Hello,
I found out that when running IPA on RHEL 8, the setting [libdefaults] spake_preauth_groups=edwards25519 in the file /etc/krb5.conf.d/freeipa prevents AD domain account users from logging in to the IPA server running on RHEL 8.
According to this site, it's protection against dictionary attacks: https://web.mit.edu/kerberos/krb5-latest/doc/admin/spake.html
Commenting out those two lines and restarting the sssd service allows the AD domain users to log in to the RHEL 8 systems.
However, this means I lose the extra protection against dictionary attacks.
Is there a way to have both (login for AD users on RHEL 8 and dictionary attack protection)?
Cheers, Rob
On Mon, 02 Sep 2019, Rob Verduijn via FreeIPA-users wrote:
> Hello,
> I found out that when running IPA on RHEL 8, the setting [libdefaults] spake_preauth_groups=edwards25519 in the file /etc/krb5.conf.d/freeipa prevents AD domain account users from logging in to the IPA server running on RHEL 8.
> According to this site, it's protection against dictionary attacks: https://web.mit.edu/kerberos/krb5-latest/doc/admin/spake.html
> Commenting out those two lines and restarting the sssd service allows the AD domain users to log in to the RHEL 8 systems.
> However, this means I lose the extra protection against dictionary attacks.
> Is there a way to have both (login for AD users on RHEL 8 and dictionary attack protection)?
Windows systems do not support the SPAKE mechanism, so they should fall back to encrypted timestamp. The question is mostly why the fallback doesn't happen.
Could you please open a bug (against krb5) so that we can investigate?
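To check on a host which preauthentication mechanism a kinit for an AD principal actually completed (the fallback question above), here is an added shell example; it is not code from this thread, FreeIPA or MIT krb5, and the trace line formats and the sample traces are assumptions modelled on MIT krb5's KRB5_TRACE output.

```shell
# Added example, not code from this thread or from FreeIPA/MIT krb5. Given a
# KRB5_TRACE log from a client-side kinit, report which preauthentication
# mechanism actually completed, so whether the SPAKE -> encrypted-timestamp
# fallback happened can be confirmed on a host before filing a bug.
# Live use (not run here):
#   KRB5_TRACE=/tmp/kinit.trace kinit aduser@AD.EXAMPLE.TEST
#   preauth_outcome /tmp/kinit.trace; last_kdc_error /tmp/kinit.trace
# Line formats are assumed to follow MIT krb5's trace messages; the traces
# written by write_sample_trace are constructed for this example.

# Print "spake", "encrypted_timestamp" or "none" for the trace file $1.
# PA-SPAKE is preauth type 151, PA-ENC-TIMESTAMP is type 2.
preauth_outcome() {
    if grep -q 'Preauth module spake (151) (real) returned: 0/' "$1"; then
        echo spake
    elif grep -q 'Preauth module encrypted_timestamp (2) (real) returned: 0/' "$1"; then
        echo encrypted_timestamp
    else
        echo none
    fi
}

# Print the last KDC error message the client saw (empty if none was logged).
last_kdc_error() {
    sed -n 's/.*Received error from KDC: //p' "$1" | tail -n 1
}

# Write a constructed trace to file $1. Scenario $2:
#   ad   - AD KDC offers only encrypted timestamp and the client completes it
#   fail - same offer, but no mechanism completes and the KDC rejects the login
write_sample_trace() {
    case "$2" in
    ad) cat > "$1" <<'EOF'
[1001] 1567434000.000001: Getting initial credentials for aduser@AD.EXAMPLE.TEST
[1001] 1567434000.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[1001] 1567434000.000003: Processing preauth types: PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[1001] 1567434000.000004: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
EOF
        ;;
    fail) cat > "$1" <<'EOF'
[1002] 1567434000.000001: Getting initial credentials for aduser@AD.EXAMPLE.TEST
[1002] 1567434000.000002: Received error from KDC: -1765328359/Additional pre-authentication required
[1002] 1567434000.000003: Processing preauth types: PA-ETYPE-INFO2 (19), PA-ENC-TIMESTAMP (2)
[1002] 1567434000.000004: Received error from KDC: -1765328360/Preauthentication failed
EOF
        ;;
    esac
}
```

A trace that ends in "none" with a KDC error is the login failure as seen from the client; comparing it with the "ad" shape shows whether encrypted timestamp was ever completed.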
Done: https://bugzilla.redhat.com/show_bug.cgi?id=1748072
Rob
On Mon 2 Sep 2019 at 16:35, Alexander Bokovoy abokovoy@redhat.com wrote:
> On Mon, 02 Sep 2019, Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> > I found out that when running IPA on RHEL 8, the setting [libdefaults] spake_preauth_groups=edwards25519 in the file /etc/krb5.conf.d/freeipa prevents AD domain account users from logging in to the IPA server running on RHEL 8.
> > According to this site, it's protection against dictionary attacks: https://web.mit.edu/kerberos/krb5-latest/doc/admin/spake.html
> > Commenting out those two lines and restarting the sssd service allows the AD domain users to log in to the RHEL 8 systems.
> > However, this means I lose the extra protection against dictionary attacks.
> > Is there a way to have both (login for AD users on RHEL 8 and dictionary attack protection)?
> Windows systems do not support the SPAKE mechanism, so they should fall back to encrypted timestamp. The question is mostly why the fallback doesn't happen.
> Could you please open a bug (against krb5) so that we can investigate?
> --
> Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
freeipa-users@lists.fedorahosted.org