First, you need to verify that your Kerberos libraries support OTP. I believe it requires
Kerberos 1.12 or later.
Second, you need to verify that your IPA supports kinit -n. Current versions do, but it’s
only been like the last year. It also requires your client system to be set up to use it.
I think ipa_install will do that, but otherwise you’ll have to set up an appropriate
certificate.
If you have a recent Kerberos library but your server doesn’t support kinit -n then you’ll
need to use a key table to generate the credentials used to armor the request.
My preference is to use sssd with pam_sssd. That will work for CentOS 7, but not 6, and
for fairly recent versions of Ubuntu.
Otherwise, assuming the preconditions are true, then pam_krb5 should work. Depending upon
version, you need to turn on armor and either specify pkinit (if kinit -n works on your
system) or a key table, e.g. /etc/krb5.keytab. You might find Russ Allbery’s version of
pam_krb5 useful here,
https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html. In
that version, it looks like anon_fast will work if “kinit -n” works, otherwise
fast_ccache=<ccache_name>. You can use k5start pointing to some key table to create
and maintain the cache.
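The reply above comes down to one configuration property: an OTP principal can only complete pre-authentication inside a FAST tunnel, so every pam_krb5 auth line on the client has to name its armor (anon_fast when anonymous PKINIT works, fast_ccache=<ccache> when a keytab-backed cache is maintained instead). The following is an added example, not code from the thread, FreeIPA or pam-krb5: a small audit script that parses a PAM stack file and reports which pam_krb5 auth entries would send an unarmored request. The sample stacks for the `pluto` service are constructed here; the claim that pam_sss lines delegate FAST handling to sssd.conf's krb5_use_fast setting is an assumption of this example, not something the thread states.

```python
"""Audit a PAM stack for pam_krb5 auth entries that lack FAST armor.

An OTP-enabled Kerberos principal needs a FAST-armored AS-REQ; a pam_krb5
line without anon_fast or fast_ccache=... produces exactly the
"Additional pre-authentication required" / "Preauthentication failed"
pair seen on the KDC. (Added example; sample stacks are constructed.)
"""
import re
from dataclasses import dataclass, field

# Constructed example stacks for /etc/pam.d/pluto (not from the thread).
UNARMORED_STACK = """\
# pluto: password-only principals work, OTP principals fail at preauth
auth     required   pam_krb5.so
account  required   pam_krb5.so
"""

ANON_FAST_STACK = """\
# pluto: anonymous PKINIT armor (requires a working 'kinit -n' on the client)
auth     required   pam_krb5.so anon_fast
account  required   pam_krb5.so
"""

KEYTAB_ARMOR_STACK = """\
# pluto: armor cache kept fresh by k5start from /etc/krb5.keytab
auth     [success=done default=die]   pam_krb5.so fast_ccache=/var/run/armor.cc
auth     required   pam_sss.so
account  required   pam_krb5.so
"""

# Matches: [-]type  control-or-[bracketed control]  module  args...
_PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    service_type: str          # auth, account, password, session
    control: str               # required, sufficient, [success=done ...]
    module: str                # pam_krb5.so, /lib/security/pam_sss.so, ...
    args: list = field(default_factory=list)


def parse_pam_stack(text):
    """Parse pam.d-style lines, dropping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PAM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        stype, control, module, rest = m.groups()
        entries.append(PamEntry(stype.lstrip("-"), control, module, rest.split()))
    return entries


def fast_armor(entry):
    """Return the armor option on a pam_krb5 entry, or None if there is none."""
    for arg in entry.args:
        if arg == "anon_fast":
            return "anon_fast"
        if arg.startswith("fast_ccache="):
            return arg
    return None


def audit(text):
    """Return (module, status, detail) tuples for the auth entries of a stack."""
    findings = []
    for entry in parse_pam_stack(text):
        if entry.service_type != "auth":
            continue
        if entry.module.endswith("pam_krb5.so"):
            armor = fast_armor(entry)
            if armor is None:
                findings.append(("pam_krb5", "MISSING",
                                 "no FAST armor: OTP principals fail preauth"))
            else:
                findings.append(("pam_krb5", "OK", f"armored via {armor}"))
        elif entry.module.endswith("pam_sss.so"):
            # Assumption: sssd negotiates FAST itself (krb5_use_fast in sssd.conf).
            findings.append(("pam_sss", "OK",
                             "FAST handled by sssd; check krb5_use_fast in sssd.conf"))
    return findings


if __name__ == "__main__":
    for name, stack in [("unarmored", UNARMORED_STACK),
                        ("anon_fast", ANON_FAST_STACK),
                        ("keytab armor", KEYTAB_ARMOR_STACK)]:
        print(f"== {name} ==")
        for module, status, detail in audit(stack):
            print(f"  {module:9} {status:8} {detail}")
```

The parser accepts the bracketed control syntax (`[success=done default=die]`) and optional-module prefixes (`-auth`), so it can be pointed at a real `/etc/pam.d/<service>` file; a MISSING finding for the service in question (here `pluto`) is the configuration gap the reply describes, and the fix is the armor option the reply names, plus a k5start-maintained cache when fast_ccache is the route taken.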
On Jan 3, 2019, at 3:26 PM, Brian Topping via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
wrote:
Hi all, happy 2019!
Any thoughts on this? Docs would be welcome as well.
Thanks!! Brian
On Dec 30, 2018, at 8:17 AM, Brian Topping
<brian.topping@gmail.com> wrote:
Hi all, I hope this is the best place to ask this, please let me know if not.
I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a
non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP
account by logging into the node with SSH and the OTP user and it works fine, so I know
both that the token works and that the client configuration is correct. I’ve tried a
few different PAM stacks to see if I could get around this, including the sshd stack to no
avail. In all cases, the FreeIPA server logs state `Additional pre-authentication
required` and then `Preauthentication failed`.
Preauthentication makes sense, I just don’t understand why sshd works fine with both
password factors concatenated in the first factor and libreswan (and xl2tpd when I was
testing it) both fail with preauth issues. What am I missing? Are there good docs on this
somewhere? [1] was the best I could come up with and it seems to be out-of-date (pam_sss
takes different parameters for some of the same functions in the final form).
Cheers! Brian
[1]
https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org