MIT Kerberos not applying password expiration upon user creation - kerberos

I'm running MIT Kerberos 1.17-3 on Debian 10 for a new auth system to replace our old Kerberos setup and noticed an odd issue. When creating user principals with kadmin it is not setting a password expiration date, but if I then change the password the expiration date is set. I can add the -pwexpire flag and get it to set the expiration during creation, but I would prefer that not be necessary in case either myself or a coworker forgets to set that flag when creating new users.
Is there a way to force Kerberos to set a password expiration date during the user creation without having to specify -pwexpire? Thanks in advance!
kadmin.local: getpol default
Policy: default
Maximum password life: 90 days 00:00:00 #<---- Max password life set correctly in policy
<snip>
kadmin.local: addprinc test123
NOTICE: no policy specified for test123#example.COM; assigning "default" #<---- default policy being applied during creation
Enter password for principal "test123#example.COM":
Re-enter password for principal "test123#example.COM":
Principal "test123#example.COM" created.
kadmin.local: getprinc test123
Principal: test123#example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:57:49 MDT 2020
Password expiration date: [never] #<-------------- Password expiration set to "never" after creation
<snip>
Policy: default
kadmin.local: cpw test123
Enter password for principal "test123#example.COM":
Re-enter password for principal "test123#example.COM":
Password for "test123#example.COM" changed.
kadmin.local: getprinc test123
Principal: test123#example.COM
Expiration date: [never]
Last password change: Mon Jun 29 11:58:16 MDT 2020
Password expiration date: Sun Sep 27 11:58:16 MDT 2020 #<--- Expiration updated to policy setting after changing password
<snip>
Policy: default

Related

Authentication Issues (KRB5\GSS)

We are looking to migrate some systems away from MSSQL. We have our first few environments built and currently using LDAP, which is OK but has a good number of flaws.
I followed this link to setup Kreberos\GSS for the most part: https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
Off the bat I got the below error when trying to connect:
psql: error: SSPI continuation error: The specified target is unknown or unreachable
I believe the SPN is setup properly:
setspn -S POSTGRES/server.domain.local domain\service_account
I suspect something is wrong in the keytab file, as there is an extra "" between the server FQDN and domain:
Keytab name: FILE:/opt/pgsql/server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
5 postgres#server.domain.local\#DOMAIN.LOCAL
Server side error:
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres FATAL: GSSAPI authentication failed for user "user#DOMAIN.LOCAL"
2020-12-28 18:37:43.820 EST [64534] user#DOMAIN.LOCAL#postgres DETAIL: Connection matched pg_hba.conf line 95: "host all all 0.0.0.0/0 gss"
I'd appreciate any feedback and thank you!

"550 5.7.1 Relaying denied" sending via Mailgun with msmtp

Has anyone successfully set up msmtp with a Mailgun account? I keep getting "Relaying denied", and msmtp reports that the envelope from is invalid. I have tried every variation of the from address that I can think of, scoured Mailgun's documentation for details on their SMTP parameters, and searched the web for examples, and I've not found anything that differs from my setup (aside from server and account names, of course).
Here is my /etc/msmtprc file,
account default
# The SMTP smarthost
host smtp.mailgun.org
# Use TLS on port 465
port 465
tls on
tls_starttls off
user manul#mail.mydomain.net
password [snip]
from mailgun#mydomain.net
# Syslog logging with facility LOG_MAIL instead of the default LOG_USER
syslog LOG_MAIL
And the msmtp session:
$ echo 'Subject: Grfg' | msmtp -v 'aidalgol#example.net'
loaded system configuration file /etc/msmtprc
ignoring user configuration file /home/me/.msmtprc: No such file or directory
falling back to default account
using account default from /etc/msmtprc
host = smtp.mailgun.org
port = 465
source ip = (not set)
proxy host = (not set)
proxy port = 0
timeout = off
protocol = smtp
domain = localhost
auth = none
user = manul#mail.mydomain.net
password = *
passwordeval = (not set)
ntlmdomain = (not set)
tls = on
tls_starttls = off
tls_trust_file = system
tls_crl_file = (not set)
tls_fingerprint = (not set)
tls_key_file = (not set)
tls_cert_file = (not set)
tls_certcheck = on
tls_min_dh_prime_bits = (not set)
tls_priorities = (not set)
auto_from = off
maildomain = (not set)
from = mailgun#aidalgolland.net
add_missing_from_header = on
add_missing_date_header = on
remove_bcc_headers = on
dsn_notify = (not set)
dsn_return = (not set)
logfile = (not set)
logfile_time_format = (not set)
syslog = LOG_MAIL
aliases = (not set)
reading recipients from the command line
TLS session parameters:
(TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-128-GCM)
TLS certificate information:
Owner:
Common Name: *.mailgun.org
Organization: MAILGUN TECHNOLOGIES\, INC
Organizational unit: MAILGUN TECHNOLOGIES\, INC
Locality: San Francisco
State or Province: California
Country: US
Issuer:
Common Name: Thawte TLS RSA CA G1
Organization: DigiCert Inc
Organizational unit: www.digicert.com
Country: US
Validity:
Activation time: Wed 19 Feb 2020 13:00:00 NZDT
Expiration time: Wed 20 Apr 2022 00:00:00 NZST
Fingerprints:
SHA256: 9E:5F:9B:27:BB:26:14:6F:3E:2F:50:75:FE:BF:64:1C:4B:8D:E0:A6:B7:EA:4F:27:13:05:FD:81:3F:57:52:26
SHA1 (deprecated): 54:36:F6:D1:44:0A:B4:62:F0:94:1B:21:7A:1B:82:5C:DF:FD:FF:57
<-- 220 Mailgun Influx ready
--> EHLO localhost
<-- 250-smtp-out-n17.prod.us-east-1.postgun.com
<-- 250-AUTH PLAIN LOGIN
<-- 250-SIZE 52428800
<-- 250-8BITMIME
<-- 250-ENHANCEDSTATUSCODES
<-- 250-SMTPUTF8
<-- 250 PIPELINING
--> MAIL FROM:<mailgun#myexample.net>
--> RCPT TO:<aidalgol#example.net>
--> DATA
<-- 550 5.7.1 Relaying denied
msmtp: envelope from address mailgun#mydomain.net not accepted by the server
msmtp: server message: 550 5.7.1 Relaying denied
msmtp: could not send mail (account default from /etc/msmtprc)
It turned out to be that I needed to set auth on in the msmtp configuration. The error envelope from address mailgun#mydomain.net not accepted by the server from msmtp was completely wrong.
For other people who got here you'll probably need to go to
https://app.mailgun.com/app/sending/domains/**YOUR-DOMAIN-NAME-HERE/credentials
to get your per-domain credentials as suggested here:
https://documentation.mailgun.com/en/latest/quickstart-sending.html#send-via-api
I diagrammed what to put where in the configuration file along with how to navigate to the setting. This should help make things super clear hopefully.
Note: The grey info-box in the bottom right with the password copy thing I got to by clicking on the green outlined "Reset password" button

