SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Ask for `password` first when ipa user added with `User authentication types: password` and having passkey mapping for passkey #7519

Open madhuriupadhye opened 1 month ago

madhuriupadhye commented 1 month ago

The following user was added in the IPA server with User authentication types: password and also with a passkey mapping, Password: True. While authenticating, it should first prompt for the password, but it is asking for passkey auth.

```
ipa user-mod user1 --user-auth-type=password
Modified user "user1"
  User login: user1
  First name: user1
  Last name: user1
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1@IPA.TEST
  Principal alias: user1@IPA.TEST
  Email address: user1@ipa.test
  UID: 1984800011
  GID: 1984800011
  User authentication types: password
  Passkey mapping: passkey:B7LeVAtZMlLZZdfCz5/mw/qcOcuMcexFQQ+bR07lrfs1fXRign3Tc01uAW19UcMBrGK5vATq4jEW1/eKpJEVXg==,MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbu4E87KdohTwpe91F4wFQR1YomcRWEhFWHnFtBp4InchG+fw90NlOksKkv38qBTXOtzUhMDJFAvzaLIWwkktMg==
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
```

```
[root@client ~]# systemctl stop sssd; rm -rf /var/lib/sss/db/*; systemctl start sssd

[root@client ~]# su - ci
Last login: Thu Aug 1 18:07:37 UTC 2024 on pts/0
[ci@client ~]$ su - user1
Kerberos TGT will not be granted upon login, user experience will be affected.
Insert your passkey device, then press ENTER.
Enter PIN:
No Kerberos TGT granted as the server does not support this method. Your single-sign on(SSO) experience will be affected.
Last login: Thu Aug 1 18:04:04 UTC 2024 on pts/0
Last failed login: Thu Aug 1 18:07:47 UTC 2024 on pts/0
There were 2 failed login attempts since the last successful login.
su: warning: cannot change directory to /home/user1: Permission denied
-sh: /home/user1/.profile: Permission denied
-sh-5.2$ exit
logout
-sh: /home/user1/.bash_logout: Permission denied
[ci@client ~]$ exit
logout
[root@client ~]# klist
Ticket cache: KCM:0
Default principal: admin@IPA.TEST

Valid starting       Expires              Service principal
08/01/24 18:15:27    08/02/24 17:57:58    HTTP/master.ipa.test@IPA.TEST
08/01/24 18:07:30    08/02/24 17:57:58    krbtgt/IPA.TEST@IPA.TEST
```
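An added audit helper (not SSSD or FreeIPA code) that parses `ipa user-show` style output and flags the combination reported above: a passkey mapping registered on a user whose authentication types do not include `passkey`. The sample record is a constructed, shortened copy of the one in the report; the blob values are placeholders.

```python
"""Audit 'ipa user-show' records for users whose passkey mapping and
User authentication types disagree, the situation in this report.
Added example; the sample below is constructed from the report."""

# Constructed, abbreviated copy of the user record in the report.
SAMPLE = """\
  User login: user1
  Principal name: user1@IPA.TEST
  User authentication types: password
  Passkey mapping: passkey:B7Le...PLACEHOLDER==,MFkw...PLACEHOLDER==
  Account disabled: False
  Password: True
"""


def parse_user_show(text):
    """Turn 'Key: value' lines into a dict, splitting on the first colon
    so values containing colons (the passkey mapping) stay intact."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.strip().partition(":")
        record[key.strip()] = value.strip()
    return record


def enabled_auth_types(record):
    """Set of methods listed under 'User authentication types'.
    An empty set means the user inherits the global default."""
    raw = record.get("User authentication types", "")
    return {t.strip() for t in raw.split(",") if t.strip()}


def audit(record):
    """Return findings for one record; an empty list means consistent."""
    findings = []
    types = enabled_auth_types(record)
    has_mapping = bool(record.get("Passkey mapping"))
    # The case in this report: a mapping exists, but only other methods
    # are enabled, so the passkey prompt is not what the admin configured.
    if has_mapping and types and "passkey" not in types:
        findings.append("Passkey mapping present but 'passkey' is not an "
                        "enabled auth type; expected prompt: "
                        + ", ".join(sorted(types)))
    if "passkey" in types and not has_mapping:
        findings.append("'passkey' is an enabled auth type but no passkey "
                        "mapping is registered")
    return findings
```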

alexey-tikhonov commented 1 month ago

@madhuriupadhye, what is SSSD package version and platform?