libpam_linotp without local user


andreas....@corporatequality.de

Jul 1, 2014, 11:02:46 AM
to lin...@googlegroups.com
Hi all,

I've successfully installed LinOTP 2.7 attached to my AD via LDAPS, using TOTP and mOTP tokens.

I'm trying to authenticate OpenVPN via PAM, but it's only working if the user has a local account on the OpenVPN Server. These are the only log entries on the OpenVPN Server in /var/log/auth.log:

User without account:
pam_linotp[5698]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']

Nothing more happens. Nothing on the LinOTP Server:

Same user now with local account:
pam_linotp[5698]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']
 pam_linotp[5698]: got no password in authtok - trying through conversation
pam_linotp[5698]: got password: 123456
pam_linotp[5698]: calling url https://otp.server.local/validate/simplecheck' {'realm': 'corporatequality.de', 'user': 'username', 'pass': '123456'}
pam_linotp[5698]: :-(
pam_linotp[5698]: user rejected


I only changed validate/check to validate/simplecheck.

These are my pam files on the OpenVPN Server:

common-linotp:
auth [success=1 default=ignore] pam_python.so /lib/security/pam_linotp.py debug url=https://otp.server.local/validate/simplecheck nosslhostnameverify realm= logpassword=no
auth    requisite           pam_deny.so
auth    required            pam_permit.so

openvpn:
@include common-linotp
session    sufficient pam_permit.so
account    sufficient  pam_permit.so

From my understanding no local accounts should be needed, when using "pam_permit.so"

I can't find anything wrong.

Thanks and kind regards,
Andreas

andreas....@corporatequality.de

Jul 10, 2014, 3:50:08 AM
to lin...@googlegroups.com
Hi,

did anybody get this working?

Or is there another approach to authenticate users with OTP, without having local UNIX accounts?

Thanks and kind regards,
Andreas

alext...@gmail.com

Jul 10, 2014, 4:57:32 AM
to lin...@googlegroups.com
Hi,
your configuration (pam provided here) seems fine (though I used the c implementation of pam_linotp, but this should have the same results)

I also use /validate/simplecheck

In my setting (as long as I test linotp) though attached to ldap, everything worked fine at this step.

Since you use ldaps, check the pam's "nosslhostnameverify" flag (I am using just ldap so I use both "nosslhostnameverify" and "nosslhostnameverify" flags).

Maybe you do not have the proper settings in the useridresolver?

The log you provided seems not to be the LinOTP server's log... I think this should be more helpful (e.g. if there are no records, maybe there is no connectivity between pam and linotp...). You can find it in /var/log/linotp/linotp.log (at least in my configuration...)

regards

andreas....@corporatequality.de

Jul 10, 2014, 5:24:27 AM
to lin...@googlegroups.com, alext...@gmail.com
Hi,

thanks for your answer. I tried both, the Python module and the C module. This is the output from auth.log, using the C module:

Local user exists:

pam_linotp[24719]: DEBUG: "realm: xyz.de"
pam_linotp[24719]: DEBUG: "resConf: (null)"
pam_linotp[24719]: DEBUG: "validate url: https://otpserver/validate/simplecheck"
pam_linotp[24719]: DEBUG: "prompt: Your OTP:"
pam_linotp[24719]: DEBUG: "'use_first_pass' 0 ,"
pam_linotp[24719]: DEBUG: "nosslhostnameverify 1"
pam_linotp[24719]: DEBUG: "we will not verify the hostname."
pam_linotp[24719]: DEBUG: "nosslcertverify 1"
pam_linotp[24719]: DEBUG: "found 'nosslcertverify', we will not verify the certificate."
pam_linotp[24719]: DEBUG: "got user LOCALUSER"
pam_linotp[24719]: DEBUG: "Getting password"
pam_linotp[24719]: DEBUG: "Not using OPENPAM."
pam_linotp[24719]: DEBUG: "pam_local_get_authtok"
pam_linotp[24719]: DEBUG: "pam_local_get_authtok"
pam_linotp[24719]: DEBUG: "Getting password from PAM conversation. result: 0"
pam_linotp[24719]: DEBUG: "response code: (null) "
pam_linotp[24719]: DEBUG: "End of password fetching."
pam_linotp[24719]: DEBUG: "Ok, you are debugging - here your pass: 3894398"
pam_linotp[24719]: DEBUG: "pam_linotp_validate_password"
pam_linotp[24719]: DEBUG: "user: LOCALUSER"
pam_linotp[24719]: DEBUG: "url : https://otpserver/validate/simplecheck"
pam_linotp[24719]: DEBUG: "entering linotp_create_url_params."
pam_linotp[24719]: DEBUG: "allocating 49 chars"
pam_linotp[24719]: DEBUG: "freeing escaped value for realm"
pam_linotp[24719]: DEBUG: "freeing escaped value for user"
pam_linotp[24719]: DEBUG: "freeing escaped value for pass"
pam_linotp[24719]: DEBUG: "connecting to url:https://otpserver/validate/simplecheck with parameters realm=xyz.de&user=LOCALUSER&pass=3894398"
pam_linotp[24719]: DEBUG: "result :-("
pam_linotp[24719]: INFO: "user 'LOCALUSER' rejected"
pam_linotp[24719]: DEBUG: "freeing password"
pam_linotp[24719]: INFO: "pam_linotp callback done. [Authentication failure]"

Local User does not exist:

pam_linotp[24719]: DEBUG: "realm: xyz.de"
pam_linotp[24719]: DEBUG: "resConf: (null)"
pam_linotp[24719]: DEBUG: "validate url: https://otpserver/validate/simplecheck"
pam_linotp[24719]: DEBUG: "prompt: Your OTP:"
pam_linotp[24719]: DEBUG: "'use_first_pass' 0 ,"
pam_linotp[24719]: DEBUG: "nosslhostnameverify 1"
pam_linotp[24719]: DEBUG: "we will not verify the hostname."
pam_linotp[24719]: DEBUG: "nosslcertverify 1"
pam_linotp[24719]: DEBUG: "found 'nosslcertverify', we will not verify the certificate."
pam_linotp[24719]: DEBUG: "got user NOLOCALUSER"

PAM stops with got user... and does not contact the OTP Server. That's why there is no output in the linotp.log.

I don't think that there is something wrong with the useridresolver or the LDAP connection. Every user that has a local account on the VPN Server can be authenticated.

I guess the error has to be found on the VPN Server where PAM is executed.

Could you please share your PAM configuration?

Did you change anything in your nsswitch.conf? Mine is the stock version from Debian 7.

# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


Kind regards,
Andreas

alext...@gmail.com

Jul 10, 2014, 5:34:29 AM
to lin...@googlegroups.com, alext...@gmail.com
I changed nothing in nsswitch.conf

my pam configuration is exactly as yours, but using both nosslhostnameverify and nosslhostnameverify params

I think you only watch the pam log or something... not linotp's log file.
You should check this also...

Kay Winkler

Jul 10, 2014, 5:36:15 AM
to lin...@googlegroups.com
Hi,

just looked at the source code -
and it seems that your request is sent to the
LinOTP server -

could you please try to run a

wget
"https://otpserver/validate/simplecheck?realm=xyz.de&user=LOCALUSER&pass=3894398"

and look:
- if the otpserver could be resolved - if not use the ip
- the user exists in the realm on your otpserver
- if there is an additional pin required
- if any problem with this please provide some linOTP log from
/var/log/linotp. . .


Thanks and best regards,

Kay
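Kay's manual check above, written out as a small diagnostic script. This is example code added here, not code from the thread or from the LinOTP project. It assumes the reply bodies ":-)" (accepted) and ":-(" (rejected) that the pam_linotp log lines in this thread show, assumes a ":-/" prefix for a challenge reply, and takes the base URL, realm, user and OTP from the command line; the verify_tls switch mirrors the nosslcertverify and nosslhostnameverify flags of the PAM module.

```python
"""Diagnostic for LinOTP /validate/simplecheck, following Kay's checklist:
1. can the OTP server name be resolved,
2. does the server answer the same GET that pam_linotp builds,
3. what does the answer mean.
Example code added to the thread, not part of LinOTP or pam_linotp.
"""
import socket
import ssl
import sys
import urllib.parse
import urllib.request

# Response bodies: ":-)" and ":-(" appear in the thread's pam_linotp log
# lines; the ":-/" challenge prefix is an assumption about the API.
ACCEPT = ":-)"
REJECT = ":-("
CHALLENGE = ":-/"


def build_simplecheck_url(base_url, realm, user, otp):
    """Build the GET URL that pam_linotp logs as 'connecting to url:...'.

    urlencode() escapes realm, user and pass the same way the C module
    does before it logs 'freeing escaped value for realm/user/pass'.
    """
    params = {"realm": realm, "user": user, "pass": otp}
    return (base_url.rstrip("/") + "/validate/simplecheck?"
            + urllib.parse.urlencode(params))


def interpret_simplecheck(body):
    """Map a simplecheck response body to a verdict string."""
    body = body.strip()
    if body == ACCEPT:
        return "accepted"
    if body == REJECT:
        return "rejected"
    if body.startswith(CHALLENGE):
        return "challenge"   # e.g. an additional PIN / challenge is required
    return "unexpected"      # HTML error page, proxy answer, wrong path, ...


def resolve_host(url):
    """Checklist step 1: return the resolved address of the URL's host, or None."""
    host = urllib.parse.urlsplit(url).hostname
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, TypeError):
        return None


def query_simplecheck(url, verify_tls=True, timeout=10):
    """Checklist step 2: perform the GET and return the raw body.

    verify_tls=False corresponds to the nosslcertverify and
    nosslhostnameverify options of the PAM module.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: simplecheck_diag.py BASE_URL REALM USER OTP")
    base, realm, user, otp = sys.argv[1:]
    url = build_simplecheck_url(base, realm, user, otp)
    addr = resolve_host(url)
    print("host resolves to:", addr if addr else "NOT RESOLVABLE (try the IP)")
    if addr:
        body = query_simplecheck(url, verify_tls=False)
        print("raw reply:", repr(body))
        print("verdict  :", interpret_simplecheck(body))
```

If the script reaches the server and prints a verdict while PAM still shows no request, the fault is on the PAM side, which matches the point in the thread where the module stops after "got user" for a user with no local account.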

andreas....@corporatequality.de

Jul 10, 2014, 5:52:49 AM
to lin...@googlegroups.com, alext...@gmail.com
Hi,

no, I am watching the linotp log. But if I try to authenticate a user without a local account, there is nothing in the logs.

You wrote: nosslhostnameverify and nosslhostnameverify. Maybe a typo? Which second parameter do you mean?

Kind regards,
Andreas

alext...@gmail.com

Jul 10, 2014, 6:01:27 AM
to lin...@googlegroups.com, alext...@gmail.com
>
> You wrote: nosslhostnameverify  and nosslhostnameverify. Maybe a typo? Which second parameter do you mean?
>

as far as I understand, to avoid problems with certificates you provide nosslhostnameverify and nosslcertverify params in pam (that's what the docs say and I did)

anyway, I think Kay above provided detailed steps to find the problem...

regards

andreas....@corporatequality.de

Jul 10, 2014, 6:03:01 AM
to lin...@googlegroups.com, Kay.W...@lsexperts.de, kay.w...@lsexperts.de
Hi Kay,


On Thursday, 10 July 2014 11:36:15 UTC+2, Kay Winkler wrote:
Hi,

just looked at the source code -
and it seems that your request is sent to the
LinOTP server -

could you please try to run a

wget
"https://otpserver/validate/simplecheck?realm=xyz.de&user=LOCALUSER&pass=3894398"

and look:
- if the otpserver could be resolved - if not use the ip

Yes, the FQDN can be resolved.

- the user exists in the realm on your otpserver

Yes, the user exists in the realm.

- if there is an additional pin required

There is nothing wrong with the token. I can test it via simplecheck or check. The token and the user are ok.

- if any problem with this please provide some linOTP log from
  /var/log/linotp. . .

There is nothing in the logs. PAM on the OpenVPN Server does not seem to query the LinOTP Server, if the user does not have a local UNIX account on the OpenVPN Server.
If  the user has a local UNIX account on the OpenVPN Server, everything is fine and PAM queries the LinOTP Server.

In this howto: http://www.howtoforge.com/how-to-set-up-openvpn-to-authenticate-with-linotp you can find the following passage:

<<<<<

Finally we need to edit /etc/pam.d/openvpn which should contain the following lines:

@include common-linotp 
session    sufficient pam_permit.so
account    sufficient  pam_permit.so

The session and the account use pam_permit.so, so that we do not need to create local user accounts for the VPN users on the OpenVPN Server.

>>>>>>

And this is not working for me.

Thanks and best regards,

        Kay

Thanks and kind regards,
Andreas