Bearer was not authenticated: Signature validation failed

I am using Identity Server 4 to protect my APIs (Implicit Flow Mode) which are accessed by angular application. Every thing is working fine, however at specific period the access token suddenly became invalid even before its expiry.
Configuration:
Here is the Identity Server Startup file:
var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetTemporarySigningCredential();
identityBuilder.AddInMemoryScopes(identitySrvConfig.GetScopes());
identityBuilder.AddInMemoryClients(identitySrvConfig.GetClients());
Protecting the APIs:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = identityOptions.Authority,
ScopeName = "userProfile_api",
RequireHttpsMetadata = false
});
Investigation:
The issue was the bearer was not authenticated
Bearer was not authenticated. Failure message: IDX10501: Signature validation failed. Unable to match 'kid': 'e4f3534e5afd70ba74c245fe2e39c724', token
After some investigation, it appears that identity server is generating a new key which was causing the signature validation to fail.
In the log, I can see when the two warning events at end happening, then I see "Repository contains no viable default key" and "a new key should be added to the ring"
Questions
Why would there no be a key at anytime when the key lifetime is almost 3 months even I am using temporary signing (SetTemporarySigningCredential) and I am not restarting the server?
Creating key {a2fffa4a-345b-4f3b-bae7-454d567a1aee} with creation date 2017-03-03 19:15:28Z, activation date 2017-03-03 19:15:28Z, and expiration date 2017-06-01 19:15:28Z.
How can I solve this issue?
Creating a self signing certificate and removing the temporary signing on identity server fixed the issue.
var signingCertificate = new X509Certificate2("ReplaceByCertificatePath, "ReplaceByPasswordCertificate");
var identityBuilder = services.AddIdentityServer().AddInMemoryStores().SetSigningCredential(signingCertificate);
identityBuilder.AddInMemoryScopes(IdentitySrvConfig.GetScopes());
identityBuilder.AddInMemoryClients(IdentitySrvConfig.GetClients());

how can I access the value of a service ticket from kerberos cache?

I'm trying to debug an issue in kerberos configuration. I generated a service ticket using the kgetcred utility. I'd like to access the value of the service ticket so that I can put it into the Authorization header of a request to the protected resource.
I ran the following:
kinit myUser
kgetcred HTTP/myProtectedResource#MY.DOMAIN.COM
I can see the ticket exists by running
$klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: myUser#MY.DOMAIN.COM
Issued Expires Principal
Jan 30 15:37:39 2017 Jan 31 01:37:39 2017 krbtgt/MY.DOMAIN.COM#MY.DOMAIN.COM
Jan 30 16:02:39 2017 Jan 31 01:37:39 2017 HTTP/myProtectedResource#MY.DOMAIN.COM
I had a look inside the /tmp/krb5cc_1000 file, but this seems encrypted of encoded somehow.
How can I get the value of this ticket to put in the Authorization header when making an HTTP request to the protected resource?

LDAP cannot authenticate

I was following this guide to setup an LDAP server on CentOS 6.6: http://www.learnitguide.net/2016/01/configure-openldap-server-on-rhel7.html. I know the guide is for RHEL, but I think the vast majority of steps should be the same. I went through the tutorial and everything seems to work right except for sshing into the server as an LDAP user. As root I am able to su to any LDAP user. getent passwd username returns appropriate results. But every time I try to ssh in as a user I get permission denied and these messages show up in /var/log/secure:
Aug 8 22:13:14 servername sshd[5900]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rhostname user=username
Aug 8 22:13:14 servername sshd[5900]: pam_sss(sshd:auth): received for user username: 6 (Permission denied)
Aug 8 22:13:17 servername sshd[5900]: Failed password for username from rhostIPaddress port 34758 ssh2
I was hoping maybe someone may know of a step that guide left out that would cause this behavior. Thanks.
Turns out the self signed certificate I was using needed to have the IP address as the common name as opposed to the FQDN, not sure why that is but it's working now.
Information that can help others.
In my case this message was a time difference problem between the FreeIPA server and the clients. The command systemctl status sssd -l presented the message (skew clock too great).
This message from the Kerberos authentication server appears if the difference hour in servers is too large (more than three or four minutes).
OS: Ubuntu Server