I have set up an OpenOTP server on CentOS 5.x 32-bit in ldapotp mode. In the test user login it shows "Authentication Success", but SSH is not working on a CentOS 5.x 32-bit machine. Below are the logs I am getting in /var/log/secure. This is happening with both ldapotp and otp mode.
Nov 24 15:20:17 localhost sshd[3089]: pam_openotp: Invalid PAM user ankush
Nov 24 15:20:17 localhost sshd[3087]: error: PAM: Permission denied for illegal user ankush from ubuntu-2.sy.com
Nov 24 15:20:17 localhost sshd[3087]: Failed keyboard-interactive/pam for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:17 localhost sshd[3088]: Postponed keyboard-interactive for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:23 localhost sshd[3090]: pam_openotp: Invalid PAM user ankush
Nov 24 15:20:23 localhost sshd[3087]: error: PAM: Permission denied for illegal user ankush from ubuntu-2.sy.com
Nov 24 15:20:23 localhost sshd[3087]: Failed keyboard-interactive/pam for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:23 localhost sshd[3088]: Postponed keyboard-interactive for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:35 localhost sshd[3091]: pam_openotp: Invalid PAM user ankush
Nov 24 15:20:35 localhost sshd[3087]: error: PAM: Permission denied for illegal user ankush from ubuntu-2.synapse.com
Nov 24 15:20:35 localhost sshd[3087]: Failed keyboard-interactive/pam for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:41 localhost sshd[3087]: pam_openotp: Invalid PAM user ankush
Nov 24 15:20:41 localhost sshd[3087]: Failed password for invalid user ankush from 172.31.2.91 port 36103 ssh2
/etc/pam.d/sshd file
auth sufficient pam_openotp.so server_url="http://172.31.2.139:8080/openotp/" client_id="SSH" default_domain="ANKUSH" password_mode=2
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
/etc/ssh/sshd_config has ChallengeResponseAuthentication yes, PasswordAuthentication yes and UsePAM yes
ls -l /usr/lib/libopenotp*
-rw-r--r-- 1 root root 146602 Nov 24 13:37 /usr/lib/libopenotp.a
lrwxrwxrwx 1 root root 19 Nov 24 13:38 /usr/lib/libopenotp.so -> libopenotp.so.1.0.3
lrwxrwxrwx 1 root root 19 Nov 24 13:38 /usr/lib/libopenotp.so.1 -> libopenotp.so.1.0.3
-rwxr-xr-x 1 root root 115633 Nov 24 13:37 /usr/lib/libopenotp.so.1.0.3
ls -l /lib/security/pam_open*
-rwxr-xr-x 1 root root 3356831 Nov 24 15:06 /lib/security/pam_openotp.so
Please let me know what I am doing wrong.
Regards
Ankush
So 2 solutions for you:
1) You set up PAM-LDAP and configure /etc/ldap.conf so that the LDAP users are valid in your Linux system.
If you do that, you must a) configure PAM-LDAP and bind it to the OpenOTP LDAP backend and b) add the posixAccount extension to the WebADM users so that they are usable in Linux (with homedir, loginshell, etc. like in /etc/passwd).
2) You create local users in /etc/passwd with the same uid as the WebADM users.
So SSH and PAM will
- check the user in LDAP or /etc/passwd.
- authenticate the user via OpenOTP calls.
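As an added example (written for this page, not RCDevs' code and not part of the thread), here is a small Python triage over /var/log/secure lines that isolates the symptom from the first post: users sshd rejected as "Invalid PAM user" / "invalid user" before OpenOTP was ever able to vouch for them, which is the "user must exist in /etc/passwd or be resolvable through PAM-LDAP" point made above. For each flagged user it also asks NSS whether the account resolves now; the `lookup` parameter defaults to `pwd.getpwnam` and can be swapped for a fake, which is an assumption of this example. It separately counts lines where pam_openotp reported success but sshd still logged "PAM: Authentication failure", since that pattern points at the PAM stack rather than at the account. The sample log lines are constructed from the excerpts posted earlier in the thread.

```python
"""Triage pam_openotp / sshd messages from /var/log/secure.

Added example for this thread, not RCDevs' code. Two failure classes are
separated:
  * "unknown user": sshd/pam_openotp rejected the name before OTP
    validation, so the account is missing from /etc/passwd or NSS/LDAP;
  * "module ok, PAM failed": pam_openotp accepted the OTP but the PAM
    stack as a whole still returned failure (a control-flag problem).
"""
import re
from collections import defaultdict

try:
    import pwd
    _default_lookup = pwd.getpwnam          # real NSS lookup on Unix hosts
except ImportError:                         # non-Unix host: nothing to ask
    def _default_lookup(name):
        raise KeyError(name)

# Constructed sample, copied from the log excerpts posted in this thread.
SAMPLE_LOG = """\
Nov 24 15:20:17 localhost sshd[3089]: pam_openotp: Invalid PAM user ankush
Nov 24 15:20:17 localhost sshd[3087]: error: PAM: Permission denied for illegal user ankush from ubuntu-2.sy.com
Nov 24 15:20:17 localhost sshd[3087]: Failed keyboard-interactive/pam for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 24 15:20:41 localhost sshd[3087]: Failed password for invalid user ankush from 172.31.2.91 port 36103 ssh2
Nov 25 15:36:02 localhost sshd[12069]: pam_openotp: Authentication succeeded for user ankush
Nov 25 15:36:02 localhost sshd[12067]: error: PAM: Authentication failure for ankush from ubuntu-2.sy.com
"""

# Either pam_openotp's own message or sshd's "illegal/invalid user X from Y".
UNKNOWN_USER = re.compile(
    r"pam_openotp: Invalid PAM user (\S+)"
    r"|(?:illegal|invalid) user (\S+) from (\S+)")
MODULE_OK = re.compile(r"pam_openotp: Authentication succeeded for user (\S+)")
PAM_FAIL = re.compile(r"error: PAM: Authentication failure for (\S+) from")


def nss_has_user(name, lookup=_default_lookup):
    """True when the name resolves through NSS (/etc/passwd, LDAP, ...)."""
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def triage(log_text, lookup=_default_lookup):
    """Return {user: {"unknown_user_events": n, "source_hosts": set(...),
    "module_ok_but_pam_failed": n, "resolves_now": bool}} for every user
    that appears in one of the two failure classes."""
    report = defaultdict(lambda: {"unknown_user_events": 0,
                                  "source_hosts": set(),
                                  "module_ok_but_pam_failed": 0})
    module_ok_users = set()
    for line in log_text.splitlines():
        m = UNKNOWN_USER.search(line)
        if m:
            user = m.group(1) or m.group(2)
            report[user]["unknown_user_events"] += 1
            if m.group(3):
                report[user]["source_hosts"].add(m.group(3))
            continue
        m = MODULE_OK.search(line)
        if m:
            module_ok_users.add(m.group(1))
            continue
        m = PAM_FAIL.search(line)
        if m and m.group(1) in module_ok_users:
            report[m.group(1)]["module_ok_but_pam_failed"] += 1
    for user, entry in report.items():
        entry["resolves_now"] = nss_has_user(user, lookup)
    return dict(report)


if __name__ == "__main__":
    for user, entry in triage(SAMPLE_LOG).items():
        print(user, entry)
```

A user with `unknown_user_events` > 0 and `resolves_now` False is the case the reply addresses (create the local account or make LDAP users visible to NSS); a user with `module_ok_but_pam_failed` > 0 has been accepted by OpenOTP, so the remaining problem is in the order and control flags of /etc/pam.d/sshd, not in the account.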
for example ankush,600,600,/home/ankush and /bin/bash and ankush1,601,601,/home/ankush1 and /bin/bash
/var/log/secure logs
Nov 25 15:33:35 localhost sshd[12064]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Nov 25 15:36:02 localhost sshd[12069]: pam_openotp: Authentication succeeded for user ankush
Nov 25 15:36:02 localhost sshd[12067]: error: PAM: Authentication failure for ankush from ubuntu-2.sy.com
Nov 25 15:36:09 localhost sshd[12070]: pam_openotp: Authentication failed for user ankush (Invalid username or password)
Nov 25 15:36:09 localhost sshd[12068]: Postponed keyboard-interactive for ankush from 172.31.2.87 port 42402 ssh2
Nov 25 15:36:10 localhost sshd[12068]: Connection closed by 172.31.2.87
Nov 25 15:36:39 localhost sshd[12074]: pam_openotp: Authentication succeeded for user ankush
Nov 25 15:36:39 localhost sshd[12072]: error: PAM: Authentication failure for ankush from ubuntu-2.sy.com
Nov 25 15:36:46 localhost sshd[12075]: pam_openotp: Authentication failed for user ankush (Invalid username or password)
Nov 25 15:36:46 localhost sshd[12073]: Postponed keyboard-interactive for ankush from 172.31.2.87 port 42408 ssh2
Nov 25 15:38:34 localhost sshd[12076]: error: ssh_msg_send: write
Nov 25 15:50:35 localhost groupadd[12101]: new group: name=ankush1, GID=601
Nov 25 15:50:45 localhost useradd[12106]: new user: name=ankush1, UID=601, GID=601, home=/home/ankush1, shell=/bin/bash
Nov 25 15:54:07 localhost sshd[12124]: pam_openotp: Authentication succeeded for user ankush1
Nov 25 15:54:07 localhost sshd[12122]: error: PAM: Authentication failure for ankush1 from ubuntu-2.sy.com
Nov 25 15:54:12 localhost sshd[12125]: pam_openotp: Authentication failed for user ankush1 (Invalid username or password)
Nov 25 15:54:12 localhost sshd[12123]: Postponed keyboard-interactive for ankush1 from 172.31.2.87 port 42720 ssh2
Nov 25 15:56:03 localhost sshd[12126]: error: ssh_msg_send: write
This is what I am getting while doing ssh on the client:
ankush@ubuntu-2:~/Downloads$ ssh -l ankush1 172.31.2.97
OTP Password:
OTP Password:
Invalid username or password
OTP Password:
ank...@172.31.2.97's password:
Permission denied, please try again.
In the Websrv logs:
New openotpLogin request (Ankush\ankush1)
Authentication failed (wrong TOKEN password)
From the test login, OTP is working fine for both users, but somehow SSH is not working.
/etc/pam.d/sshd file
#%PAM-1.0
auth required pam_env.so
auth required pam_openotp.so server_url="https://172.31.2.139:8443/openotp/" client_id="SSH" password_mode=2 default_domain="Ankush"
auth required pam_deny.so
account include system-auth
password include system-auth
session include system-auth
If I open the URL https://172.31.2.139:8443/openotp, I get the below message:
XML Parsing Error: no element found
Location: https://172.31.2.139:8443/openotp/
Line Number 1, Column 1:
What could be the issue?
auth sufficient pam_openotp.so server_url="https://172.31.2.139:8443/openotp/" client_id="SSH" password_mode=2 default_domain="Ankush"
> anku...@172.31.2.97's password:
> Permission denied, please try again.
>
> In the Websrv logs:
>
> New openotpLogin request (Ankush\ankush1)
> Authentication failed (wrong TOKEN password)
>
> From the test login OTP is working fine for both the users but somehow
> the ssh is not working
>
> /etc/pam.d/sshd file
> #%PAM-1.0
> auth required pam_env.so
> auth required pam_openotp.so server_url="https://172.31.2.139:8443/openotp/" client_id="SSH" password_mode=2 default_domain="Ankush"
> auth required pam_deny.so
> account include system-auth
> password include system-auth
> session include system-auth
>
> If I open the URL https://172.31.2.139:8443/openotp, I get the below
--
You received this message because you are subscribed to the Google Groups "RCDevs Security Solutions - Technical" group.
To post to this group, send email to rcdevs-t...@googlegroups.com.
To unsubscribe from this group, send email to rcdevs-technic...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rcdevs-technical?hl=en.
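To show why changing `required` to `sufficient` on the pam_openotp line is the fix for the second /etc/pam.d/sshd above, here is an added Python model of how Linux-PAM walks an auth stack. This is example code written for this page, not RCDevs' or Linux-PAM's; it supports only the four classic control flags (required, requisite, sufficient, optional), ignores the result of `optional` modules, treats any module missing from the `results` map as failing, takes each module's verdict as a boolean supplied by the caller instead of running real modules, and models the auth stage only. The three stacks it compares are the ones posted in this thread.

```python
"""Simplified evaluator for a Linux-PAM style 'auth' stack.

Added example for this thread (not RCDevs' or Linux-PAM's code). Module
verdicts are supplied by hand so the stacks from the thread can be compared
offline. Semantics modelled:
  required   - failure makes the whole stack fail, but later modules still run
  requisite  - failure ends the stack immediately with failure
  sufficient - success ends the stack with success unless an earlier
               'required' module already failed; failure is ignored
  optional   - ignored here
If no module produced a definitive result, the stack is denied.
"""


def parse_stack(text):
    """Return the (control, module) pairs of the 'auth' lines in a
    /etc/pam.d/<service> fragment; module arguments are dropped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "auth" or len(parts) < 3:
            continue
        entries.append((parts[1], parts[2]))
    return entries


def evaluate(entries, results):
    """Walk the stack. results maps module name -> True (success) / False.
    Returns (granted, trace); trace lists (control, module, ok) for every
    module that actually ran, so you can see when pam_deny.so is skipped."""
    trace = []
    required_failed = False
    saw_definitive = False
    for control, module in entries:
        ok = results.get(module, False)     # unlisted modules count as failing
        trace.append((control, module, ok))
        if control == "requisite":
            if not ok:
                return False, trace
            saw_definitive = True
        elif control == "required":
            saw_definitive = True
            if not ok:
                required_failed = True      # keep walking, but the stack fails
        elif control == "sufficient":
            if ok and not required_failed:
                return True, trace          # later modules never run
        elif control == "optional":
            pass
        else:
            raise ValueError("unsupported control flag: " + control)
    if required_failed or not saw_definitive:
        return False, trace
    return True, trace


# The three stacks posted in this thread (module arguments kept for realism).
STACK_FIRST_POST = """\
auth sufficient pam_openotp.so server_url="http://172.31.2.139:8080/openotp/" client_id="SSH" default_domain="ANKUSH" password_mode=2
"""
STACK_REQUIRED_THEN_DENY = """\
#%PAM-1.0
auth required pam_env.so
auth required pam_openotp.so server_url="https://172.31.2.139:8443/openotp/" client_id="SSH" password_mode=2 default_domain="Ankush"
auth required pam_deny.so
"""
STACK_SUFFICIENT_THEN_DENY = STACK_REQUIRED_THEN_DENY.replace(
    "auth required pam_openotp.so", "auth sufficient pam_openotp.so")


def compare_thread_stacks():
    """Evaluate each stack with OpenOTP accepting and rejecting the OTP.
    Returns {(stack_name, otp_ok): (granted, [modules that ran])}."""
    outcomes = {}
    for name, text in (("first_post", STACK_FIRST_POST),
                       ("required_then_deny", STACK_REQUIRED_THEN_DENY),
                       ("sufficient_then_deny", STACK_SUFFICIENT_THEN_DENY)):
        entries = parse_stack(text)
        for otp_ok in (True, False):
            results = {"pam_env.so": True, "pam_openotp.so": otp_ok,
                       "pam_deny.so": False}
            granted, trace = evaluate(entries, results)
            outcomes[(name, otp_ok)] = (granted, [m for _, m, _ in trace])
    return outcomes


if __name__ == "__main__":
    for key, value in compare_thread_stacks().items():
        print(key, "->", value)
```

With `required` on pam_openotp, pam_deny.so still runs and fails, so even a correct OTP ends in "PAM: Authentication failure" right after "pam_openotp: Authentication succeeded", which is exactly the pair of lines in the Nov 25 log. With `sufficient`, a successful OTP ends the stack before pam_deny.so is reached, while a wrong OTP still falls through to pam_deny.so and is refused.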