Hello group,
I have just started exploring the use of LinOTP for MFA in our company.
To do a test setup, I installed LinOTP 2.11 on a RHEL server and set up another Ubuntu server with the configuration described at
https://linotp.org/howtos/howto-ssh.html for testing MFA for user login using LinOTP with our LDAP.
Some observations as follows:
1. Without the use of 'hide_otp_input', the PAM module would not send the parameters (user, pass) to the simplecheck service.
2. After adding the 'hide_otp_input' parameter in common-linotp, I see the parameters (user, pass) being passed to the simplecheck service; however, I think the pass parameter value is being encoded. This is what I see in the log: pass=%08%0A%0D%7FIN.
With the call to the simplecheck service from PAM with the parameters (user, pass), I see the linotp.log file showing the following message:
WARNI [linotp.lib.auth.finishtokens][finish_checked_tokens #114] user u'test'@u'awsad' failed to auth.
The user test is present in the realm and has a valid token assigned. This user is also present in the LDAP with an active status. LinOTP is successfully able to communicate with the LDAP (MS AD) using port 389 (without STARTTLS).
Also, if I put the following URL in the browser, I get a success (:-)) message.
With the above background, I am looking for some guidance/help in resolving the issue I am facing with authenticating a user on the test Linux box using MFA.
Thank you in advance.
Thanks and Regards,
Amit Dongaonkar
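An added example (not part of Amit's post and not LinOTP project code) showing how to reproduce the browser check from a script and how to read the encoded pass= value out of a log line: it builds a percent-encoded /validate/simplecheck query the way the browser test does, interprets the smiley bodies that simplecheck answers with, and decodes a pass= fragment copied from a log back into its raw bytes so you can see exactly what was sent. The base URL https://linotp.example.com, the realm name and the log fragment are assumptions taken from the post for illustration; the ':-)' / ':-(' / ':-/' bodies are LinOTP's documented simplecheck responses.

```python
"""Minimal LinOTP /validate/simplecheck client plus a log-fragment decoder.

Added example, not from the original post or the LinOTP project. Assumes a
LinOTP base URL such as https://linotp.example.com (hypothetical) and that
the simplecheck endpoint answers with one of ':-)', ':-(' or ':-/'.
"""
from typing import Callable, Optional
from urllib.parse import unquote_to_bytes, urlencode
from urllib.request import Request, urlopen

# Bodies returned by /validate/simplecheck (documented LinOTP behaviour).
SIMPLECHECK_RESULTS = {
    ":-)": "success",   # user authenticated (PIN+OTP accepted)
    ":-(": "failed",    # authentication rejected
    ":-/": "error",     # server-side error (e.g. realm/resolver problem)
}


def build_simplecheck_url(base_url: str, user: str, password: str,
                          realm: Optional[str] = None) -> str:
    """Build the GET URL; urlencode percent-encodes user/pass like a browser would."""
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    return f"{base_url.rstrip('/')}/validate/simplecheck?{urlencode(params)}"


def interpret_simplecheck(body: str) -> str:
    """Map the smiley body to a word; anything else is not a simplecheck answer."""
    text = body.strip()
    if text not in SIMPLECHECK_RESULTS:
        raise ValueError(f"unexpected simplecheck body: {text!r}")
    return SIMPLECHECK_RESULTS[text]


def simplecheck(base_url: str, user: str, password: str,
                realm: Optional[str] = None,
                fetch: Optional[Callable[[str], str]] = None,
                timeout: float = 10.0) -> str:
    """Call simplecheck and return 'success', 'failed' or 'error'.

    `fetch` can be injected (e.g. a stub) so the logic is testable offline.
    """
    url = build_simplecheck_url(base_url, user, password, realm)
    if fetch is None:
        def fetch(u: str) -> str:
            with urlopen(Request(u), timeout=timeout) as resp:
                return resp.read().decode("utf-8", "replace")
    return interpret_simplecheck(fetch(url))


def decode_logged_pass(log_fragment: str) -> bytes:
    """Decode the percent-encoded pass= value from a query string copied out of a log.

    unquote_to_bytes is used instead of unquote so control bytes survive verbatim.
    """
    for part in log_fragment.split("&"):
        key, _, value = part.partition("=")
        if key == "pass":
            return unquote_to_bytes(value)
    raise KeyError("no pass= parameter in fragment")


def is_printable(value: bytes) -> bool:
    """True only if every byte is printable ASCII (what a typed PIN+OTP should be)."""
    return all(0x20 <= b < 0x7F for b in value)


if __name__ == "__main__":
    # Constructed log fragment, modelled on the one quoted in the post.
    fragment = "user=test&pass=%08%0A%0D%7FIN"
    raw = decode_logged_pass(fragment)
    print(f"pass bytes: {raw!r}  printable={is_printable(raw)}")
    print(build_simplecheck_url("https://linotp.example.com", "test", "123456", "awsad"))
    # Offline run with a stubbed server answer; swap fetch=None for a live call.
    print(simplecheck("https://linotp.example.com", "test", "123456", "awsad",
                      fetch=lambda _url: ":-("))
```

Running the decoder on the quoted fragment gives the bytes 0x08 0x0A 0x0D 0x7F followed by "IN", i.e. backspace, newline, carriage return and DEL rather than printable OTP digits; comparing that against what the same script sends for a known-good PIN+OTP (which simplecheck answers with ':-)') narrows the problem to what the PAM side is putting into pass= before it reaches LinOTP.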