test: Test OTP 2FA login with FreeIPA #13321

martinpitt · 2019-12-19T10:53:43Z

This demonstrates how to set up FreeIPA to enable two-factor
authentication. On RHEL, this is the only supported method, as there is
no google-authenticator package.

Use HOTP instead of the default TOTP as that's more predictable for an
automated test.

This has worked for a long time already, but let's make sure it stays
that way.

martinpitt · 2019-12-19T10:57:27Z

I ran this several times locally on fedora-31. Let's see how it fares on all the other OSes.

martinpitt · 2019-12-19T11:36:52Z

Failed on debian-stable and ubuntu-1804, and the two others as well. This may need an extra waiting loop that sssd sees the new user from IdM. Investigating locally..

martinpitt · 2019-12-19T13:23:01Z

On Debian stable and the Ubuntus the login attempt already fails at the password stage. I'm trying this with ssh, easier than with cockpit:

Dec 19 13:05:25 x0.cockpit.lan [sssd[krb5_child[21014]: Preauthentication failed
Dec 19 13:05:25 x0.cockpit.lan [sssd[krb5_child[21014]: Preauthentication failed
Dec 19 13:05:25 x0.cockpit.lan sshd[20940]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.27.0.2 user=alice
Dec 19 13:05:25 x0.cockpit.lan sshd[20940]: pam_sss(sshd:auth): received for user alice: 17 (Failure setting user credentials)

Unfortunately sssctl debug-level 5 does not really improve this.

On debian-testing it works, so maybe this is a reasonably recent feature. So let's wait until ubuntu-stable moves over to 20.04, focal already has the latest sssd version. My gut feeling is that this is related to

  * default-to-socket-activated-services.diff: Don't enable any
     services when run without a conffile.

test/verify/check-realms

This demonstrates how to set up FreeIPA to enable two-factor authentication. On RHEL, this is the only supported method, as there is no google-authenticator package. Use HOTP instead of the default TOTP as that's more predictable for an automated test. This has worked for a long time already, but let's make sure it stays that way. Closes cockpit-project#13321

croissanne

nice :)

martinpitt added the needswork label Dec 19, 2019

martinpitt removed the needswork label Dec 19, 2019

martinpitt force-pushed the ipa-2fa branch from cc5b38d to 9eaf774 Compare December 19, 2019 13:24

martinpitt force-pushed the ipa-2fa branch from 9eaf774 to 5e2fc98 Compare December 19, 2019 13:47

martinpitt requested a review from croissanne December 19, 2019 14:43

martinpitt commented Dec 19, 2019

View reviewed changes

test/verify/check-realms Outdated Show resolved Hide resolved

martinpitt force-pushed the ipa-2fa branch from 5e2fc98 to 891ac17 Compare December 19, 2019 16:36

croissanne approved these changes Dec 20, 2019

View reviewed changes

martinpitt merged commit 85c3b16 into cockpit-project:master Dec 20, 2019

martinpitt deleted the ipa-2fa branch December 20, 2019 12:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test: Test OTP 2FA login with FreeIPA #13321

test: Test OTP 2FA login with FreeIPA #13321

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

croissanne left a comment

Reviewers

Assignees

Labels

Projects

Milestone

Development

2 participants

test: Test OTP 2FA login with FreeIPA #13321

test: Test OTP 2FA login with FreeIPA #13321

Conversation

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

martinpitt commented Dec 19, 2019

croissanne left a comment

Choose a reason for hiding this comment

Reviewers

Assignees

Labels

Projects

Milestone

Development

2 participants