeyTab false doNotPrompt false ticketCache is null isInitiator
true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
2017-08-08 21:24:17,473 INFO [stdout] (default task-1) [Krb5LoginModule]
user entered username: jochen(a)EXAMPLE.ORG
2017-08-08 21:24:17,473 INFO [stdout] (default task-1)
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) [Krb5LoginModule]
authentication failed
2017-08-08 21:24:17,605 INFO [stdout] (default task-1) Pre-authentication information
was invalid (24) - PREAUTH_FAILED
2017-08-08 21:24:17,606 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR,
realmId=jochen.org, clientId=account, userId=3ebc8518-a488-4dce-bd94-4a72c03a5ed9,
ipAddress=192.168.yy.xx, error=invalid_user_credentials, auth_method=openid-connect,
auth_type=code,
redirect_uri=https://saml.jochen.org/auth/realms/jochen.org/account/login...,
code_id=eefbcc3e-f581-465c-bc28-7e37fc939ae6, username=jochen(a)example.org
That look's like there is no FAST implemented, but that or Anonymous PKINIT
seems to be needed for OTP authentication through Kerberos:
https://www.freeipa.org/page/V4/OTP
https://www.freeipa.org/page/V4/Kerberos_PKINIT
On my systems the OTP-user can't kinit directly, but needs to "kinit -n"
first:
$ kinit otpuser
kinit: Pre-authentication failed: invalid argument while getting initial credentials
$ kinit -n
$ klist
Ticket cache: KEYRING:persistent:1004:1004
Default principal: WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
Valid starting Expires Service principal
04.11.2017 18:31:20 05.11.2017 18:31:20 krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG
$ kinit -T KEYRING:persistent:1004:1004 otpuser
Enter OTP Token Value:
$ klist
Ticket cache: KEYRING:persistent:1004:krb_ccache_ZKhNrfE
Default principal: otpuser(a)EXAMPLE.ORG
Valid starting Expires Service principal
04.11.2017 18:31:48 05.11.2017 18:31:37 krbtgt/EXAMPLE.ORG(a)EXAMPLE.ORG
After some research I think that JDK doesn't implement FAST for now and
the tickets/messages I found looked like it will be some time until that
might be implemented (if ever).
Would it be possible to implement that in keycloak?
https://blog-ftweedal.rhcloud.com/2014/07/otp-authentication-in-freeipa/
has some python code that is implementing that for FreeIPA.
I've looked at
https://github.com/keycloak/keycloak/blob/master/federation/kerberos/src/...
but don't see how that might be implemented there...
I've already tried to add two providers to my user federation, LDAP and sssd.
sssd can authentication my otpuser with password+OTP fine. But I couldn't
get authentication with Kerberos ticket to work when I have both providers
active. Is that something that should work?
Any ideas?
Thanks,
Jochen
[1] password allows authentication to LDAP (no OTP). RADIUS or OTP
authentications against Kerberos, which handles OTP and RADIUS
and needs password+OTP.
3:48 p.m.
New subject: Valid Sender ? - Re: Authentication fails for OTP user with kerberos
Marek Posolda <mposolda(a)redhat.com> writes:
The integration with FreeIPA is suppose to use SSSD userStorage
provider. Have few questions to clarify:
1. If you have SSSD provider and your user doesn't have kerberos
ticket, is Keycloak authentication work for both password-only and
password+otp users?
Yes, that is correct.
2. If you have SSSD provider and your user has kerberos ticket, are
you able to authenticate with Kerberos+SPNEGO?
No, I'm not able to connect with Kerberos. I did the following:
- I created a new realm "sso"
- There is one User Federation "sssd"
- In the SSSD provider /etc/sssd/sssd.conf:
[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
- Under Authentication -> Flows I've added "Kerberos" as
"Alternative"
to the browser flow.
- When I open https://saml.example.org/auth/realms/sso/account/ I'll see
in server.log:
2018-01-17 22:37:02,825 WARN
[org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4)
Received kerberos token, but there is no user storage provider that handles kerberos
credentials.
I'm not logged in, but can authenticate with password+OTP.
As far as I understood, only Kerberos and LDAP user storage can handle
kerberos authentication. I also tried to have to user federations (sssd
and kerberos), but I only got one to work in the realm.
Jochen
--
This space is intentionally left blank.
1:58 a.m.
New subject: Valid Sender ? - Re: Authentication fails for OTP user with kerberos
Thanks for clarification. Feel free to create JIRA for your scenario -
also please link it with this email thread.
I am not yet sure how exactly to support your scenario. We may need to
look what FreeIPA is doing for web authentications. I think the proper
way to have this working might be through SSSD provider. But that one
doesn't support Kerberos in Keycloak right now. From the long term
perspective, we may need to move Kerberos configurations (keytab etc)
from the federation provider to the SPNEGOAuthenticator. This will
remove the limit that Kerberos/SPNEGO authentication is currently
tightly coupled just with LDAP+Kerberos federation providers and will
help with some other usecases. On the other hand, proper way to have
SPNEGO working might be different for SSSD integration - maybe not using
Keytab etc, but doing it through GSS Proxy. But not 100% sure... Will
require more investigation...
Marek
On 17/01/18 22:48, Jochen Hein wrote:
Marek Posolda <mposolda(a)redhat.com> writes:
> The integration with FreeIPA is suppose to use SSSD userStorage
> provider. Have few questions to clarify:
>
> 1. If you have SSSD provider and your user doesn't have kerberos
> ticket, is Keycloak authentication work for both password-only and
> password+otp users?
Yes, that is correct.
> 2. If you have SSSD provider and your user has kerberos ticket, are
> you able to authenticate with Kerberos+SPNEGO?
No, I'm not able to connect with Kerberos. I did the following:
- I created a new realm "sso"
- There is one User Federation "sssd"
- In the SSSD provider /etc/sssd/sssd.conf:
[ifp]
allowed_uids = root, keycloak
user_attributes = +mail, +telephoneNumber, +givenname, +sn
- Under Authentication -> Flows I've added "Kerberos" as
"Alternative"
to the browser flow.
- When I open https://saml.example.org/auth/realms/sso/account/ I'll see
in server.log:
2018-01-17 22:37:02,825 WARN
[org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator] (default task-4)
Received kerberos token, but there is no user storage provider that handles kerberos
credentials.
I'm not logged in, but can authenticate with password+OTP.
As far as I understood, only Kerberos and LDAP user storage can handle
kerberos authentication. I also tried to have to user federations (sssd
and kerberos), but I only got one to work in the realm.
Jochen
2:30 p.m.
New subject: Valid Sender ? - Re: Authentication fails for OTP user with kerberos
Marek Posolda <mposolda(a)redhat.com> writes:
Thanks for clarification. Feel free to create JIRA for your scenario
-
also please link it with this email thread.
I've created https://issues.jboss.org/browse/KEYCLOAK-6323
Thanks!
Jochen
--
This space is intentionally left blank.
2546
days inactive
2549
days old
4 comments
2 participants
participants (2)
-
Jochen Hein -
Marek Posolda