Problem setting up OTP in SSH login


Harvey Chang

Jun 24, 2016, 2:44:17 AM
to privacyidea
Dear all

I'm trying to set up privacyIDEA OTP authentication for SSH login.
The problem is the PAM setting:

1. If I just paste the code below into pam.d/sshd and mask the include of common-auth, it does not work.
#@include common-auth
auth    sufficient      pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication

2. If I use the setting below in common-auth, it works, but it also checks the user password.
auth   sufficient      pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
auth   sufficient      pam_unix.so nullok_secure

auth    requisite      pam_deny.so
auth    required       pam_permit.so
auth    optional       pam_ecryptfs.so unwrap
auth    optional       pam_cap.so  

3. If I mask line two or swap the order of lines one and two, it does not work.
------------------------ not work ---------------------------------
auth   sufficient      pam_unix.so nullok_secure
auth   sufficient      pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
------------------------ not work ---------------------------------
auth   [success=1 default=ignore]      pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
auth   sufficient      pam_unix.so nullok_secure
------------------------ not work ---------------------------------
auth   sufficient      pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
#auth   sufficient      pam_unix.so nullok_secure

Can anybody tell me the correct setting if I only want to use OTP authentication, without password checking?

Harvey



Cornelius Kölbel

Jun 24, 2016, 6:23:18 AM
to priva...@googlegroups.com
Hello Harvey,

Usually I create a copy of common-auth:

cp /etc/pam.d/common-auth /etc/pam.d/otp-auth

Then I replace the pam_unix line with the privacyIDEA line...

Check the /var/log/secure log to tell us more than "it will not
work" ;-)

(Probably it is your SSL certificate and the missing hostname)

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
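A worked version of Cornelius's recipe, added here as an example; it is not code from the thread or from privacyIDEA. It builds otp-auth from a copy of common-auth (keeping the control field of the replaced pam_unix line), switches pam.d/sshd over to the new file, and checks the resulting auth stack. The hostname privacyidea.example, the PI_URL variable and the SRC/DST arguments are placeholders introduced here; the module path and the prompt= option are taken from Harvey's lines. Two PAM points are worth noting about the variants posted above, independent of the TLS problem found later in the thread: two `sufficient` lines in a row (the variant that "works") make OTP and password an either/or, so a password alone still logs in, and the `[success=1 default=ignore]` jump in Debian's common-auth is sized to skip exactly the pam_deny line that follows it; in the variant where pam_unix sits between the privacyIDEA line and pam_deny, a correct OTP skips pam_unix and lands on pam_deny.

```shell
#!/bin/sh
# Added example (not from the thread, not privacyIDEA's own tooling): build the
# OTP-only PAM stack from a copy of common-auth. PI_URL, privacyidea.example and
# the SRC/DST arguments are placeholders so this can run on copies, not /etc/pam.d.
set -eu

# Use the name on the server certificate here, not a bare IP address.
PI_URL=${PI_URL:-https://privacyidea.example}
PI_LINE="pam_python.so /lib/security/privacyidea_pam.py url=$PI_URL prompt=privacyIDEA_Authentication"

# otp-auth = common-auth with the pam_unix auth line replaced by privacyIDEA.
# The control field (e.g. "[success=1 default=ignore]", which contains a space)
# is kept, so the jump over pam_deny onto pam_permit still lands where it should.
build_otp_auth() {
    src=$1 dst=$2
    awk -v repl="$PI_LINE" '
        $1 == "auth" && /pam_unix\.so/ { sub(/pam_unix\.so.*$/, repl) }
        { print }
    ' "$src" > "$dst"
}

# pam.d/sshd: pull in otp-auth instead of common-auth.
switch_sshd_include() {
    src=$1 dst=$2
    sed -E 's/^@include[[:space:]]+common-auth[[:space:]]*$/@include otp-auth/' "$src" > "$dst"
}

# Sanity check of an auth stack: privacyIDEA present, no password module left,
# and pam_deny still in place so a failed or erroring module denies the login
# instead of falling through. Returns 0 when all three hold.
otp_only_stack() {
    f=$1
    grep -Eq '^auth[[:space:]].*privacyidea_pam\.py' "$f" || return 1
    if grep -Eq '^auth[[:space:]].*pam_unix\.so' "$f"; then return 1; fi
    grep -Eq '^auth[[:space:]]+requisite[[:space:]]+pam_deny\.so' "$f" || return 1
}

# Demo on a constructed copy of Debian's stock common-auth (not Harvey's edited one).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/common-auth" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so
EOF
printf '@include common-auth\naccount    required     pam_nologin.so\n@include common-account\n' > "$work/sshd"

build_otp_auth "$work/common-auth" "$work/otp-auth"
switch_sshd_include "$work/sshd" "$work/sshd.new"
otp_only_stack "$work/otp-auth" && echo "otp-auth: OTP-only auth stack, fail-closed"
cat "$work/otp-auth" "$work/sshd.new"
```

Run it as root with the real paths (`build_otp_auth /etc/pam.d/common-auth /etc/pam.d/otp-auth`, then `switch_sshd_include` on a copy of /etc/pam.d/sshd that you move into place) and keep a second SSH session open while testing, since a broken auth stack locks you out. The privacyIDEA prompt only appears through keyboard-interactive authentication, so sshd needs `UsePAM yes` and challenge-response (keyboard-interactive) authentication enabled.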



Harvey Chang

Jul 1, 2016, 3:31:55 AM
to privacyidea
Hi Cornelius

Thanks for your reply. I still have not succeeded. Below is the log;
I don't really know what is happening.

----------------------------------------------------------------------------------------------------------------------
Jul  1 15:24:22 raspberrypi sshd: Traceback (most recent call last):
  File "/lib/security/privacyidea_pam.py", line 274, in pam_sm_authenticate
    rval = Auth.authenticate(pamh.authtok)
  File "/lib/security/privacyidea_pam.py", line 111, in authenticate
    json_response = self.make_request(data)
  File "/lib/security/privacyidea_pam.py", line 85, in make_request
    verify=self.sslverify)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
SSLError: <unprintable SSLError object>
Jul  1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: Traceback (most recent call last):
Jul  1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:   File "/lib/security/privacyidea_pam.py", line 288, in pam_sm_authenticate
Jul  1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:     syslog.syslog(syslog.LOG_ERR, "%s: %s" % (__name__, exx))
Jul  1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: TypeError: __str__ returned non-string (type Error)
Jul  1 15:24:29 raspberrypi sshd[2389]: Accepted keyboard-interactive/pam for pi from 172.16.8.42 port 48571 ssh2
Jul  1 15:24:29 raspberrypi sshd[2389]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jul  1 15:24:29 raspberrypi systemd-logind[548]: New session c5 of user pi.
Jul  1 15:24:32 raspberrypi sshd[2412]: Received disconnect from 172.16.8.42: 11: disconnected by user
Jul  1 15:24:32 raspberrypi sshd[2389]: pam_unix(sshd:session): session closed for user pi
Jul  1 15:24:32 raspberrypi systemd-logind[548]: Removed session c5.
----------------------------------------------------------------------------------------------------------------------

I already tested that the privacyidea-authorizedkeys command works.
------------------------------------------------------------------
root@raspberrypi:/etc/pam.d# privacyidea-authorizedkeys pi
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
  InsecureRequestWarning)
ssh-rsa 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 harvey-chang@harveychang-VirtualBox

Cornelius Kölbel

Jul 1, 2016, 9:31:46 AM
to priva...@googlegroups.com
Hi Harvey,
you have a problem with your SSL certificate.
The SSH server needs to trust privacyIDEA's certificate.

You can see this in the log (SSLError), and the output of
privacyidea-authorizedkeys is not OK either! It should only output the keys,
not the error message.

As a temporary TESTING!!!! solution you can use nosslcheck=True.

Please read:
http://privacyidea.readthedocs.io/en/latest/machines/index.html?highlight=privacyidea-authorizedkeys#ssh

Kind regards
Cornelius
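To make the SSLError concrete, here is an added example (mine, not from the thread or from privacyIDEA) that builds a throwaway CA with openssl and reproduces the two ways the certificate check fails, plus the configuration that passes. privacyidea.example is a placeholder hostname; 172.16.8.75 is the address from Harvey's url= option. Trusting the CA is only half of the fix: url=https://172.16.8.75 makes the client match an IP literal against the certificate, and a certificate issued for a hostname carries no IP address, so on the SSH host the CA that issued the privacyIDEA certificate has to be installed into the trust store the Python requests library uses (on Debian derivatives typically by dropping it into /usr/local/share/ca-certificates/ and running update-ca-certificates) and url= has to name the host as it appears on the certificate. nosslcheck=True skips the check entirely, which means anyone who can redirect the SSH host's traffic can answer on the privacyIDEA server's behalf; that is why it stays a testing switch. Note also the line `Accepted keyboard-interactive/pam for pi` seven seconds after the traceback in Harvey's log: the login still succeeded, presumably through the pam_unix fallback of the common-auth variant that "works", so an unreachable or untrusted privacyIDEA server silently degraded the login to password-only.

```shell
#!/bin/sh
# Added example (not part of the thread or of privacyIDEA): reproduce, with a
# constructed throwaway PKI, the two trust failures behind the SSLError above,
# then the setting that passes. privacyidea.example is a placeholder hostname.
set -eu

# Build a constructed test PKI in $1: a private CA and a server certificate
# whose only SAN is DNS:privacyidea.example (no IP SAN, like most real certs).
make_test_pki() {
    dir=$1
    # Private CA, self-signed and explicitly marked CA:TRUE so every OpenSSL
    # version accepts it as a trust anchor.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example privacyIDEA CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Server certificate for the privacyIDEA host, issued by that CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=privacyidea.example" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:privacyidea.example\n' > "$dir/server.ext"
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check a server certificate the way a TLS client such as requests does: it must
# chain to a trusted CA ($1; empty means only the system store) and its SAN must
# match what the client connected to ($3, an IP literal or a DNS name).
# Returns 0 when a verifying client would accept the certificate.
pi_cert_check() {
    ca=$1 cert=$2 name=$3
    case $name in
        *[!0-9.]*) nameopt=-verify_hostname ;;   # a DNS name
        *)         nameopt=-verify_ip ;;         # a dotted IPv4 literal, as in url=https://172.16.8.75
    esac
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$nameopt" "$name" "$cert" >/dev/null 2>&1
    else
        openssl verify "$nameopt" "$name" "$cert" >/dev/null 2>&1
    fi
}

# Demo: the three situations from the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_pki "$tmp"

report() {
    if pi_cert_check "$1" "$tmp/server.crt" "$2"; then echo "accepted: $3"; else echo "rejected: $3"; fi
}
report ""            privacyidea.example "CA not trusted by the SSH host (the SSLError in the log)"
report "$tmp/ca.crt" 172.16.8.75         "CA trusted, but url= uses an IP the certificate does not name"
report "$tmp/ca.crt" privacyidea.example "CA trusted and url= uses the hostname on the certificate"
```

Against the real server, the same check is `openssl s_client -connect privacyidea.example:443 -verify_hostname privacyidea.example -CAfile /path/to/ca.crt`; "Verify return code: 0 (ok)" there means the PAM module will also be satisfied once the CA is in the system store and url= uses that hostname.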