From Fedora Project Wiki
(Adding info on how to use the kerberos tickets with OTP on new Fedora Accounts)
(update chrome/chromium policy parameter names)
 
(9 intermediate revisions by 7 users not shown)
Line 1: Line 1:
= Infrastructure kerberos authentication =
= Infrastructure Kerberos authentication =


== Background ==
== Background ==


Starting in November 2016, Fedora Infrastructure began to use kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow kerberos authentication, and disallow the old ssl cert authentication. In March 2021 the authentication backend FAS was replaced with Accounts  
Starting in November 2016, Fedora Infrastructure began to use Kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow Kerberos authentication, and disallow the old SSL cert authentication. In March 2021 the authentication backend FAS was replaced with Accounts  


== Supported Services ==
== Supported Services ==
Line 43: Line 43:
[domain_realm]</pre></blockquote></li>
[domain_realm]</pre></blockquote></li>


<li>Create the file <code>/etc/krb5.conf.d/fedoraproject_org</code> with the following content (or install the <code>fedora-packager</code> package)
<li>Create the file <code>/etc/krb5.conf.d/fedoraproject_org</code> with the following content (or install the <code>fedora-packager-kerberos</code> package)
<blockquote><pre>
<blockquote><pre>
[realms]
[realms]
  FEDORAPROJECT.ORG = {
  FEDORAPROJECT.ORG = {
         kdc = https://id.fedoraproject.org/KdcProxy
         kdc = https://id.fedoraproject.org/KdcProxy
        pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
  }
  }
[domain_realm]
[domain_realm]
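Review bot: The added `pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt` line points at a CA file whose origin the step never states; a reader who writes the snippet by hand instead of installing `fedora-packager-kerberos` can end up with an anchor path that does not exist on the system, and the OTP flow further down (`kinit -n`, which depends on PKINIT validating the KDC) then fails with an unhelpful error. Suggest saying where the CA certificate comes from, or telling readers to install the package whenever they use OTP.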
Line 55: Line 56:
{{admon/note|Note|See section '''Debugging problems''' to double sure the configuration}}
{{admon/note|Note|See section '''Debugging problems''' to double sure the configuration}}


<li>With <code>fedora-packager-kerberos</code> package you can run <code>fkinit</code> or <code>fkinit -u yourusername</code>. Alternatively you can do the following steps:</li>
<li><code>kinit <yourfasloginname>@FEDORAPROJECT.ORG</code></li>
<li><code>kinit <yourfasloginname>@FEDORAPROJECT.ORG</code></li>
{{admon/note|Note|Yes, upper-case FEDORAPROJECT.ORG — that's the convention for Kerberos.}}
{{admon/note|Note|Yes, upper-case FEDORAPROJECT.ORG — that's the convention for Kerberos.}}
Line 66: Line 68:
<li> If you are using two-factor authentication (AKA OTP) you need to do init your kerberos ticket with  
<li> If you are using two-factor authentication (AKA OTP) you need to do init your kerberos ticket with  
<blockquote><pre>
<blockquote><pre>
kinit -n @FEDORAPROJECT.ORG -c FILE:armor.ccache
kinit -n @FEDORAPROJECT.ORG -c FILE:${HOME}/armor.ccache
kinit -T FILE:armor.ccache <username>@FEDORAPROJECT.ORG
kinit -T FILE:${HOME}/armor.ccache <username>@FEDORAPROJECT.ORG
</pre></blockquote>
</pre></blockquote>
When prompted for <code>Enter OTP Token Value:</code>, you should actually enter password+OTP.  
When prompted for <code>Enter OTP Token Value:</code>, you should actually enter password+OTP.  
More information on [https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit Fedora Accounts documentation].
More information on [https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit Fedora Accounts documentation].
</li>
</li>
<li>
 




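Review bot: Moving the armor cache to `FILE:${HOME}/armor.ccache` removes the dependence on the current working directory, but the step should also say that the first `kinit -n ... -c` command creates that file (it holds only the anonymous ticket used to armor the second request) and that `<username>` is a placeholder for the FAS login name; the phrase "you need to do init your kerberos ticket with" should read "you need to obtain your Kerberos ticket with".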
Line 119: Line 121:


</pre>
</pre>
{{admon/note|Note|For Chrome/Chromium > 86 the policy parameter names are `AuthServerAllowlist` and `AuthNegotiateDelegateAllowlist`.}}


== Questions and Answers ==
== Questions and Answers ==


'''Question:''' Is there any particular format for username / domain I need to use?
'''Is there any particular format for username / domain I need to use?'''
 
'''Answer:''' Yes. Your username should be all lower case, and the domain name should be all UPPER CASE. ie, <code>username@FEDORAPROJECT.ORG</code>


'''Question:''' How can I see how long my ticket(s) are valid for?
: Yes. Your username should be all lower case, and the domain name should be all UPPER CASE. ie, <code>username@FEDORAPROJECT.ORG</code>


'''Answer:''' use <code>klist -A</code>
'''How can I see how long my ticket(s) are valid for?'''


'''Question:''' I don't seem to be logged into the koji web interface after this, why not?
: use <code>klist -A</code>


'''Answer:''' Logging into the koji web interface doesn't really get you much of anything, but you can get a valid ticket and then go to https://koji.fedoraproject.org/koji/login in your browser and you will be logged in.
'''I don't seem to be logged into the koji web interface after this, why not?'''


'''Question:''' When I run kinit I get: Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials
: Logging into the koji web interface doesn't really get you much of anything, but you can get a valid ticket and then go to https://koji.fedoraproject.org/koji/login in your browser and you will be logged in.


'''Answer:''' Login to [https://accounts.fedoraproject.org/ Fedora Accounts] and then retry. Your information needs to be synced from Fedora Accounts to the IPA server. Logging into FAS does so.
'''When I run kinit I get <code>Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials</code>'''


'''Question:''' I did that (logged into Fedora Accounts) in the last answer, and it didn't help, I still get the same error message. What's going on?
: Login to [https://accounts.fedoraproject.org/ Fedora Accounts] and then retry. Your information needs to be synced from Fedora Accounts to the IPA server. Logging into FAS does so.


'''Answer:''' For some small number of users there may be some issue with syncing information from Fedora Accounts->ipa. If this happens to you, please file an infrastructure ticket or talk with us on {{fpchat|#fedora-admin}} and we can manually fix things.  
'''I did that (logged into Fedora Accounts) in the last answer, and it didn't help, I still get the same error message. What's going on?'''


'''Question:''' It's not working for me, how can I gather debugging information?
: For some small number of users there may be some issue with syncing information from Fedora Accounts->ipa. If this happens to you, please file an infrastructure ticket or talk with us on {{fpchat|#fedora-admin}} and we can manually fix things.


'''Answer:''' Run the command with <code>KRB5_TRACE=/dev/stdout</code> in front of it and it should print a lot of debugging information.
'''It's not working for me, how can I gather debugging information?'''


'''Question:''' koji and/or fedpkg don't seem to be working for me.
: Run the command with <code>KRB5_TRACE=/dev/stdout</code> in front of it and it should print a lot of debugging information.  


'''Answer:''' Make sure you have upgraded to the versions listed above and also make sure you fold changes from <code>/etc/koji.conf.rpmnew</code> (if you ever modified your <code>/etc/koji.conf</code>) and your <code>~/.koji/config</code>. Note that in normal operation you can just use the stock <code>/etc/koji.conf</code> from the koji package and there is no need for a <code>~/.koji/config</code>. If it still doesn't work also check <code>/etc/rpkg/fedpkg.conf.rpmnew</code> and update your old config if it exists.
'''koji and/or fedpkg don't seem to be working for me.'''


'''Question:''' Where should I report problems or get help?
: Make sure you have upgraded to the versions listed above and also make sure you fold changes from <code>/etc/koji.conf.rpmnew</code> (if you ever modified your <code>/etc/koji.conf</code>) and your <code>~/.koji/config</code>. Note that in normal operation you can just use the stock <code>/etc/koji.conf</code> from the koji package and there is no need for a <code>~/.koji/config</code>. If it still doesn't work also check <code>/etc/rpkg/fedpkg.conf.rpmnew</code> and update your old config if it exists.


'''Answer:''' {{fpchat|#fedora-admin}} on IRC or [https://pagure.io/fedora-infrastructure/issues file a fedora-infrastructure ticket] and we will try and assist you!
'''Where should I report problems or get help? '''


'''Question:''' "kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials"?
: {{fpchat|#fedora-admin}} on IRC or [https://pagure.io/fedora-infrastructure/issues file a fedora-infrastructure ticket] and we will try and assist you!


'''Answer:'''  Try adding "includedir /etc/krb5.conf.d/" as the top line in the /etc/krb5.conf file
'''I get <code>kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials</code>'''


'''Question:''' "kinit: KDC can't fulfill requested option while renewing credentials"?
: Try adding "includedir /etc/krb5.conf.d/" as the top line in the /etc/krb5.conf file


'''Answer:'''  When getting the initial ticket, use kinit -r <secs> to get a renewable ticket. Or add "renew_lifetime = <lifetime>", where <lifetime> is for example 7d, to the [libdefaults] section of /etc/krb5.conf.
'''I get <code>kinit: KDC can't fulfill requested option while renewing credentials</code>'''


'''Question:''' After entering my password I get: Password incorrect while getting initial credentials
: When getting the initial ticket, use kinit -r <secs> to get a renewable ticket. Or add "renew_lifetime = <lifetime>", where <lifetime> is for example 7d, to the [libdefaults] section of /etc/krb5.conf.


'''Answer:''' Please make sure you enter your correct password. If you are sure you entered the correct password, but it doesn't work, please visit the [https://accounts.fedoraproject.org/ Fedora Accounts] and log in and change your password. '''NOTE: Resetting your password does *NOT* update the Kerberos password.''' If you forgot your password, first use the password reset feature and then log in again to Fedora Accounts and use the change password link.
'''After entering my password I get: <code>Password incorrect while getting initial credentials</code>'''


'''Question:''' Using Koji, I get an error "ImportError: Please install python-krbV to use kerberos"
: Please make sure you enter your correct password. If you are sure you entered the correct password, but it doesn't work, please visit the [https://accounts.fedoraproject.org/ Fedora Accounts] and log in and change your password. '''NOTE: Resetting your password does *NOT* update the Kerberos password.''' If you forgot your password, first use the password reset feature and then log in again to Fedora Accounts and use the change password link.


'''Answer:''' Please make sure that in /etc/krb5.conf, under [libdefaults], the option "rdns = false" is set. Note that this might break some non-Fedora krb5 services, but this is required to make GSSAPI work against Fedora services.
'''Using Koji, I get an error <code>ImportError: Please install python-krbV to use kerberos</code>'''


'''Question:''' I'm on a windows machine and I get a pop up window asking me for login and password and no matter what I enter there it doesn't work. Whats going on?
: Please make sure that in /etc/krb5.conf, under [libdefaults], the option "rdns = false" is set. Note that this might break some non-Fedora krb5 services, but this is required to make GSSAPI work against Fedora services.


'''Answer:''' This is windows seeing that you have a kerberos ticket and trying to authenticate as if it was a active directory setup. This will not work at all. When you get a windows authentication pop up, press 'cancel' and you should instead see the fedoraproject login/pass in the web browser page, enter your information here and you should authenticate.
'''I'm on a windows machine and I get a pop up window asking me for login and password and no matter what I enter there it doesn't work. Whats going on?'''


== Debugging problems ==
: This is windows seeing that you have a kerberos ticket and trying to authenticate as if it was a active directory setup. This will not work at all. When you get a windows authentication pop up, press 'cancel' and you should instead see the fedoraproject login/pass in the web browser page, enter your information here and you should authenticate.
 
There is [https://github.com/puiterwijk/KrbDebug/blob/master/KrbDebug a script that can check your configuration] and tell you if there is any common problem. Just clone the repository and run the script.
 
<pre>
$ git clone https://github.com/puiterwijk/KrbDebug.git
$ cd KrbDebug/
$ ./KrbDebug
</pre>


== Extra info for Infrastructure people ==
== Extra info for Infrastructure people ==


To access nagios, you need to use Kerberos as well.
To access nagios, you need to use Kerberos as well.
This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false" and "dns_canonicalize_hostname = false".
* This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false" and "dns_canonicalize_hostname = false".

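Review bot: The new note gives the post-86 policy key names while the JSON file and the `defaults write` commands in the Chromium/Chrome section still use `AuthServerWhitelist` / `AuthNegotiateDelegateWhitelist`; since readers copy the example as-is, update it to the `Allowlist` names (or show both variants side by side with the version each applies to) rather than relying on the note alone.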
Latest revision as of 18:29, 11 February 2023

Infrastructure Kerberos authentication

Background

Starting in November 2016, Fedora Infrastructure began to use Kerberos authentication for some services, starting with koji (the Fedora build system). On December 12th 2016, the koji buildsystem will be switched to only allow Kerberos authentication, and disallow the old SSL cert authentication. In March 2021 the authentication backend FAS was replaced with Accounts

Supported Services

  • koji
  • All Fedora Infrastructure ipsilon using applications via GSSAPI

Technical Details

Fedora Infrastructure is using Fedora Accounts (was FAS before), but now it syncs some account information to a pair of FreeIPA servers. Those servers are made available via a web proxy to Fedora contributors. Also, via the ipsilon identity management server and GSSAPI we are able to use Kerberos tickets to authenticate users to any services that use ipsilon.

How to use kerberos auth with Fedora Infrastructure

Command line

  • Install the krb5-workstation package (sudo dnf install krb5-workstation) if you do not have kinit command available.
  • If you are using two-factor authentication (OTP) you will also need the krb5-pkinit package.
  • Check that the main Kerberos configuration file /etc/krb5.conf contains the line includedir /etc/krb5.conf.d/, which makes it read the snippets in that directory. It should look something like this:
    includedir /etc/krb5.conf.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
      dns_lookup_realm = false
      ticket_lifetime = 24h
      renew_lifetime = 7d
      forwardable = true
      rdns = false
      default_ccache_name = KEYRING:persistent:%{uid}
      dns_canonicalize_hostname = false
    
    [realms]
    
    [domain_realm]
  • Create the file /etc/krb5.conf.d/fedoraproject_org with the following content (or install the fedora-packager-kerberos package)
    [realms]
     FEDORAPROJECT.ORG = {
            kdc = https://id.fedoraproject.org/KdcProxy
            pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
     }
    [domain_realm]
     .fedoraproject.org = FEDORAPROJECT.ORG
     fedoraproject.org = FEDORAPROJECT.ORG
    
    Note
    See the Debugging problems section to double-check the configuration.
  • With fedora-packager-kerberos package you can run fkinit or fkinit -u yourusername. Alternatively you can do the following steps:
  • kinit <yourfasloginname>@FEDORAPROJECT.ORG
  • Note
    Yes, upper-case FEDORAPROJECT.ORG — that's the convention for Kerberos.

    You can set default_realm = FEDORAPROJECT.ORG in the [libdefaults] section to avoid typing @FEDORAPROJECT.ORG each time.

  • Enter your FAS password
  • Note
    You should now be able to authenticate to supported services (koji and lookaside upload)

    Tickets are valid for 24 hours and can be renewed for 1 week.

    You can renew an existing ticket with kinit -R <username>@FEDORAPROJECT.ORG
  • If you are using two-factor authentication (AKA OTP) you need to obtain your Kerberos ticket with
    kinit -n @FEDORAPROJECT.ORG -c FILE:${HOME}/armor.ccache
    kinit -T FILE:${HOME}/armor.ccache <username>@FEDORAPROJECT.ORG
    

    When prompted for Enter OTP Token Value:, you should actually enter password+OTP. More information is in the Fedora Accounts documentation (https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit).

  • Store your FAS username (all lower case) in ~/.fedora.upn (This is not actually needed for Kerberos but for other tools that used the Fedora client certificate to determine the FAS username)
  • Note
    You need to do this regularly, whenever fedpkg or koji authentication fails. There is no support for these tools to prompt you automatically when the ticket has expired.
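The command-line steps above, collected into a script as an added example (not code from the Fedora wiki or the fedora-packager tools). It checks a krb5.conf and the realm snippet for the settings the page asks for, enforces the lower-case-user / upper-case-realm principal format, and wraps both the password and the OTP armor kinit flows. The function names and the sample configuration files written at the bottom are constructed for a dry run; point the check functions at /etc/krb5.conf and /etc/krb5.conf.d/fedoraproject_org to check a real machine.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki page: pre-flight checks for the
# Kerberos setup described above and a wrapper for the two kinit flows.
# The sample files created at the bottom are constructed for a dry run and are
# not real system files.

# Report which settings the page asks for are missing from a krb5.conf.
# Returns 0 when all are present, 1 otherwise (missing items go to stderr).
check_krb5_conf() {
    conf="$1"
    missing=""
    grep -Eq '^[[:space:]]*includedir[[:space:]]+/etc/krb5\.conf\.d/?' "$conf" \
        || missing="$missing includedir"
    grep -Eq '^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false' "$conf" \
        || missing="$missing rdns=false"
    grep -Eq '^[[:space:]]*dns_canonicalize_hostname[[:space:]]*=[[:space:]]*false' "$conf" \
        || missing="$missing dns_canonicalize_hostname=false"
    if [ -n "$missing" ]; then
        echo "krb5.conf is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Check the realm snippet: the FEDORAPROJECT.ORG stanza must point at the KDC
# proxy over HTTPS and name a pkinit anchor, which the OTP armor step relies on.
check_realm_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*FEDORAPROJECT\.ORG[[:space:]]*=[[:space:]]*\{' "$conf" \
        || { echo "no FEDORAPROJECT.ORG realm stanza" >&2; return 1; }
    grep -Eq '^[[:space:]]*kdc[[:space:]]*=[[:space:]]*https://id\.fedoraproject\.org/KdcProxy' "$conf" \
        || { echo "kdc is not the HTTPS KdcProxy URL" >&2; return 1; }
    grep -Eq '^[[:space:]]*pkinit_anchors[[:space:]]*=[[:space:]]*FILE:' "$conf" \
        || { echo "pkinit_anchors missing; the OTP kinit -n step will fail" >&2; return 1; }
    return 0
}

# Enforce the principal format from the Q&A: lower-case user, upper-case realm.
check_principal() {
    case "$1" in
        *@FEDORAPROJECT.ORG) user="${1%@FEDORAPROJECT.ORG}" ;;
        *) return 1 ;;
    esac
    [ -n "$user" ] || return 1
    [ "$user" = "$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')" ]
}

# Get a ticket the way the page describes. Usage: fedora_kinit <user> [otp]
# With "otp" it runs the anonymous armor kinit first, then the armored kinit;
# at the "Enter OTP Token Value:" prompt type your password followed by the code.
# Not called in the dry run below because it needs a network and your credentials.
fedora_kinit() {
    user="$1"
    check_principal "${user}@FEDORAPROJECT.ORG" \
        || { echo "username must be all lower case" >&2; return 1; }
    if [ "${2:-}" = "otp" ]; then
        armor="FILE:${HOME}/armor.ccache"
        kinit -n @FEDORAPROJECT.ORG -c "$armor" || return 1
        kinit -T "$armor" "${user}@FEDORAPROJECT.ORG" || return 1
    else
        kinit "${user}@FEDORAPROJECT.ORG" || return 1
    fi
    klist -A   # shows how long the new ticket is valid
}

# Constructed sample configs (dry run only), written to a temporary directory.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
includedir /etc/krb5.conf.d/

[libdefaults]
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
EOF
cat > "$SAMPLE_DIR/krb5.conf.broken" <<'EOF'
[libdefaults]
  dns_lookup_realm = false
EOF
cat > "$SAMPLE_DIR/fedoraproject_org" <<'EOF'
[realms]
  FEDORAPROJECT.ORG = {
         kdc = https://id.fedoraproject.org/KdcProxy
         pkinit_anchors = FILE:/etc/pki/ipa/fedoraproject_ipa_ca.crt
  }
[domain_realm]
  .fedoraproject.org = FEDORAPROJECT.ORG
EOF

check_krb5_conf "$SAMPLE_DIR/krb5.conf" && check_realm_conf "$SAMPLE_DIR/fedoraproject_org" \
    && echo "sample configuration looks complete"
check_krb5_conf "$SAMPLE_DIR/krb5.conf.broken" || echo "broken sample rejected as expected"
```

On a real machine, run `check_krb5_conf /etc/krb5.conf && check_realm_conf /etc/krb5.conf.d/fedoraproject_org` first; if both pass, `fedora_kinit yourusername` (or `fedora_kinit yourusername otp`) performs the same commands the steps above list by hand. The realm check insists on the `https://` KdcProxy URL and a pkinit anchor so that a mistyped snippet fails here rather than at a confusing `kinit` error.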

GUI (gnome/workstation)

  • Open settings -> Online Accounts -> Click on the + to add an account -> Click on "Other" at the end of the list -> Click on "Enterprise login (kerberos)"
  • Enter your FAS name @FEDORAPROJECT.ORG for the principal, e.g. fas@FEDORAPROJECT.ORG.
  • Enter your password when prompted.

Firefox

If you have Firefox 49 or higher and not tweaked any special configuration, you are done. If you have a lower version or want to check:

  • Go to about:config
  • Click the "I accept the risk" button
  • Search for "network.negotiate-auth.trusted-uris"
  • Double-click this option if it's not set to "https://", and set it to "https://"

Chromium/Chrome

For Chrome/Chromium, you need to create a policy file.

  • For Chromium, the directory to put this in is /etc/chromium/policies/managed/ .
  • For Chrome, the directory is /etc/opt/chrome/policies/managed/ (you might have to create this yourself).

In that, create a file (e.g. fedora_kerberos.json), with contents:

{
	"AuthServerWhitelist": "*.fedoraproject.org",
	"AuthNegotiateDelegateWhitelist": "*.fedoraproject.org"
}


For Mac Chrome/Chromium, you need to run these commands:


	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthServerWhitelist '.fedoraproject.org'
	sudo defaults write /Library/Preferences/com.google.Chrome.plist AuthNegotiateDelegateWhitelist '.fedoraproject.org'

Note
For Chrome/Chromium > 86 the policy parameter names are AuthServerAllowlist and AuthNegotiateDelegateAllowlist.
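Because the policy key names depend on the browser version, here is an added example (not from the Fedora wiki) that writes the policy file with the names matching the installed Chrome/Chromium: the Allowlist names for versions above 86, the Whitelist names from the JSON above otherwise. The function names, the version detection via `--version`, and the temporary directory used for the dry run are assumptions of this example; for a real install pass one of the managed-policy directories named above as root.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: write the Chrome/Chromium
# Kerberos policy file with the key names that match the installed browser.
# The directory and version are parameters, so nothing touches /etc unless you
# pass those paths yourself as root.

# Print the policy JSON for a given major version. Chrome/Chromium > 86 use the
# *Allowlist keys; older versions use the *Whitelist keys shown on the page.
chrome_kerberos_policy() {
    major="$1"
    case "$major" in
        ''|*[!0-9]*) echo "major version must be a number, got '$major'" >&2; return 1 ;;
    esac
    if [ "$major" -gt 86 ]; then
        server_key="AuthServerAllowlist"
        delegate_key="AuthNegotiateDelegateAllowlist"
    else
        server_key="AuthServerWhitelist"
        delegate_key="AuthNegotiateDelegateWhitelist"
    fi
    printf '{\n  "%s": "*.fedoraproject.org",\n  "%s": "*.fedoraproject.org"\n}\n' \
        "$server_key" "$delegate_key"
}

# Detect the installed browser's major version from its --version output
# (e.g. "Chromium 120.0.6099.129" -> 120). Returns 1 if no browser is found.
chrome_major_version() {
    for bin in chromium chromium-browser google-chrome google-chrome-stable; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" --version 2>/dev/null | sed -E 's/^[^0-9]*([0-9]+)\..*/\1/'
            return 0
        fi
    done
    return 1
}

# Write fedora_kerberos.json into a managed-policy directory, world-readable
# but writable only by its owner (root, when installed for real).
write_chrome_policy() {
    dir="$1"; major="$2"
    policy=$(chrome_kerberos_policy "$major") || return 1
    mkdir -p "$dir" || return 1
    printf '%s\n' "$policy" > "$dir/fedora_kerberos.json" || return 1
    chmod 0644 "$dir/fedora_kerberos.json"
}

# Dry run into a temporary directory; for a real install pass
# /etc/chromium/policies/managed or /etc/opt/chrome/policies/managed (as root).
DEMO_DIR=$(mktemp -d)
MAJOR=$(chrome_major_version) || MAJOR=87   # assume a current browser if none is installed
[ -n "$MAJOR" ] || MAJOR=87
write_chrome_policy "$DEMO_DIR" "$MAJOR" && cat "$DEMO_DIR/fedora_kerberos.json"
```

The version check is the whole point: a policy file with the wrong key names is silently ignored by the browser, so the Kerberos negotiation simply never happens and the failure looks like a login problem rather than a configuration one. Verify the result in the browser's policy page (chrome://policy) after restarting it.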

Questions and Answers

Is there any particular format for username / domain I need to use?

Yes. Your username should be all lower case, and the domain name should be all UPPER CASE, i.e. username@FEDORAPROJECT.ORG

How can I see how long my ticket(s) are valid for?

Use klist -A

I don't seem to be logged into the koji web interface after this, why not?

Logging into the koji web interface doesn't really get you much of anything, but you can get a valid ticket and then go to https://koji.fedoraproject.org/koji/login in your browser and you will be logged in.

When I run kinit I get Client 'yourname@FEDORAPROJECT.ORG' not found in Kerberos database while getting initial credentials

Log in to Fedora Accounts (https://accounts.fedoraproject.org/) and then retry. Your information needs to be synced from Fedora Accounts to the IPA server. Logging into FAS does so.

I did that (logged into Fedora Accounts) in the last answer, and it didn't help, I still get the same error message. What's going on?

For a small number of users there may be an issue with syncing information from Fedora Accounts to IPA. If this happens to you, please file an infrastructure ticket or talk with us on #fedora-admin and we can manually fix things.

It's not working for me, how can I gather debugging information?

Run the command with KRB5_TRACE=/dev/stdout in front of it and it should print a lot of debugging information.

koji and/or fedpkg don't seem to be working for me.

Make sure you have upgraded to the versions listed above and also make sure you fold changes from /etc/koji.conf.rpmnew (if you ever modified your /etc/koji.conf) and your ~/.koji/config. Note that in normal operation you can just use the stock /etc/koji.conf from the koji package and there is no need for a ~/.koji/config. If it still doesn't work also check /etc/rpkg/fedpkg.conf.rpmnew and update your old config if it exists.

Where should I report problems or get help?

#fedora-admin on IRC, or file a fedora-infrastructure ticket (https://pagure.io/fedora-infrastructure/issues) and we will try and assist you!

I get kinit: Cannot find KDC for realm "FEDORAPROJECT.ORG" while getting initial credentials

Try adding "includedir /etc/krb5.conf.d/" as the top line in the /etc/krb5.conf file

I get kinit: KDC can't fulfill requested option while renewing credentials

When getting the initial ticket, use kinit -r <secs> to get a renewable ticket. Or add "renew_lifetime = <lifetime>", where <lifetime> is for example 7d, to the [libdefaults] section of /etc/krb5.conf.

After entering my password I get: Password incorrect while getting initial credentials

Please make sure you enter your correct password. If you are sure you entered the correct password, but it doesn't work, please visit Fedora Accounts (https://accounts.fedoraproject.org/), log in and change your password. NOTE: Resetting your password does *NOT* update the Kerberos password. If you forgot your password, first use the password reset feature and then log in again to Fedora Accounts and use the change password link.

Using Koji, I get an error ImportError: Please install python-krbV to use kerberos

Please make sure that in /etc/krb5.conf, under [libdefaults], the option "rdns = false" is set. Note that this might break some non-Fedora krb5 services, but this is required to make GSSAPI work against Fedora services.

I'm on a Windows machine and I get a pop-up window asking me for login and password, and no matter what I enter there it doesn't work. What's going on?

This is Windows seeing that you have a Kerberos ticket and trying to authenticate as if it were an Active Directory setup. This will not work at all. When you get a Windows authentication pop-up, press 'Cancel' and you should instead see the fedoraproject login/password form in the web browser page; enter your information there and you should authenticate.

Extra info for Infrastructure people

To access nagios, you need to use Kerberos as well.

  • This will require you to change /etc/krb5.conf, and under [libdefaults] add or set "rdns = false" and "dns_canonicalize_hostname = false".