PrivacyIdea SSH authentication with LDAP Resolver
131 views
Skip to first unread message
CK
Jul 6, 2015, 5:18:11 AM7/6/15
to priva...@googlegroups.com
Hi ! I have a privacy idea server configured on my ubuntu 14.04. I have a little issue with SSH :
--> I can authenticate via SSH successfully when the username passed (when doing ssh user@localhost) is in /etc/passwd.
Now, I configured a LDAP resolver, who seems to be well-configured because it retrieves my users stored in.
But, when I tried to do ssh ldapUser@localhost, it fails and in the audit of the webUI of PI, I have "wrong otp pin" and however I checked that the token is working.
So does the PAM module works with any resolver or JUST with /etc/passwd (unix users) ?
Thanks in advance,
Kind regards,
Karim
Cornelius Kölbel
Jul 6, 2015, 6:27:40 AM7/6/15
to priva...@googlegroups.com
Hi Karim,
No, it works with all kinds of user stores.
But you need to be aware, that the user also needs to be available on
the system, where you are authenticating.
You are jumping into a complex scenario which contains several possible
source for errors.
Always approach a scenario step by step, to reduce the possible error
source in each step.
In your case, the OTP PIN is wrong.
So first you need to assure, that you in fact can authenticate with the
token and with the user.
(Without any PAM-stuff)
Kind regards
Cornelius
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/3281f7c7-6391-4d78-93dc-43b455b9d3be%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
No, it works with all kinds of user stores.
But you need to be aware, that the user also needs to be available on
the system, where you are authenticating.
You are jumping into a complex scenario which contains several possible
source for errors.
Always approach a scenario step by step, to reduce the possible error
source in each step.
In your case, the OTP PIN is wrong.
So first you need to assure, that you in fact can authenticate with the
token and with the user.
(Without any PAM-stuff)
Kind regards
Cornelius
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/3281f7c7-6391-4d78-93dc-43b455b9d3be%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
CK
Jul 6, 2015, 8:46:49 AM7/6/15
to priva...@googlegroups.com
Hi Cornelius ! It's okay, I've resolved my issue, and now I can authenticate on ssh via the ldap resolver ;-)
I had to configure the nsswitch.conf and it works well now !
Kind regards,
Karim
Reply all
Reply to author
Forward
0 new messages