RSA key + TOTP authentication problem


Michał Lewndowski

Jul 11, 2016, 5:08:32 PM
to privacyidea
Hello,

I've successfully set up SSH key-based authentication with privacyIDEA, but I have a problem with TOTP auth.
I've been using RADIUS, and its configuration on the privacyIDEA server looks like this:
client clientprivacyIDEA {
        ipaddr = 192.168.1.123
        netmask = 24
        secret = lewandowskim
}

On client I've added this line in /etc/pam.d/sshd:
@include otp-auth

and my otp-auth file looks like this:
auth    [success=1 default=ignore]      pam_radius_auth.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

and my pam_radius_auth.conf looks like:
192.168.1.123   lewandowskim    5

And when I try to log in, only the RSA key is used, and in the logs I receive the following info:
[INFO][privacyidea.lib.applications.ssh:89] Token u'TOTP0001653E', type u'totp' is not supported bySSH application module

How can I fix it?

Thanks,
Michal

Cornelius Kölbel

Jul 12, 2016, 1:20:26 AM
to priva...@googlegroups.com
Hello Michal,

you have given a lot of RADIUS configuration, but did you take a look at the
RADIUS log?!

The log from privacyIDEA tells that you have obviously attached the
TOTP token to this client machine with the SSH application.
You do not need to do this - or rather, you must not do this.
The "normal" TOTP token does not need to be attached.

1. verify normal authentication (e.g. REST API)
-> take a look at the privacyIDEA log
2. verify RADIUS authentication (WITHOUT SSH!), e.g. with radclient
-> take a look at the RADIUS log
3. If this is all working right, you can check SSH.
-> take a look at the PAM log

This is the recommended way to narrow down a problem. ;-)

Kind regards
Cornelius
> --
> Please read the blog post about getting help
> https://www.privacyidea.org/getting-help/.
>
> For professional services and consultancy regarding two factor
> authentication please visit
> https://netknights.it/en/leistungen/one-time-services/
>
> In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
> which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
> https://netknights.it/en/leistungen/service-level-agreements/
> ---
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> Visit this group at https://groups.google.com/group/privacyidea.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/af8b4842-a577-4a1f-aa88-3e0d2ee63484%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Michał Lewndowski

Jul 12, 2016, 4:48:36 AM
to privacyidea
I've tested normal authentication only via RSA key and it works fine.
Actually I must attach some application, because otherwise privacyIDEA doesn't allow me to attach a machine to the TOTP token.
I've checked the RADIUS log, and on the privacyIDEA server it receives something like this:

Error: Failed binding to authentication address * port 1812: Address already in use
Error: /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.43.96 port 49567

I'll also attach my RADIUS server configuration.


machineAttach.png
radiusserver.png

Michał Lewndowski

Jul 12, 2016, 7:15:19 AM
to privacyidea
I also forgot to mention that I'm using Ubuntu 14.04.

Cornelius Kölbel

Jul 12, 2016, 8:59:43 AM
to priva...@googlegroups.com
Do not attach TOTP to a machine. There is no sense in doing this.

FreeRADIUS sometimes does not stop correctly. So you first need to kill
the other FreeRADIUS. Simple as that.
There is only one FreeRADIUS listening on port 1812.

Kind regards
Cornelius
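The RADIUS log posted earlier in the thread actually carries two separate problems, and a small triage script added here as an example (not FreeRADIUS or privacyIDEA code) pulls them apart. It embeds, as constructed input, the clients.conf block and the three log lines from the thread plus a made-up sample of `ss -ulnp` output for the process holding port 1812 (the pid is invented; only the `users:(("name",pid=N,...))` part is parsed, the column layout is assumed). The bind failure is the stale FreeRADIUS Cornelius describes; the third line is different: 192.168.43.96 is not inside the only client block, 192.168.1.123 with netmask 24 (i.e. 192.168.1.0/24), so FreeRADIUS drops that request before it ever reaches privacyIDEA.

```python
"""Triage of a FreeRADIUS startup/request log against clients.conf. Added example, standard library only.
Assumptions: FreeRADIUS 2.x clients.conf syntax (ipaddr + netmask as prefix length), ss output as on Ubuntu 14.04."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the clients.conf block from the thread (not read from a live file).
CLIENTS_CONF = """\
client clientprivacyIDEA {
        ipaddr = 192.168.1.123
        netmask = 24
        secret = lewandowskim
}
"""

# Constructed input: the three radiusd log lines from the thread.
RADIUS_LOG = [
    "Error: Failed binding to authentication address * port 1812: Address already in use",
    "Error: /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812",
    "Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.43.96 port 49567",
]

# Constructed sample of `ss -ulnp 'sport = :1812'`; the pid is made up.
SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN     0      0                  *:1812             *:*     users:(("freeradius",pid=1234,fd=8))
"""

_CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
_KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)
_PORT_CONFLICT_RE = re.compile(r"Address already in use|Error binding to port")
_UNKNOWN_CLIENT_RE = re.compile(r"unknown client (\d+\.\d+\.\d+\.\d+)")

def parse_clients_conf(text: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each client block to the network it covers (old-style ipaddr/netmask syntax)."""
    clients = {}
    for name, body in _CLIENT_RE.findall(text):
        kv = dict(_KV_RE.findall(body))
        prefix = kv.get("netmask", "32")             # FreeRADIUS 2.x: netmask is a prefix length
        # strict=False normalises 192.168.1.123/24 to 192.168.1.0/24, as FreeRADIUS does
        clients[name] = ipaddress.ip_network(f"{kv['ipaddr']}/{prefix}", strict=False)
    return clients

def known_client(src_ip: str, clients: Dict[str, ipaddress.IPv4Network]) -> Optional[str]:
    """Name of the client block covering src_ip, or None (then FreeRADIUS ignores the packet)."""
    addr = ipaddress.ip_address(src_ip)
    for name, net in clients.items():
        if addr in net:
            return name
    return None

def classify_log_line(line: str) -> Tuple[str, Optional[str]]:
    m = _UNKNOWN_CLIENT_RE.search(line)
    if m:
        return ("unknown_client", m.group(1))
    if _PORT_CONFLICT_RE.search(line):
        return ("port_conflict", None)
    return ("other", None)

def parse_ss_listeners(ss_text: str) -> List[Tuple[str, int]]:
    """(process name, pid) pairs from the users:(...) column of ss -p output."""
    return [(name, int(pid)) for name, pid in re.findall(r'\("([^"]+)",pid=(\d+)', ss_text)]

def triage(log_lines: List[str], clients_conf_text: str, ss_text: str) -> List[str]:
    clients = parse_clients_conf(clients_conf_text)
    findings, seen_conflict = [], False
    for line in log_lines:
        kind, ip = classify_log_line(line)
        if kind == "port_conflict" and not seen_conflict:
            seen_conflict = True                     # both bind lines describe the same condition
            holders = parse_ss_listeners(ss_text)
            who = ", ".join(f"{n} (pid {p})" for n, p in holders) or "an unidentified process"
            findings.append(f"port 1812 is already bound by {who}; stop that instance "
                            f"(check with ss -ulnp 'sport = :1812') before starting freeradius again")
        elif kind == "unknown_client" and known_client(ip, clients) is None:
            nets = ", ".join(f"{n}={c}" for n, c in clients.items())
            findings.append(f"request from {ip} matches no client block ({nets}); "
                            f"the host sending RADIUS must be listed in clients.conf with the same secret")
    return findings

if __name__ == "__main__":
    for f in triage(RADIUS_LOG, CLIENTS_CONF, SS_OUTPUT):
        print("-", f)
```

With the thread's data this yields two findings, and fixing only the first (killing the stale daemon) still leaves the second: the pam_radius_auth client will get no reply at all until its source address is covered by a client block, which looks like a timeout on the SSH side rather than a rejection. If the request really should come from 192.168.1.0/24, the NAS is sending from a different interface than expected and the client block, not the log, is what to adjust.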