PAM module fails to authenticate against server?


iamo...@gmail.com

Apr 4, 2017, 10:52:04 AM
to privacyidea
Hi,

I am trying to set up privacyIDEA to be our 2FA authenticator but am having a hard time with the PAM setup.

Here is our setup:

- privacyIDEA installed on a server it-2fa.ourdomain.de
- it-2fa runs Ubuntu 16 (xenial)
- privacyIDEA already runs through apache2: https://it-2fa.ourdomain.de
- for authentication, I have krb5 doing it and LDAP as the resolver
- as an example, I created a 2FA token using a test user's credentials 'it-user-x' + password, which can be found in our LDAP user DB. It was successfully authenticated against the krb5 server.
- the main point of this is setting up privacyIDEA to accept an OTP, U2F or any available token for the second-factor authentication after doing the first SSH authentication using PAM.

PROBLEM:
- It seems to have a problem authenticating and I have no clue what the log is telling me.

Apr  4 16:30:59 it-2fa sshd[13778]: pam_krb5(sshd:auth): user it-user-x authenticated as it-u...@OURDOMAIN.DE
Apr  4 16:30:59 it-2fa sshd: Authenticating it-user-x against https://it-2fa.ourdomain.de
Apr  4 16:30:59 16525 sshd: requests > 1.0
Apr  4 16:30:59 it-2fa sshd: privacyidea_pam: result: {u'status': True, u'value': False}
Apr  4 16:30:59 it-2fa sshd: privacyidea_pam: detail: {u'message': u'wrong otp pin', u'threadid': 140130433734400}
Apr  4 16:30:59 it-2fa sshd[13778]: Failed password for it-user-x from 131.x.x.x port 51616 ssh2
Apr  4 16:31:30 it-2fa sshd[13778]: Connection closed by 131.x.x.x port 51616 [preauth]


My common-auth PAM configuration is as follows:
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug
auth    required                        pam_permit.so

Could you please help me with this?


Best Regards,
Jojo

iamo...@gmail.com

Apr 5, 2017, 6:30:41 AM
to privacyidea
Hi,

I've checked the OTP with testOTP and it authenticates successfully (see attached). Am I missing something? I've changed the line to:

auth    requisite                       pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug

yet I still have the same error in /var/log/auth.log :-(

Regards,
Jojo
otptest.png

iamo...@gmail.com

Apr 5, 2017, 7:35:13 AM
to privacyidea
Here is another log. It seems to see the serial of the token but does not authenticate. When I try the OTP test button in the WebUI, it authenticates successfully.

Apr  5 12:37:08 it-2fa sshd: requests > 1.0
Apr  5 12:37:08 it-2fa sshd: privacyidea_pam: result: {u'status': True, u'value': False}
Apr  5 12:37:08 it-2fa sshd: privacyidea_pam: detail: {u'message': u'wrong otp value', u'type': u'totp', u'serial': u'TOTP0001D001', u'otplen': 6, u'threadid': 140671260854016}
Apr  5 12:37:08 it-2fa sshd[4271]: error: PAM: Authentication failure for admin2fa from 131.x.x.x
Apr  5 12:37:08 it-2fa sshd[4271]: Postponed keyboard-interactive for admin2fa from 131.x.x.x port 56632 ssh2 [preauth]

iamo...@gmail.com

Apr 5, 2017, 9:04:28 AM
to privacyidea
Sorry for flooding, I got it working. I really forgot that the PIN also has to be typed! Before, I had set the PIN to 'test', and that's the reason for the "wrong OTP" output in the logs. Now I set no PIN and it works!

Another thing to be implemented is this scenario:
- user-x has 2 tokens (totp and u2f)
- the 2fa should be used when ssh-ing to a machine.
- example: ssh use...@machine.domain.de
- the PAM plugin should be able to select which token is to be used after the first authentication, so the flow would be: username+password -> select token to be used (since the user has 2 tokens) -> authenticate using the selected token -> session.

Is this possible with the PAM plugin?

Thanks so much in advance!

-Jojo
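The log lines in the first post ("result: {u'status': True, u'value': False}", "detail: wrong otp pin") and the resolution above (the PIN has to be typed in front of the OTP) come down to how privacyIDEA splits one password field into PIN and OTP. The following is an added example, not code from this thread, from privacyIDEA or from its PAM module: a small offline model of that check. The token table, its serial, the PIN 'test' and the seed (the RFC 4226 test seed) are constructed for the example; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, and the reply shape mirrors the result/detail fields visible in the thread's auth.log lines. Sending only the OTP while the token has a PIN produces 'wrong otp pin'; sending PIN+OTP succeeds; a PIN with a stale OTP produces 'wrong otp value', as in the second log.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample token store for this example (not real privacyIDEA data):
# one TOTP token with PIN "test", 6 digits, 30 s time step.
SAMPLE_TOKENS = {
    "it-user-x": {
        "serial": "TOTP_EXAMPLE_0001",        # placeholder serial
        "type": "totp",
        "secret": b"12345678901234567890",    # RFC 4226 test seed, constructed here
        "pin": "test",
        "otplen": 6,
        "timestep": 30,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, timestep: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / timestep)."""
    return hotp(secret, at // timestep, digits)


def validate_check(user: str, password: str, at: int, window: int = 1) -> dict:
    """Model of the /validate/check reply the PAM module logs.

    Only the fields seen in the thread are modelled: result.status/value and
    a detail with message, and type/serial/otplen once the token is known.
    The password is "<PIN><OTP>"; the OTP is the trailing otplen digits.
    """
    token = SAMPLE_TOKENS.get(user)
    if token is None:
        return {"result": {"status": True, "value": False},
                "detail": {"message": "user has no token"}}
    pin, otplen = token["pin"], token["otplen"]
    given_pin, given_otp = password[:-otplen], password[-otplen:]
    detail = {"type": token["type"], "serial": token["serial"], "otplen": otplen}
    if given_pin != pin or len(given_otp) != otplen:
        # This is the branch hit when the PIN is omitted or wrong.
        detail["message"] = "wrong otp pin"
        return {"result": {"status": True, "value": False}, "detail": detail}
    step = at // token["timestep"]
    # Accept +/- `window` time steps of clock drift, compared in constant time.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(token["secret"], step + drift, otplen), given_otp):
            detail["message"] = "matching 1 tokens"
            return {"result": {"status": True, "value": True}, "detail": detail}
    detail["message"] = "wrong otp value"
    return {"result": {"status": True, "value": False}, "detail": detail}


def pam_decision(reply: dict) -> str:
    """Reduce the reply to the PAM outcome handed back to sshd: only
    status AND value both true count as an authenticated second factor."""
    result = reply.get("result", {})
    if result.get("status") and result.get("value"):
        return "PAM_SUCCESS"
    return "PAM_AUTH_ERR"


if __name__ == "__main__":
    now = int(time.time())
    otp = totp(SAMPLE_TOKENS["it-user-x"]["secret"], now)
    for attempt in (otp, "test" + otp):
        reply = validate_check("it-user-x", attempt, now)
        print(f"pass={attempt!r}: result={reply['result']} "
              f"detail={reply['detail']} -> {pam_decision(reply)}")
```

The point for a deployment is that the PAM module never sees "PIN" and "OTP" as separate things: whatever the user types at the OTP prompt is sent as one value, so a token with a PIN set needs the PIN typed first, and the server's detail message is the only place that distinguishes a PIN mismatch from a wrong OTP.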

Cornelius Kölbel

Apr 6, 2017, 12:11:45 PM
to privacyidea
You cannot use the U2F token with privacyIDEA to do an SSH login.

If the user has several tokens, like HOTP or TOTP, the user simply **uses** one of his tokens, and privacyIDEA will realize which one it was.

iamo...@gmail.com

Apr 6, 2017, 6:50:41 PM
to privacyidea
It would be great if the PAM plugin could also handle U2F token authentications. In my case, there should be other tokens available aside from TOTP/HOTP, like U2F, email, or SMS. I've tried two from the list (TOTP, SMS) but it always prompts the first "Your OTP : ". It would be proper if there were handling for the case that there are multiple tokens for the authenticating user. I think that would be the option corresponding to challenge-response under the authentication policy. Additionally, is it possible to auto-enroll a default token through settings/policy/event handlers, let's say an email token, if the user authenticates against the privacyIDEA server WebUI for the first time and has no tokens available? The reason for this is that if the user's password gets compromised and is used by a MITM to log into the privacyIDEA server using only credentials (userstore account + password), and then creates another token or changes current tokens, then the whole 2FA infrastructure or security flow of the organization will also not be that effective. I suppose it would also really be beneficial if the privacyIDEA server itself had a 2FA mechanism for user authentication using the WebUI.

Or do you have an implementation for this?

Best regards,
Jojo Santos

Jochen Hein

Apr 7, 2017, 12:23:23 AM
to iamo...@gmail.com, privacyidea
iamo...@gmail.com writes:

> It would be great if the PAM Plugin could also handle U2F token
> authentications.

There is a (small) pam-u2f module from yubico:
https://github.com/Yubico/pam-u2f

Not integrated into privacyidea, but it might give a hint how that could
be implemented.

> I suppose it would also
> really be beneficial if the privacyidea server itself has a 2FA mechanism
> for user authentication using the WebUI.

That's already possible with a webui policy: set login_mode to
'privacyIDEA'. I use that for my admin realm (but not with U2F tokens).

Jochen

--
This space is intentionally left blank.

cornelius.koelbel

Apr 7, 2017, 2:41:31 AM
to privacyidea
You are mixing things up.

"Your OTP:" is a prompt you can configure in the PAM module.

Kind regards
Cornelius 



Cornelius Kölbel 
+49 151 2960 1417


--
Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.
 
For professional services and consultancy regarding two factor authentication please visit
https://netknights.it/en/leistungen/one-time-services/
 
In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/
---
You received this message because you are subscribed to a topic in the Google Groups "privacyidea" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/privacyidea/xF77-4xK0Xc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/8b70b61d-6431-4435-9905-aae4c7b55b74%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

cornelius.koelbel

Apr 7, 2017, 2:45:26 AM
to Jochen Hein, iamo...@gmail.com, privacyidea
Hi Jochen,

Thanks for pointing this out. 
Maybe Jojo can take a look if this can be integrated into the PI PAM module.

I do not like this a lot, since most of the U2F tokens are preseeded with a master key. This is why I personally do not like to use them.

Kind regards 
Cornelius 



Cornelius Kölbel 
+49 151 2960 1417


iamo...@gmail.com

Apr 7, 2017, 5:32:31 AM
to privacyidea, iamo...@gmail.com
Hi Jochen,

unfortunately, the pam-u2f by Yubico doesn't support remote SSH. It functions locally only... It does have a patch which enables this feature, but it is not integrated in the newest release of OpenSSH.

https://github.com/Yubico/pam-u2f/issues/12
https://github.com/Yubico/pam-u2f/issues/35

I've already tried this and I think this would not be our solution unless OpenSSH integrates U2F authentication in the service.


Best regards,
Jojo

iamo...@gmail.com

Apr 7, 2017, 6:01:16 AM
to privacyidea

First of all, thanks, and your product has a lot of potential. With regards to the prompting: what I mean here is the default prompt when you don't have the parameter "prompt=any_prompt_you_want" in the PAM module. The problem here is that it still prompts the default prompt (which is "Your OTP: ") even though I only have an SMS token.

On the Terminal:
ssh 2fa...@2fa-server.domain.de
Password:
Warning: Your password will expire in 176 days on Sun Oct  1 00:59:58 2017
Your OTP:
Enter the OTP from the SMS:

After I press Return/Enter without typing anything after the "Your OTP:", that is when "Enter the OTP from the SMS" is prompted. This part is a little

Here is my PAM config:

auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    requisite                       pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth    required                       pam_permit.so

Tokens available and disabled: please see the attached photo.




> If the user has several tokens, like HOTP or TOTP, the user simply **uses** one of his tokens, and privacyIDEA will realize which one it was.


This is what I am talking about... If the user has many available tokens, the module should be able to provide a handling option as to which token should be used. If, for example, user-x forgot his phone but has 3 available tokens, he can choose to use 1 of those and authenticate using the chosen token. This handling should be (in my opinion) provided upon the authentication request against the PI server.


Best regards,
Jojo
tokens.png

cornelius.koelbel

Apr 7, 2017, 7:48:16 AM
to privacyidea

Please try to understand the concept and workflow of challenge-response tokens.

The great thing about privacyidea is that it is all open source and you can enhance it to your needs.

We are looking forward to your pull requests.

Kind regards 
Cornelius 




Cornelius Kölbel 
+49 151 2960 1417


Jochen Hein

Apr 7, 2017, 12:41:36 PM
to iamo...@gmail.com, privacyidea
iamo...@gmail.com writes:

> to the prompting.. Here what i mean is the the default prompt when you dont
> have the parameter "prompt=any_prompt_you_want" in the PAM module. The
> problem here is that it still prompts the default prompt (which is Your
> OTP: ) eventhough i only have a SMS Token.
>
> On the Terminal:
> ssh 2fa...@2fa-server.domain.de
> Password:

Is this from pam_krb5?

> Warning: Your password will expire in 176 days on Sun Oct 1 00:59:58 2017
> Your OTP:

This is a prompt I know from my FreeIPA installation for a kinit as a
user that has a token/radius authentication assigned on older systems.
My best guess is some confusion in the pam/sshd configuration. Maybe
you should only use privacyidea in your pam configuration?

SSH/PAM can be configured very flexibly, but you need to think carefully
about the flow through the configuration.

First, have a look at /etc/ssh/sshd_config and AuthenticationMethods
(see the manual for details). I have:

> Match Group otpusers
> AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam

There are two possible paths to authentication defined for OTP users:
1. Iff the user has a valid kerberos ticket, access is granted. No OTP,
no password.
2. Otherwise we need an ssh-key *and* refer to pam for authentication
(here: an OTP).

In my /etc/pam.d/ssh I have before @common-auth:

> auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
> auth sufficient pam_yubico.so [...]

So OTP users must provide their OTP. You can/will use privacyidea's pam
module here, right?

I think you need to use pam/privacyidea instead of pam_krb5.

Jochen Hein

Apr 8, 2017, 1:19:00 AM
to iamo...@gmail.com, privacyidea
iamo...@gmail.com writes:

> Here is my PAM config:
> auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> try_first_pass
> auth [success=1 default=ignore] pam_sss.so use_first_pass

I'd also suggest dropping pam_krb5 and using the kerberos provider from
sssd. Please see "man sssd-krb5" - you'll get offline authentication
when your auth server is not available.

iamo...@gmail.com

Apr 8, 2017, 11:04:56 AM
to privacyidea, iamo...@gmail.com
Hi Jochen,



> to the prompting.. Here what i mean is the the default prompt when you dont
> have the parameter "prompt=any_prompt_you_want" in the PAM module. The
> problem here is that it still prompts the default prompt (which is Your
> OTP: ) eventhough i only have a SMS Token.
>
> On the Terminal:
> ssh 2fa...@2fa-server.domain.de
> Password:

> Is this from pam_krb5?

> Warning: Your password will expire in 176 days on Sun Oct  1 00:59:58 2017
 
Yes, up to this point, but the "Your OTP:" does not belong to pam_krb5.so. The warning message can actually be turned off using the pam_sss.so module with "pam_pwd_expiration_warning = N" in the sssd.conf file instead of pam_krb5.so.
 
> Your OTP:

> This is a prompt I know from my FreeIPA installation for a kinit as a
> user that has a token/radius authentication assigned on older systems.
> My best guess is some confusion in the pam/sshd configuration. Maybe
> you should only use privacyidea in your pam configuration?
>
> SSH/PAM can be configured very flexibly, but you need to think carefully
> about the flow through the configuration.

> Match Group 
>    AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam
 

Yes, I also have this in my sshd_config, but I'm forcing all users except root to do keyboard-interactive:pam. This is to always let PAM handle the authentication against Kerberos even if the user has a krb5 ticket. In this way, even if GSSAPIAuthentication is enabled, if the user is not root he will still have to follow the PAM stack in this order:

1- authenticate with kerberos
2- if successful, do second authentication against the privacyidea server
3- if successful, create session for user

In my sshd_config:

Match User !root Address 192.168.x.x
    AuthenticationMethods keyboard-interactive:pam

> There are two possible paths to authentication defined for OTP users:
> 1. Iff the user has a valid kerberos ticket, access is granted. No OTP,
>    no password.
> 2. Otherwise we need an ssh-key *and* refer to pam for authentication
>    (here: an OTP).
>
> In my /etc/pam.d/ssh I have before @common-auth:
>
>> auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
>> auth sufficient pam_yubico.so [...]
>
> So OTP users must provide their OTP. You can/will use privacyidea's pam
> module here, right?
>
> I think you need to use pam/privacyidea instead of pam_krb5.

Since I am using LDAP as my userstore, I don't need an additional group for the OTP users. Instead, I just use the privacyIDEA WebUI to let users enroll/manage their token(s).

I've been trying different configurations using the event handlers + policy + pam_succeed_if to somehow provide an option for the SSH user to choose which token to use if he has multiple tokens available, just like a dropdown list of tokens to use if it were a WebUI-based login. Somewhat like what Google does, but only in the terminal? I'm not that well versed in Python, but I'll try to look at the PI_pam.py and maybe come up with ideas.

Thanks for your help and ideas!


Sincerely,
Jojo

iamo...@gmail.com

Apr 8, 2017, 11:15:40 AM
to privacyidea, iamo...@gmail.com
Oh! BTW, you're right, it's a little redundant. I actually had this since I was using a test machine with krb5 already configured through sssd and left it that way. I changed it to:

auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=ok default=1]          pam_sss.so use_first_pass
auth    [success=1 default=ignore]      pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth    required                        pam_deny.so
auth    required                        pam_permit.so

The first auth line handles local accounts, the second handles accounts in the LDAP/krb5 environment.
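Jochen's advice above to "think carefully about the flow through the configuration" is easiest to follow by tracing the stack mechanically. The following is an added example, not code from this thread, from Linux-PAM or from privacyIDEA: a small walker for the `auth` control semantics these stacks use (`[success=N]` jumps, `ok`/`bad`/`die`/`done`/`ignore`, and the `required`/`requisite`/`sufficient` keywords as Linux-PAM documents them in bracket form). It parses the first post's common-auth and the final stack just above (with the module file spelled privacyidea_pam.py as in the earlier posts), and the per-module outcomes for each kind of login are constructed inputs. The trace shows which modules each login actually passes through: for the final stack, an LDAP user goes pam_sss -> pam_python -> pam_permit, a wrong OTP lands on pam_deny, and a pam_unix success jumps three entries ahead straight to pam_permit, so local accounts never reach the privacyIDEA module. Modelling PAM_IGNORE returns and `new_authtok_reqd` is left out; modules here return only success or failure.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SUCCESS, AUTH_ERR = "success", "auth_err"

# Keyword controls in the bracket form Linux-PAM's pam.conf(5) gives for them
# (PAM_IGNORE / new_authtok_reqd are not modelled in this example).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


@dataclass
class Entry:
    module: str
    control: Dict[str, object]


def parse_stack(text: str) -> List[Entry]:
    """Parse 'auth <control> <module> [args...]' lines; comments and other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != "auth":
            continue
        if parts[1].startswith("["):
            # Bracket syntax may span several whitespace-separated tokens: [success=3 default=ignore]
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control: Dict[str, object] = {}
            for kv in " ".join(parts[1:end + 1]).strip("[]").split():
                key, val = kv.split("=", 1)
                control[key] = int(val) if val.isdigit() else val
            module = parts[end + 1]
        else:
            control, module = dict(KEYWORDS[parts[1]]), parts[2]
        entries.append(Entry(module, control))
    return entries


def run_stack(entries: List[Entry], outcomes: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the stack. `outcomes` maps each real module to what it returns for this login;
    pam_permit always succeeds and pam_deny always fails. Returns (stack result, trace of
    the modules actually invoked). An undecided stack is a denial, as in Linux-PAM."""
    impression = None
    trace: List[Tuple[str, str]] = []
    i = 0
    while i < len(entries):
        e = entries[i]
        ret = {"pam_permit.so": SUCCESS, "pam_deny.so": AUTH_ERR}.get(e.module) or outcomes[e.module]
        trace.append((e.module, ret))
        # An unspecified return value falls back to 'default', and a missing default is 'bad'.
        action = e.control.get("success" if ret == SUCCESS else "default", "bad")
        if isinstance(action, int):
            i += action + 1          # [success=N]: skip the next N entries, contributes nothing
            continue
        if action in ("ok", "done"):
            if impression != AUTH_ERR:   # 'ok' never overrides an earlier failure
                impression = ret
            if action == "done" and impression == SUCCESS:
                break                    # 'sufficient' success with no prior failure ends the stack
        elif action in ("bad", "die"):
            impression = AUTH_ERR
            if action == "die":
                break                    # 'requisite' failure ends the stack at once
        # "ignore": the return does not contribute; just move on
        i += 1
    return (impression or AUTH_ERR), trace


def called(trace: List[Tuple[str, str]]) -> List[str]:
    return [module for module, _ in trace]


# The common-auth from the first post of the thread.
ORIGINAL_STACK = """
auth    [success=3 default=ignore]      pam_krb5.so minimum_uid=1000
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug
auth    required                        pam_permit.so
"""

# The stack from the last post (pam_krb5 dropped, sssd handles Kerberos).
FINAL_STACK = """
auth    [success=3 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=ok default=1]          pam_sss.so use_first_pass
auth    [success=1 default=ignore]      pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth    required                        pam_deny.so
auth    required                        pam_permit.so
"""

if __name__ == "__main__":
    final = parse_stack(FINAL_STACK)
    # Constructed per-module outcomes for three kinds of login attempt.
    for label, outcomes in [
        ("ldap user, good password, good OTP", {"pam_unix.so": AUTH_ERR, "pam_sss.so": SUCCESS, "pam_python.so": SUCCESS}),
        ("ldap user, good password, bad OTP",  {"pam_unix.so": AUTH_ERR, "pam_sss.so": SUCCESS, "pam_python.so": AUTH_ERR}),
        ("local user in /etc/shadow",          {"pam_unix.so": SUCCESS, "pam_sss.so": AUTH_ERR, "pam_python.so": SUCCESS}),
    ]:
        result, trace = run_stack(final, outcomes)
        print(f"{label}: {result}; modules called: {called(trace)}")
```

Run it against a stack before deploying: the question to ask of every success jump is which entry it lands on, and whether every path that reaches pam_permit has passed the second factor.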