Hi,
I am trying to set up privacyIDEA to be our 2FA authenticator but am having a hard time with the PAM setup.
Here is our setup:
- privacyIDEA is installed on a server: it-2fa.ourdomain.de
- it-2fa runs on Ubuntu 16 (Xenial)
- privacyIDEA already runs through apache2: https://it-2fa.ourdomain.de
- for the authentication, I have krb5 doing it and LDAP as the resolver
- as an example, I created a 2FA token using a test user's credentials 'it-user-x' + PW, which can be found in our LDAP user DB. It was successfully authenticated against the krb5 server.
- the main point of this is setting up privacyIDEA to accept OTP, U2F or any available token as the second factor after the first SSH authentication via PAM.
PROBLEM:
- It seems to have a problem authenticating, and I have no clue what the log is telling me.
Apr 4 16:30:59 it-2fa sshd[13778]: pam_krb5(sshd:auth): user it-user-x authenticated as it-u...@OURDOMAIN.DE
Apr 4 16:30:59 it-2fa sshd: Authenticating it-user-x against https://it-2fa.ourdomain.de
Apr 4 16:30:59 16525 sshd: requests > 1.0
Apr 4 16:30:59 it-2fa sshd: privacyidea_pam: result: {u'status': True, u'value': False}
Apr 4 16:30:59 it-2fa sshd: privacyidea_pam: detail: {u'message': u'wrong otp pin', u'threadid': 140130433734400}
Apr 4 16:30:59 it-2fa sshd[13778]: Failed password for it-user-x from 131.x.x.x port 51616 ssh2
Apr 4 16:31:30 it-2fa sshd[13778]: Connection closed by 131.x.x.x port 51616 [preauth]
My common-auth PAM config is as follows:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug
auth required pam_permit.so
Could you please help me with this?
Best Regards,
Jojo
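An added check, not code from the original post or from the privacyIDEA project: it sends a user and PIN+OTP straight to privacyIDEA's /validate/check endpoint and interprets the same result.status, result.value and detail.message fields that privacyidea_pam logs above, which separates a rejected token or PIN from a PAM stack that forwards the wrong password. The base URL, user and optional realm are assumptions; TLS verification stays on unless explicitly disabled, like the 'nosslverify' option in the PAM line.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


def interpret_response(body):
    """Map a /validate/check JSON body to (accepted, message).
    result.status: request processed at all; result.value: credentials accepted;
    detail.message: reason text such as "wrong otp pin"."""
    result = body.get("result", {})
    detail = body.get("detail", {})
    if not result.get("status", False):
        err = result.get("error", {}).get("message", "unknown error")
        return False, "request failed: " + str(err)
    return bool(result.get("value", False)), str(detail.get("message", ""))


def check_otp(base_url, user, pin_otp, realm="", verify_tls=True):
    """POST user and PIN+OTP to <base_url>/validate/check, bypassing PAM entirely."""
    form = {"user": user, "pass": pin_otp}
    if realm:  # assumption: only needed when the user is not in the default realm
        form["realm"] = realm
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of the 'nosslverify' PAM option
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip("/") + "/validate/check",
                                 data=urllib.parse.urlencode(form).encode(),
                                 method="POST")
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return interpret_response(json.load(resp))
    except urllib.error.HTTPError as e:  # privacyIDEA returns errors with a JSON body too
        return interpret_response(json.loads(e.read().decode() or "{}"))


# Constructed sample mirroring the two privacyidea_pam lines in the log above
# (not a captured server response).
SAMPLE_REJECTED = {"result": {"status": True, "value": False},
                   "detail": {"message": "wrong otp pin"}}

if __name__ == "__main__":
    import getpass, sys
    # usage: check_otp.py https://it-2fa.ourdomain.de it-user-x  (host from the post)
    ok, msg = check_otp(sys.argv[1], sys.argv[2], getpass.getpass("PIN+OTP: "))
    print("accepted" if ok else "rejected", msg)
```

If this direct check accepts the same PIN+OTP that fails through SSH, the difference lies in what the PAM stack hands to privacyidea_pam.py rather than in the token itself.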