#10100 kinit: Preauthentication failed while getting initial credentials
Closed: Fixed 3 years ago by kevin. Opened 3 years ago by glb.

Describe what you would like us to do:


Hi. I enabled 2FA and now I cannot get a kerberos ticket and I cannot log onto Fedora Magazine to schedule tomorrow's article for publication. I'm following the directions at https://docs.fedoraproject.org/en-US/fedora-accounts/user/#pkinit. But all I get is kinit: Preauthentication failed while getting initial credentials.

If the easiest thing to do for now is to disable 2FA, then I am OK with that. The interface will not let me do so.

When do you need this to be done by? (YYYY/MM/DD)


No big hurry. Thanks.


Try and install 'fedora-packager-kerberos' and use 'fkinit' does that work?

'fedora-packager-kerberos' was already installed. 'fkinit' is generating the same error.

[/home/gregory]$ fkinit -u glb
Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials

I tried entering my passphrase first and just entering the OTP. Either way it fails immediately with the error shown above. I can, however, log onto https://accounts.fedoraproject.org/ which allows direct entry of both on the webform. So I'm sure I'm using the right passphrase and OTP.

Thanks.

Can you attach the output of:

KRB5_TRACE=/dev/stdout fkinit -u glb

Sure.

[/home/gregory]$ KRB5_TRACE=/dev/stdout fkinit -u glb
[48753] 1626235127.712436: Getting initial credentials for @FEDORAPROJECT.ORG
[48753] 1626235127.712438: Sending unauthenticated request
[48753] 1626235127.712439: Sending request (223 bytes) to FEDORAPROJECT.ORG
[48753] 1626235127.712440: Resolving hostname id.fedoraproject.org
[48753] 1626235128.062500: TLS certificate name matched "id.fedoraproject.org"
[48753] 1626235128.062501: Sending HTTPS request to https 152.19.134.142:443
[48753] 1626235128.062502: Received answer (346 bytes) from https 152.19.134.142:443
[48753] 1626235128.062503: Terminating TCP connection to https 152.19.134.142:443
[48753] 1626235128.062504: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[48753] 1626235128.062505: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[48753] 1626235128.062506: Response was from primary KDC
[48753] 1626235128.062507: Received error from KDC: -1765328359/Additional pre-authentication required
[48753] 1626235128.062510: Preauthenticating using KDC method data
[48753] 1626235128.062511: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[48753] 1626235128.062512: Selected etype info: etype aes256-cts, salt "FEDORAPROJECT.ORGWELLKNOWNANONYMOUS", params ""
[48753] 1626235128.062513: Received cookie: MIT
[48753] 1626235128.062514: Preauth module pkinit (147) (info) returned: 0/Success
[48753] 1626235128.062515: PKINIT client received freshness token from KDC
[48753] 1626235128.062516: Preauth module pkinit (150) (info) returned: 0/Success
[48753] 1626235128.062517: PKINIT loading CA certs and CRLs from FILE
[48753] 1626235128.062518: PKINIT client computed kdc-req-body checksum 9/99B5EBC725FFA5FC7C4069A3C19930AB82C08C90
[48753] 1626235128.062520: PKINIT client making DH request
[48753] 1626235129.215831: Preauth module pkinit (16) (real) returned: 0/Success
[48753] 1626235129.215832: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[48753] 1626235129.215833: Sending request (1435 bytes) to FEDORAPROJECT.ORG
[48753] 1626235129.215834: Resolving hostname id.fedoraproject.org
[48753] 1626235129.215835: TLS certificate name matched "id.fedoraproject.org"
[48753] 1626235129.215836: Sending HTTPS request to https 38.145.60.20:443
[48753] 1626235129.215837: Received answer (2855 bytes) from https 38.145.60.20:443
[48753] 1626235129.215838: Terminating TCP connection to https 38.145.60.20:443
[48753] 1626235129.215839: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[48753] 1626235129.215840: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[48753] 1626235129.215841: Response was from primary KDC
[48753] 1626235129.215842: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[48753] 1626235129.215843: Preauth module pkinit (147) (info) returned: 0/Success
[48753] 1626235129.215844: PKINIT client verified DH reply
[48753] 1626235129.215845: PKINIT client found id-pkinit-san in KDC cert: krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
[48753] 1626235129.215846: PKINIT client matched KDC principal krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG against id-pkinit-san; no EKU check required
[48753] 1626235129.215847: PKINIT client used KDF 2B06010502030602 to compute reply key aes256-cts/85EE
[48753] 1626235129.215848: Preauth module pkinit (17) (real) returned: 0/Success
[48753] 1626235129.215849: Produced preauth for next request: (empty)
[48753] 1626235129.215850: AS key determined by preauth: aes256-cts/85EE
[48753] 1626235129.215851: Decrypted AS reply; session key is: aes256-cts/31AE
[48753] 1626235129.215852: FAST negotiation: available
[48753] 1626235129.215853: Initializing FILE:/tmp/tmp.kmo1NP1Ljc with default princ WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS
[48753] 1626235129.215854: Storing config in FILE:/tmp/tmp.kmo1NP1Ljc for : start_realm: FEDORAPROJECT.ORG
[48753] 1626235129.215855: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/start_realm@X-CACHECONF: in FILE:/tmp/tmp.kmo1NP1Ljc
[48753] 1626235129.215856: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG in FILE:/tmp/tmp.kmo1NP1Ljc
[48753] 1626235129.215857: Storing config in FILE:/tmp/tmp.kmo1NP1Ljc for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: fast_avail: yes
[48753] 1626235129.215858: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/tmp.kmo1NP1Ljc
[48753] 1626235129.215859: Storing config in FILE:/tmp/tmp.kmo1NP1Ljc for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: pa_type: 16
[48753] 1626235129.215860: Storing WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/pa_type/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: in FILE:/tmp/tmp.kmo1NP1Ljc
Enter your password and OTP concatenated. (Ignore that the prompt is for only the token)
[48754] 1626235129.492577: Matching glb@FEDORAPROJECT.ORG in collection with result: -1765328243/Can't find client principal glb@FEDORAPROJECT.ORG in cache collection
[48754] 1626235129.492578: Getting initial credentials for glb@FEDORAPROJECT.ORG
[48754] 1626235129.492579: FAST armor ccache: FILE:/tmp/tmp.kmo1NP1Ljc
[48754] 1626235129.492580: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/fast_avail/krbtgt\/FEDORAPROJECT.ORG\@FEDORAPROJECT.ORG@X-CACHECONF: from FILE:/tmp/tmp.kmo1NP1Ljc with result: 0/Success
[48754] 1626235129.492581: Read config in FILE:/tmp/tmp.kmo1NP1Ljc for krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG: fast_avail: yes
[48754] 1626235129.492582: Using FAST due to armor ccache negotiation result
[48754] 1626235129.492583: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG using ccache FILE:/tmp/tmp.kmo1NP1Ljc
[48754] 1626235129.492584: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krb5_ccache_conf_data/start_realm@X-CACHECONF: from FILE:/tmp/tmp.kmo1NP1Ljc with result: 0/Success
[48754] 1626235129.492585: Read config in FILE:/tmp/tmp.kmo1NP1Ljc for : start_realm: FEDORAPROJECT.ORG
[48754] 1626235129.492586: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG from FILE:/tmp/tmp.kmo1NP1Ljc with result: 0/Success
[48754] 1626235129.492587: Armor ccache sesion key: aes256-cts/31AE
[48754] 1626235129.492589: Creating authenticator for WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG, seqnum 0, subkey aes256-cts/7758, session key aes256-cts/31AE
[48754] 1626235129.492591: FAST armor key: aes256-cts/0BCC
[48754] 1626235129.492593: Sending unauthenticated request
[48754] 1626235129.492594: Encoding request body and padata into FAST request
[48754] 1626235129.492595: Sending request (1013 bytes) to FEDORAPROJECT.ORG
[48754] 1626235129.492596: Resolving hostname id.fedoraproject.org
[48754] 1626235129.492597: TLS certificate name matched "id.fedoraproject.org"
[48754] 1626235129.492598: Sending HTTPS request to https 67.219.144.68:443
[48754] 1626235129.492599: Received answer (599 bytes) from https 67.219.144.68:443
[48754] 1626235129.492600: Terminating TCP connection to https 67.219.144.68:443
[48754] 1626235129.492601: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[48754] 1626235129.492602: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[48754] 1626235129.492603: Response was from primary KDC
[48754] 1626235129.492604: Received error from KDC: -1765328359/Additional pre-authentication required
[48754] 1626235129.492605: Decoding FAST response
[48754] 1626235129.492608: Preauthenticating using KDC method data
[48754] 1626235129.492609: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[48754] 1626235129.492610: Received cookie: MIT
[48754] 1626235129.492611: PKINIT client has no configured identity; giving up
[48754] 1626235129.492612: Preauth module pkinit (147) (info) returned: 0/Success
[48754] 1626235129.492613: PKINIT client received freshness token from KDC
[48754] 1626235129.492614: Preauth module pkinit (150) (info) returned: 0/Success
[48754] 1626235129.492615: PKINIT client has no configured identity; giving up
[48754] 1626235129.492616: Preauth module pkinit (16) (real) returned: 22/Invalid argument
Enter OTP Token Value: 
[48754] 1626235139.616689: Preauth module otp (141) (real) returned: 0/Success
[48754] 1626235139.616690: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[48754] 1626235139.616691: Encoding request body and padata into FAST request
[48754] 1626235139.616692: Sending request (1157 bytes) to FEDORAPROJECT.ORG
[48754] 1626235139.616693: Resolving hostname id.fedoraproject.org
[48754] 1626235139.616694: TLS certificate name matched "id.fedoraproject.org"
[48754] 1626235139.616695: Sending HTTPS request to https 8.43.85.67:443
[48754] 1626235140.027698: Received answer (599 bytes) from https 8.43.85.67:443
[48754] 1626235140.027699: Terminating TCP connection to https 8.43.85.67:443
[48754] 1626235140.027700: Sending DNS URI query for _kerberos.FEDORAPROJECT.ORG.
[48754] 1626235140.027701: URI answer: 10 1 "krb5srv:m:kkdcp:https://id.fedoraproject.org/KdcProxy/"
[48754] 1626235140.027702: Response was from primary KDC
[48754] 1626235140.027703: Received error from KDC: -1765328360/Preauthentication failed
[48754] 1626235140.027704: Decoding FAST response
kinit: Preauthentication failed while getting initial credentials
[/home/gregory]$ 
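
Reading the trace above: pid 48753 is fkinit obtaining an anonymous PKINIT ticket (WELLKNOWN/ANONYMOUS) to use as FAST armor; pid 48754 is the FAST-armored request for glb@FEDORAPROJECT.ORG, where the KDC offers PA-OTP-CHALLENGE (141), the client answers with PA-OTP-REQUEST (142), and the KDC replies -1765328360/Preauthentication failed. The "PKINIT client has no configured identity; giving up" lines are expected for a user without a client certificate and are not the failure. The script below is an added example for this ticket, not code from fedora-packager or krb5: it groups KRB5_TRACE lines by pid, extracts the preauth negotiation, and turns the final KDC error into a verdict. The trace lines in SAMPLE are constructed to mirror the shape of the posted trace; the realm EXAMPLE.ORG, the principal alice, the pids and the key fingerprint are placeholders.

```python
"""Triage helper for MIT krb5 KRB5_TRACE output.

Added example for this ticket; it is not code from fedora-packager or krb5.
The trace lines in SAMPLE are constructed to mirror the shape of the trace
posted above (pid, timestamp, message); realm, principal and pids are
placeholders and the key fingerprint carries no meaning.
"""
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d+\.\d+):\s+(.*)$")   # [pid] secs.usecs: message
PA_RE = re.compile(r"([A-Z][A-Z_-]+)\s+\((\d+)\)")           # e.g. PA-OTP-CHALLENGE (141)
KDC_ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/(.*)$")
PRINC_RE = re.compile(r"Getting initial credentials for (\S+)")

KDC_ERR_PREAUTH_REQUIRED = -1765328359   # "Additional pre-authentication required"
KDC_ERR_PREAUTH_FAILED = -1765328360     # "Preauthentication failed"

SAMPLE = """\
[1001] 1626235127.712436: Getting initial credentials for @EXAMPLE.ORG
[1001] 1626235127.712438: Sending unauthenticated request
[1001] 1626235128.062507: Received error from KDC: -1765328359/Additional pre-authentication required
[1001] 1626235128.062511: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-ETYPE-INFO2 (19), PA-PKINIT-KX (147), PA-ENC-TIMESTAMP (2), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133)
[1001] 1626235129.215832: Produced preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)
[1001] 1626235129.215842: Processing preauth types: PA-PK-AS-REP (17), PA-PKINIT-KX (147)
[1001] 1626235129.215851: Decrypted AS reply; session key is: aes256-cts/31AE
[1002] 1626235129.492578: Getting initial credentials for alice@EXAMPLE.ORG
[1002] 1626235129.492582: Using FAST due to armor ccache negotiation result
[1002] 1626235129.492604: Received error from KDC: -1765328359/Additional pre-authentication required
[1002] 1626235129.492609: Processing preauth types: PA-PK-AS-REQ (16), PA-FX-FAST (136), PA-PKINIT-KX (147), PA-OTP-CHALLENGE (141), PA_AS_FRESHNESS (150), PA-FX-COOKIE (133), PA-FX-ERROR (137)
[1002] 1626235129.492611: PKINIT client has no configured identity; giving up
[1002] 1626235139.616690: Produced preauth for next request: PA-FX-COOKIE (133), PA-OTP-REQUEST (142)
[1002] 1626235140.027703: Received error from KDC: -1765328360/Preauthentication failed
"""


@dataclass
class Exchange:
    """One AS exchange, keyed by the pid krb5 prints in front of each line."""
    pid: str
    principal: str = ""
    fast: bool = False             # request was wrapped in FAST armor
    got_reply: bool = False        # "Decrypted AS reply" seen: the KDC issued a ticket
    pkinit_identity: bool = True   # False once PKINIT reports no client identity
    offered: list = field(default_factory=list)   # preauth types the KDC offered
    produced: list = field(default_factory=list)  # preauth types the client sent
    errors: list = field(default_factory=list)    # (code, text) KRB-ERRORs from the KDC


def parse_trace(text):
    """Group KRB5_TRACE lines by pid and extract the preauth negotiation."""
    exchanges = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                     # prompts and other non-trace lines
        pid, _ts, msg = m.groups()
        ex = exchanges.setdefault(pid, Exchange(pid))
        pm = PRINC_RE.search(msg)
        em = KDC_ERR_RE.search(msg)
        if pm:
            ex.principal = pm.group(1)
        elif em:
            ex.errors.append((int(em.group(1)), em.group(2)))
        elif msg.startswith("Processing preauth types:"):
            ex.offered.extend(name for name, _ in PA_RE.findall(msg))
        elif msg.startswith("Produced preauth for next request:"):
            ex.produced.extend(name for name, _ in PA_RE.findall(msg))
        elif msg.startswith("Using FAST") or "into FAST request" in msg:
            ex.fast = True
        elif msg.startswith("Decrypted AS reply"):
            ex.got_reply = True
        elif "PKINIT client has no configured identity" in msg:
            ex.pkinit_identity = False
    return list(exchanges.values())


def diagnose(ex):
    """Return (verdict, explanation) for one exchange."""
    who = ex.principal or "<unknown>"
    codes = [code for code, _ in ex.errors]
    if ex.got_reply:
        how = "PKINIT" if "PA-PK-AS-REQ" in ex.produced else "password/OTP"
        return "success", f"{who}: AS reply decrypted after {how} preauth"
    if KDC_ERR_PREAUTH_FAILED in codes:
        note = ""
        if not ex.pkinit_identity:
            note = " (PKINIT skipped: no client certificate configured, expected for OTP users)"
        if "PA-OTP-REQUEST" in ex.produced:
            return "otp_rejected", (f"{who}: KDC rejected the OTP response; with fkinit type the "
                                    f"password immediately followed by the OTP at the one prompt{note}")
        if "PA-ENC-TIMESTAMP" in ex.produced:
            return "password_rejected", f"{who}: KDC rejected the encrypted timestamp (wrong password){note}"
        return "preauth_failed", f"{who}: preauth failed after sending {ex.produced}{note}"
    if "PA-OTP-CHALLENGE" not in ex.offered and not ex.fast and KDC_ERR_PREAUTH_REQUIRED in codes:
        return "no_fast", f"{who}: no FAST armor, so the KDC did not offer PA-OTP-CHALLENGE"
    return "incomplete", f"{who}: exchange ended without a reply or a KDC error"


def triage(text):
    """Map each client principal in the trace to its verdict."""
    return {ex.principal: diagnose(ex)[0] for ex in parse_trace(text)}


if __name__ == "__main__":
    for ex in parse_trace(SAMPLE):
        verdict, why = diagnose(ex)
        print(f"[{ex.pid}] {verdict}: {why}")
```

Run it against a real capture with `KRB5_TRACE=/tmp/krb5.trace fkinit -u USER` and then `python3 triage.py < /tmp/krb5.trace` after swapping SAMPLE for `sys.stdin.read()`. The "no_fast" rule encodes the fact that the OTP preauth mechanism is only offered inside FAST armor, which is why fkinit first fetches the anonymous PKINIT ticket; a plain `kinit USER` without armor will never see PA-OTP-CHALLENGE.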

Metadata Update from @humaton:
- Issue tagged with: low-gain, low-trouble, ops

3 years ago

Metadata Update from @mohanboddu:
- Issue untagged with: low-gain, low-trouble
- Issue priority set to: Waiting on Assignee (was: Needs Review)
- Issue tagged with: medium-gain, medium-trouble

3 years ago

"I tried entering my passphrase first and just entering the OTP"

Did you enter your password and OTP concatenated? i.e., if your password is 'foo' and your OTP is 123456, enter 'foo123456' in the prompt.

No, I did not try that.

Doing it that way, it seems to work now! And I can log onto Fedora Magazine.

Sorry, I must have missed that in the instructions.

Thanks! I guess this issue can be closed.

Edit: I just looked back at the instructions. I get it now. I was expecting two prompts. Sorry about the confusion.

Edit2: IMHO, the verbiage in the documentation could use a little improvement. "Enter your password first ..." implies pressing the "enter" key directly after one inputs their password. I think "Type your password first ..." would be more appropriate if that is what is meant.

Yeah, I could see how it could be confusing. ;(

Can you suggest the better wording over at https://pagure.io/fedora-packager/ ?

Thanks!

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

3 years ago
