Basic Auth Not Getting Credentials from Client

[btsimon97]

We are running apache httpd 2.4.51 with mod_auth_gssapi 1.6.3 on CentOS Stream 9 and attempting to tie it to our FreeIPA deployment.

When using the Negotiate method, clients joined to FreeIPA are able to auth correctly to apache. When a fallback to basic auth occurs though (such as for external clients or Windows systems which are not joined to FreeIPA), authentication fails, with the exact error message reported in the Apache logs being the one shown below:

[auth_gssapi:error] [pid 8613:tid 8758] [client 172.16.1.2:52886] GSS ERROR In Basic Auth: gss_acquire_cred_with_password() failed: [No credentials were supplied, or the credentials were unavailable or inaccessible (Pre-authentication failed: Invalid argument)]

The section of our Apache config pertaining to GSSAPI is below as well:

    AuthType GSSAPI
    AuthName "Login"
    GssapiBasicAuth On
    GssapiBasicAuthMech krb5
    GssapiNegotiateOnce On
    GssapiLocalName On
    GssapiCredStore keytab:/etc/httpd/conf/httpd.keytab
    GssapiUseSessions On
    Session On
    SessionCookieName gssapi_session path=/;httponly;secure;
    BrowserMatch Windows gssapi-no-negotiate
    Require valid-user

[btsimon97]

We were able to determine that this is being caused by FreeIPA's OTP feature. Turning off OTP allows authentication to succeed. How can we configure mod_gssapi such that it will work properly with FreeIPA's OTP functionality?

[simo5]

The OTP is required on the server side, and mod_auth_gssapi has no way to provide an OTP.
There is no configuration knob I am aware of at the moment.
GSSAPI's ability to deal with initialization from a password is very limited. If there is a way to tell the underlying libkrb5 to not use OTP then it would need to be implemented in libgssapi_krb5 first and then I would be able to set a gssapi name property or similar to suppress use of OTP.

@abbra do you know of any configuration, client side, perhaps in krb5.conf, that could change gssapi's behavior in this case?

[abbra]

There is no such configuration. What I'd like to know is whether OTP is the only method allowed for this user on IPA side or not. If it is the only method, then nothing can be done because using password is not enough, one have to provide a FAST channel and GSSAPI is not able to do so.
If there are multiple methods allowed for the user, e.g. OTP or password, then it might be a fallback issue that I'm planning to address soon.

[btsimon97]

Current FreeIPA configuration for the group of users affected by this is OTP only, as we want to enforce 2FA for applications that this group of users is authenticating in to.

There was mention in #151 about using mod_intercept_form_submit (via mod_authnz_pam) to provide support for something like this. This specific application though is directly running on Apache Web Server and is setup such that we only have usage of Apache's authentication methods to authenticate into the application. Our thoughts were to use mod_intercept_form_submit in conjuction with mod_auth_form, but we are not currently sure how to implement this (or if it is even possible).

[abbra]

Using OTP needs a FAST channel which is not supported for GSSAPI, so this is not going to work at all. The way how IPA Web UI does it is by performing a series of manual kinit calls in the background and then doing an internal redirect to mod_auth_gssapi-handled URI.

Neither mod_intercept_form_submit/nor mod_auth_form were designed for such usecase at all.

[abbra]

If you want to enforce use of OTP to access services protected by mod_auth_gssapi, then you can extend mod_auth_gssapi configuration by forcing presence of authentication indicators. This moves the responsibility to obtain Kerberos ticket with 2FA elsewhere. FreeIPA would set 'otp' authentication indicator for users with native OTP and 'radius' for RADIUS-proxy based one. See https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy.html for more details about Kerberos ticket policies and indicators.

mod_auth_gssapi's README has examples how to define requirements for indicators.

[btsimon97]

Is there more information on how FreeIPA's web UI implementation (which uses the manual kinit calls), works? While not clean we could reimplement a version of that for our application as it may meet our needs.

[abbra]

Sure, you can start with https://pagure.io/freeipa/blob/master/f/ipaserver/rpcserver.py#_978. kinit_armor and kinit_password are utilities provided by ipalib.install.kinit module which is installed on all IPA clients (it is used by IPA installer as well), so if you are using Python for your apps, you can simply lift that code as it is.