Description
Authentication testing.
Setup
- Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
- Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)
How to test
User
Prerequisites
To test authentication, we need to create a user first.
To create a user, kinit (or log in) as the admin user and run:
  # ipa user-add --first=User --last=One user1
  ------------------
  Added user "user1"
  ------------------
    User login: user1
    First name: User
    Last name: One
    Full name: User One
    Display name: User One
    Initials: UO
    Home directory: /home/user1
    GECOS field: user1
    Login shell: /bin/sh
    Kerberos principal: user1@IPA.EXAMPLE.COM
    UID: 197600003
Then assign the initial password to the user.
  # ipa passwd user1
  Password:
  Enter Password again to verify:
  ------------------------------------------
  Changed password for "user1@IPA.EXAMPLE.COM"
  ------------------------------------------
The user user1 is now available, although its password must be changed at the first login.
NOTE: ipa user-add does not create a home directory, so you may need to create one before testing a user login later. pam_mkhomedir can also be configured to create local home directories automatically.
Password
Password Change Required - First kinit:
When a user is created, or when an administrator resets a user's password, a password change is required for security reasons. The user can change their password by running kinit. If a password change is needed, kinit automatically invokes kpasswd to perform the change on the fly.
In the shell run:
  # kinit user1
  Password for user1@IPA.EXAMPLE.COM:
  Password expired.  You must change it now.
  Enter new password:
  Enter it again:
The passwords are not echoed; the terminal shows nothing while you type. Use a password that meets the password policy, or the password change may fail. A valid test password is 'Test1234'.
NOTE: You now hold a TGT for user1. If you need to perform administration tasks, you will need to kinit as admin again.
Password Doesn't Meet Policy Criteria:
Check password policies by trying to change the password for user1 and use a very short password like 'pwd':
  # kpasswd user1
  Password for user1@IPA.EXAMPLE.COM:
  Enter new password:
  Enter it again:
  Password change rejected: Password change failed Err6: Password too short.
Verify that you get the error above.
Password Meets Policy Criteria:
Try again to change your password, this time using a password like 'freeipa1', to verify that the change is allowed when the password is longer than 8 characters.
  # kpasswd user1
  Password for user1@IPA.EXAMPLE.COM:
  Enter new password:
  Enter it again:
  Password changed.
SSH Login
Password based:
Once you have a valid user with a valid password, test that it can log in using ssh.
  # ssh user1@localhost
  Password:
  Could not chdir to home directory /home/user1: No such file or directory
NOTE: You will get the home directory warning if you have not created a home directory for the user, but the user is still logged in.
SSO Login:
Now log out and try again after a kinit:
  # kinit user1
  Password for user1@IPA.EXAMPLE.COM:
You should be logged in without being asked for a password by ssh.
  # ssh user1@server.ipa.example.com
  Last login: Tue Feb  8 12:59:44 2011 from server.ipa.example.com
Additional authentication tests
Invalid Password:
Test that the system behaves properly with respect to wrong passwords.
Remove any cached credentials:
  # kdestroy
Try to login via ssh and use the wrong password:
  # ssh user1@server.ipa.example.com
  Password:
  Password:
  Password:
  user1@server.ipa.example.com's password:
  Permission denied, please try again.
  user1@server.ipa.example.com's password:
  Permission denied, please try again.
  user1@server.ipa.example.com's password:
  Received disconnect from 192.168.122.22: 2: Too many authentication failures for user1
Account lockout:
By default a user can fail to authenticate only a few times. If a user fails to authenticate more times than the policy allows, the account is temporarily locked (the defaults should be 10 attempts and a 10 minute lock time).
Run kinit and provide a wrong password until the KDC refuses to give you a try:
  # kinit user1
  Password for user1@IPA.EXAMPLE.COM:
  kinit: Password incorrect while getting initial credentials
  .
  .
  .
  # kinit user1
  kinit: Clients credentials have been revoked while getting initial credentials
Once this happens, try again with the right password and make sure you are still denied a ticket. Then wait for the lock timeout and try again with the right password. Make sure you get credentials now.
If you want to see details about the lockout you can show the user details with the --all switch (with admin user credentials).
The attribute krbloginfailedcount shows the number of failed attempts. The attribute krblastfailedauth contains the date (in UTC) of the last failed authentication. The account will be unlocked 10 minutes after this date.
  # ipa user-show user1 --all
    dn: uid=user1,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
    User login: user1
    First name: User
    Last name: One
    Full name: User One
    Display name: User One
    Initials: UO
    Home directory: /home/user1
    GECOS field: user1
    Login shell: /bin/sh
    Kerberos principal: user1@IPA.EXAMPLE.COM
    UID: 197600003
    GID: 197600003
    Account disabled: False
    Member of groups: ipausers
    ipauniqueid: f52859a6-339f-11e0-896a-5254009ccfc2
    krblastfailedauth: 20110208202243Z
    krblastpwdchange: 20110208175427Z
    krblastsuccessfulauth: 20110208193126Z
    krbloginfailedcount: 10
    krbpasswordexpiration: 20110509175427Z
    krbpwdpolicyreference: cn=global_policy,cn=IPA.EXAMPLE.COM,cn=kerberos,dc=ipa,dc=example,dc=com
    mepmanagedentry: cn=user1,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
    objectclass: top, person, organizationalperson, inetorgperson, inetuser, posixaccount, krbprincipalaux, krbticketpolicyaux, ipaobject, mepOriginEntry
After you have successfully logged in, the krbloginfailedcount attribute should be 0, and krblastsuccessfulauth should be greater than krblastfailedauth.
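The lockout check above can be scripted rather than read by eye. The following is an added example, not part of the Fedora QA test case or of FreeIPA itself: it parses the attribute lines of `ipa user-show user1 --all`, decides whether the account is still locked at a given time, and checks the post-login expectation (counter back to 0, last success after last failure). The sample listings are constructed from the shape of the page's own output, and the policy values are the defaults the page names (10 attempts, 10 minute lock time); nothing else is assumed.

```python
# Added example: evaluate FreeIPA lockout state from `ipa user-show --all` output.
# Sample data below is constructed; policy values are the page's stated defaults.
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 10                          # default: 10 attempts (page)
LOCKOUT_DURATION = timedelta(minutes=10)   # default: 10 minute lock time (page)

# Constructed sample: the account right after the 10th failed kinit.
SAMPLE_LOCKED = """\
  User login: user1
  Kerberos principal: user1@IPA.EXAMPLE.COM
  krblastfailedauth: 20110208202243Z
  krblastpwdchange: 20110208175427Z
  krblastsuccessfulauth: 20110208193126Z
  krbloginfailedcount: 10
  krbpasswordexpiration: 20110509175427Z
"""

# Constructed sample: the same account after a successful login once the lock expired.
SAMPLE_AFTER_LOGIN = """\
  User login: user1
  krblastfailedauth: 20110208202243Z
  krblastsuccessfulauth: 20110208203500Z
  krbloginfailedcount: 0
"""


def parse_user_show(text):
    """Turn 'Key: value' lines into a dict keyed by lower-cased attribute name."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs


def parse_generalized_time(value):
    """LDAP generalized time as printed by ipa (YYYYMMDDHHMMSSZ) -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def lockout_status(attrs, now):
    """Return (locked, unlock_at). The account counts as locked while the failure
    counter has reached the policy maximum and the lockout duration since the
    last failed authentication has not yet elapsed. `now` may be a datetime or
    a generalized-time string."""
    if isinstance(now, str):
        now = parse_generalized_time(now)
    failed = int(attrs.get("krbloginfailedcount", "0"))
    last_failed = attrs.get("krblastfailedauth")
    if failed < MAX_FAILURES or not last_failed:
        return False, None
    unlock_at = parse_generalized_time(last_failed) + LOCKOUT_DURATION
    return now < unlock_at, unlock_at


def login_reset_ok(attrs):
    """Post-login expectation from the test case: counter back to 0 and the last
    successful authentication later than the last failed one."""
    if int(attrs.get("krbloginfailedcount", "0")) != 0:
        return False
    last_ok = attrs.get("krblastsuccessfulauth")
    last_failed = attrs.get("krblastfailedauth")
    if not last_ok:
        return False
    if not last_failed:
        return True
    return parse_generalized_time(last_ok) > parse_generalized_time(last_failed)


if __name__ == "__main__":
    locked_attrs = parse_user_show(SAMPLE_LOCKED)
    locked, unlock_at = lockout_status(locked_attrs, "20110208202500Z")
    print("locked at 20:25:00 UTC:", locked, "unlock at:", unlock_at)
    print("post-login state ok:", login_reset_ok(parse_user_show(SAMPLE_AFTER_LOGIN)))
```

On a real server you would feed the function the output of `ipa user-show user1 --all` (run with admin credentials, as the page says) and the current UTC time; the unlock time it computes is krblastfailedauth plus the 10 minute default, which is the moment the test case tells you to retry with the correct password.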
Graphical Login
Let's test a GDM login.
Test on the server or on a client. To make sure GDM is properly set up to accept FreeIPA logins, I suggest running the following in a root shell after ipa-client-install (or ipa-server-install) completes successfully:
  # init 3; sleep 2; init 5
When using FreeIPA logins for the first time, you may have to select "Other..." from the user selection list in GDM in order to enter a FreeIPA user name.
Enter your password and you should get into the Gnome Shell.
Password Doesn't Meet Policy Criteria:
If the user is brand new or after an administrative password reset, at login the user should be asked to change the password.
Let's reset a user's password to test this scenario.
  # ipa passwd psmith
Set something simple like 'freeipa123'.
Now go back to the GDM login screen and try to log in. After the password is entered, the user is asked to provide a new password, with a message that the password has expired.
The GDM prompt may ask you to re-enter your valid password as the first thing, so check carefully what it is asking before entering new passwords.
Try to change to a simple password like 'password'.
GDM should show messages that the password is not strong enough and refuse your attempts, ultimately bringing you back to the main login screen.
Password Meets Policy Criteria:
Now try again using a good password.
To make sure the password change is accepted use a password like: 'T3s7Pwd1'
No Password Change Required:
Now logout from the gnome session, and log back in with the new password to make sure everything has worked successfully during the password change.
Screen Lock and Unlock - KRB Ticket Exists:
When you are logged into the desktop, a kerberos credential cache is generated for you.
Run klist to show it:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw
  Default principal: user1@IPA.EXAMPLE.COM

  Valid starting     Expires            Service principal
  02/10/11 09:49:34  02/11/11 09:49:34  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
          renew until 02/11/11 09:49:37
Now lock the screen with CTRL+ALT+L and unlock the screensaver using the user's password.
Run klist again:
  $ klist
  Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw
  Default principal: user1@IPA.EXAMPLE.COM

  Valid starting     Expires            Service principal
  02/10/11 10:00:02  02/11/11 10:00:02  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
          renew until 02/11/11 10:00:05
Verify that the dates have changed, meaning the Kerberos TGT was refreshed when the password was provided at unlock.
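The before/after comparison of the two klist listings can also be automated. This is an added example, not part of the Fedora QA test case or of MIT Kerberos: it parses the ticket table printed by klist, picks out the krbtgt entry for the default principal's realm, and reports whether its "Valid starting" time moved forward between the two listings. The two sample listings are constructed from the page's own klist output; the date format assumed is the short `MM/DD/YY HH:MM:SS` form shown on the page.

```python
# Added example: check that the TGT in the klist output was renewed after the unlock.
# The klist listings below are constructed from the page's output.
import re
from datetime import datetime

KLIST_BEFORE = """\
Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw
Default principal: user1@IPA.EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/11 09:49:34  02/11/11 09:49:34  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
        renew until 02/11/11 09:49:37
"""

KLIST_AFTER = """\
Ticket cache: FILE:/tmp/krb5cc_197600003_HSvKtw
Default principal: user1@IPA.EXAMPLE.COM

Valid starting     Expires            Service principal
02/10/11 10:00:02  02/11/11 10:00:02  krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
        renew until 02/11/11 10:00:05
"""

# One ticket row: start time, expiry time, service principal (the page's klist format).
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)
TIME_FMT = "%m/%d/%y %H:%M:%S"   # assumed: the short date format klist used on this page


def parse_klist(text):
    """Return (default principal, {service principal: (valid_starting, expires)})."""
    principal = None
    tickets = {}
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.partition(":")[2].strip()
            continue
        m = TICKET_RE.match(line.strip())
        if m:
            start, end, service = m.groups()
            tickets[service] = (datetime.strptime(start, TIME_FMT),
                                datetime.strptime(end, TIME_FMT))
    return principal, tickets


def tgt_refreshed(before_text, after_text):
    """True when the same principal's krbtgt ticket starts later in the second listing,
    which is what the test case expects after unlocking the screen with the password."""
    p_before, t_before = parse_klist(before_text)
    p_after, t_after = parse_klist(after_text)
    if p_before is None or p_before != p_after:
        return False
    realm = p_before.split("@")[-1]
    tgt = f"krbtgt/{realm}@{realm}"
    if tgt not in t_before or tgt not in t_after:
        return False
    return t_after[tgt][0] > t_before[tgt][0]


if __name__ == "__main__":
    print("principal:", parse_klist(KLIST_BEFORE)[0])
    print("TGT refreshed after unlock:", tgt_refreshed(KLIST_BEFORE, KLIST_AFTER))
```

Running it against a listing compared with itself returns False, which is the failure case the test step is looking for: an unlock that did not obtain a fresh TGT leaves "Valid starting" unchanged.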
Expected Results
All the test steps should end with the specified results.