On Thu, 16 Dec 2021, Sam Morris wrote:
> On Thu, 2021-12-16 at 15:08 +0200, Alexander Bokovoy wrote:
> > On Thu, 16 Dec 2021, Sam Morris via FreeIPA-users wrote:
> > > I was wondering what the purpose of 'ipa user-mod
> > > --auth-user-type=hardened' was. In the web UI the option is labelled
> > > "Hardened Password (by SPAKE or FAST)".
> > >
> > > What I found (by setting KRB5_TRACE=/dev/stderr) was that without
> > > setting this option, kinit already opportunistically uses SPAKE:
> >
> > Have you read
> > https://freeipa.readthedocs.io/en/latest/designs/krb-ticket-policy.html
> > and
> > https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html
> > ?
> >
> > They need a bit of an update to cover the existence of the pam_sss_gss.so
> > module, but they give most of the details we have so far.
>
> As I understand it this allows tickets with the hardened indicator to
> have a longer lifetime, and for services to be configured to require
> the presence of an indicator in the service ticket presented by the
> user.
>
> And as you say the pam_sss_gss module can also be configured to require
> the presence of an indicator before it'll accept the user's ticket.
>
> But I don't see the link with ipa user-mod --auth-user-type=hardened...
> in my case it just seems to make it impossible to log in as the user at
> all...

For hardened, I think I found an issue. I need to test that but have no
time right now. Can you file an upstream ticket, please?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
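The thread above relies on KRB5_TRACE output to see whether kinit used SPAKE. The following is an added example (not code from the thread or from FreeIPA) that reads such a trace and reports whether the password exchange went through a hardened mechanism (SPAKE, 151, or FAST, 136) or only encrypted timestamp (2). The "Preauth module <name> (<id>) (real|info) returned: <code>/<msg>" line shape and the sample traces are assumptions constructed for this example.

```python
import re

# Preauth type numbers from the Kerberos registries; these are the mechanisms
# the thread discusses. Trace line shape below is an assumption of this example.
PA_ENC_TIMESTAMP = 2
PA_FX_FAST = 136
PA_SPAKE = 151

# Mechanisms FreeIPA labels "Hardened Password (by SPAKE or FAST)".
HARDENED = {PA_FX_FAST, PA_SPAKE}

PREAUTH_RE = re.compile(
    r"Preauth module (?P<name>\w+) \((?P<id>\d+)\) \((?P<kind>real|info)\) "
    r"returned: (?P<code>\d+)/"
)


def preauth_used(trace):
    """Return the set of 'real' preauth mechanism ids that returned success (0)."""
    used = set()
    for m in PREAUTH_RE.finditer(trace):
        if m.group("kind") == "real" and m.group("code") == "0":
            used.add(int(m.group("id")))
    return used


def classify(trace):
    """'hardened' if SPAKE or FAST carried the exchange, 'weak' if only an
    encrypted timestamp did, 'none' if no real preauth succeeded."""
    used = preauth_used(trace)
    if used & HARDENED:
        return "hardened"
    if PA_ENC_TIMESTAMP in used:
        return "weak"
    return "none"


# Constructed sample traces (not captured from a real host).
SPAKE_TRACE = """\
[4242] 1639668123.100: Sending initial UDP request to dgram 192.0.2.10:88
[4242] 1639668123.101: Preauth module spake (151) (real) returned: 0/Success
[4242] 1639668123.102: Produced preauth for next request: PA-SPAKE (151)
"""
TIMESTAMP_TRACE = """\
[4243] 1639668124.100: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[4243] 1639668124.101: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
"""

if __name__ == "__main__":
    print("spake sample:", classify(SPAKE_TRACE))
    print("timestamp sample:", classify(TIMESTAMP_TRACE))
```

Feed it a real trace with `KRB5_TRACE=/tmp/kinit.trace kinit user` and then `classify(open("/tmp/kinit.trace").read())` to confirm clients are not silently falling back to encrypted timestamp.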
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org