On Thu, Apr 01, 2021 at 01:50:40PM +0300, Alexander Bokovoy wrote:
>
> This split of fields in FreeIPA Web UI exists since FreeIPA 4.0 which
> was part of early RHEL 7 deliveries (the code for separate OTP field was
> added in 2014).
>
> There is nothing specific about it -- Noggin developers simply missed
> this part, as well as they missed OTP token synchronization
> functionality.

Odd. I am looking at our "RED HAT IDENTITY MANAGEMENT" web interface and
it has a Username and a Password field and the Password field has
"Password or Password + One Time Password" in it.

...snip...

> It is supported. We don't expose DNS URI record for
> _kpasswd.fedoraproject.org but if you'd add 'kpasswd_server' to
> /etc/krb5.conf.d/fedoraproject_org with the same value as 'kdc', it will
> allow you to change the password:
>
> [934873] 1617273694.628547: Sending DNS URI query for _kpasswd.FEDORAPROJECT.ORG.
> [934873] 1617273694.628548: No URI records found
> ...
> [modify fedoraproject_org snippet]
> ...
> $ cat /etc/krb5.conf.d/fedoraproject_org
> [realms]
>  FEDORAPROJECT.ORG = {
>   kdc = https://id.fedoraproject.org/KdcProxy
>   pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
>   kpasswd_server = https://id.fedoraproject.org/KdcProxy
>  }
> [domain_realm]
>  .fedoraproject.org = FEDORAPROJECT.ORG
>  fedoraproject.org = FEDORAPROJECT.ORG
>
> $ KRB5_TRACE=/dev/stderr kpasswd abbra@xxxxxxxxxxxxxxxxx
> ...
> Enter OTP Token Value: ...
> Enter new password: Enter it again: [935146] 1617273825.195267: Creating
> authenticator for abbra@xxxxxxxxxxxxxxxxx ->
> kadmin/changepw@xxxxxxxxxxxxxxxxx, seqnum 0, subkey aes256-cts/9584, session
> key aes256-cts/4F2B
> [935146] 1617273825.195269: Resolving hostname id.fedoraproject.org
> [935146] 1617273825.195270: TLS certificate name matched "id.fedoraproject.org"
> [935146] 1617273825.195271: Sending HTTPS request to https 8.43.85.67:443
> [935146] 1617273825.195272: Received answer (236 bytes) from https 8.43.85.67:443
> [935146] 1617273825.195273: Terminating TCP connection to https 8.43.85.67:443
> [935146] 1617273825.195274: Read AP-REP, time 1617273825.195268, subkey aes256-cts/9584, seqnum 834862168
> Password changed.
>
> Note that in 'kpasswd' and 'kinit' utilities you have to concatenate
> password and OTP token value in the same string, unfortunately, because
> these utilities don't use prompting facilities available in MIT Kerberos
> library. SSSD does use them, so it is possible to change password
> through SSSD with separate prompts.
>
> Improving 'kpasswd' and 'kinit' utilities is on my todo list as I'll
> need this for other use cases as well.

Cool. I'll investigate if we want to make this case easier.

Thanks for the info!

kevin
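Added example, not code from this thread: a small Python check that parses a krb5.conf.d realm snippet like the one quoted above, reports the realm's settings, and inserts 'kpasswd_server' with the same value as 'kdc' when it is missing (the fix Alexander describes). The sample snippet and the function names are constructed for this example.

```python
import re

# Constructed sample modelled on the snippet quoted above; kpasswd_server is left out on purpose.
SAMPLE_SNIPPET = """\
[realms]
 FEDORAPROJECT.ORG = {
  kdc = https://id.fedoraproject.org/KdcProxy
  pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
 }
[domain_realm]
 .fedoraproject.org = FEDORAPROJECT.ORG
 fedoraproject.org = FEDORAPROJECT.ORG
"""

def _walk(text, realm):
    """Yield (line, where); where is 'open'/'inside'/'close' for the realm block, else None."""
    section, inside = None, False
    for line in text.splitlines():
        s, where = line.strip(), None
        if s.startswith("[") and s.endswith("]"):
            section, inside = s[1:-1], False
        elif inside and s == "}":
            inside, where = False, "close"
        elif inside:
            where = "inside"
        elif section == "realms" and re.match(r"^%s\s*=\s*\{$" % re.escape(realm), s):
            inside, where = True, "open"
        yield line, where

def realm_settings(text, realm):
    """Return {key: value} for the realm's block in [realms] (empty if the realm is absent)."""
    settings = {}
    for line, where in _walk(text, realm):
        if where == "inside" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def add_kpasswd_server(text, realm):
    """Insert 'kpasswd_server = <kdc>' before the closing brace unless already set or kdc unknown."""
    s = realm_settings(text, realm)
    if "kpasswd_server" in s or "kdc" not in s:
        return text
    out = []
    for line, where in _walk(text, realm):
        if where == "close":  # mirror the block's indentation
            indent = line[: len(line) - len(line.lstrip())] + " "
            out.append(f"{indent}kpasswd_server = {s['kdc']}")
        out.append(line)
    return "\n".join(out) + "\n"
```

Without the kpasswd_server entry kpasswd falls back to the DNS lookup shown in the trace above, which finds nothing for this realm; with it, the change goes through the same KDC proxy as kinit.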
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx