The purpose of suggesting pam_unix was to get a single prompt. I didn't expect pam_unix to actually authenticate your users.
I thought you had an issue with OTPs. In the newest RH/Centos, the normal pam file will prompt separately for password and OTP token. That's fine, it's ssh, but many web apps don't have the ability to prompt separately, and thus will fail.
If you set up pam to use pam_unix all the time you'll get a single prompt, which will expect password and OTP key to be on the same line. That will work with web apps. Obviously pam_unix won't understand those passwords, but it will save the password on the stack, and pam_sss will use it.
On Mar 29, 2019, at 8:28 AM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
Hello everybody,
I tried the below configuration, but I can still only authorize with pass+otp.
I assume pam_unix.so only works for local users? I only have sssd freeipa users. Is there a way to tell pam_sss.so to only use the password if --user-auth-type=otp is set?
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_succeed_if.so service in mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
Mar 29 13:19:01 workstation01 mate-screensaver-dialog: pam_succeed_if(mate-screensaver:auth): requirement "service in mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong"
Mar 29 13:19:49 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Mar 29 13:19:50 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Kind regards,
Jelle de Jong
On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote:
> Basically if you put pam_unix before pam_sss, you'll get a single prompt, and things like RDP will work with OTP.
> Here's the default in password-auth and system-auth for Centos 7
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> This causes local users and users with UID < 1000 to use Unix, otherwise go directly to sss.
> You can add another line to test for specific services, and force pam_unix, i.e. a single prompt, e.g.
> auth [success=2 default=ignore] pam_succeed_if.so service in lightdm:xrdp-sesman
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> The one that gets messy is x2go, because it uses ssh, and can't be detected by a service test.
>> On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
>>
>> Hello everybody,
>>
>> Thank you all for replying.
>>
>> On 18/03/2019 20:44, Jakub Hrozek wrote:
>>> On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
>>>> On Mon, 18 Mar 2019, Jelle de Jong via FreeIPA-users wrote:
>>>>> Hello everybody,
>>>>>
>>>>>
>>>>> I am looking for a way to have different authentication policy for a freeipa-client logout and screenlock on linux workstations.
>>>>>
>>>>> When a user logs in I want to use my password+otp (this is working)!
>>>>>
>>>>> When a user locks its screen I want to be able to unlock it with only the password.
>>>>>
>>>>> When a user logs out and back in then it needs to use the password+otp again.
>>>>>
>>>>> I am aware of the security implications for this.
>>>>>
>>>>> How can I configure this policy?
>>>> I don't think there is a way to deploy such policy through SSSD at all.
>>>>
>>>> Jakub, do you have an idea how to make that possible?
>>> Currently I can't think of anything clean either. Is the lock screen and the login manager the same PAM service? If they are different, maybe some
>>> hack like letting pam_unix to always read the password and then just
>>> pass it on to pam_sss would work..
>>> But I know Sumit is working on improving the 2FA prompting lately, so
>>> maybe this will be improved in the upcoming release.
>>
>> I seem to have mate-screensaver, lightdm and xrdp-sesman.
>>
>> Will that be enough to hook a custom pam rule together for mate-screensaver?
>>
>> If not, is it possible to disable OTP for all the desktop systems in sssd.conf and have it still working for all other systems with --user-auth-type=otp as the only enabled option in freeipa?
>>
>> Also for laptop systems in offline
>>
>> disable_preauth
>> forward_pass
>>
>> Mar 19 18:54:50 workstation01 mate-screensaver-dialog: pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
>>
>> Mar 19 18:54:51 workstation01 mate-screensaver-dialog: pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021 euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
>>
>> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth): authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
>>
>> Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=jdejong
>>
>> Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
>>
>> Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
>>
>> cat /etc/pam.d/mate-screensaver
>> @include common-auth
>> auth optional pam_gnome_keyring.so
>>
>> cat /etc/pam.d/common-auth
>> #
>> # /etc/pam.d/common-auth - authentication settings common to all services
>> #
>> # This file is included from other service-specific PAM config files,
>> # and should contain a list of the authentication modules that define
>> # the central authentication scheme for use on the system
>> # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
>> # traditional Unix authentication mechanisms.
>> #
>> # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
>> # To take advantage of this, it is recommended that you configure any
>> # local modules either before or after the default block, and use
>> # pam-auth-update to manage selection of other modules. See
>> # pam-auth-update(8) for details.
>>
>> # here are the per-package modules (the "Primary" block)
>> auth [success=2 default=ignore] pam_unix.so nullok_secure
>> auth [success=1 default=ignore] pam_sss.so use_first_pass
>> # here's the fallback if no module succeeds
>> auth requisite pam_deny.so
>> # prime the stack with a positive return value if there isn't one already;
>> # this avoids us returning an error just because nothing sets a success code
>> # since the modules above will each just jump around
>> auth required pam_permit.so
>> # and here are more per-package modules (the "Additional" block)
>> auth optional pam_ecryptfs.so unwrap
>> auth optional pam_cap.so
>> # end of pam-auth-update config
>>
>> sssd 1.16.1-1ubuntu1.1
>>
>> root@workstation01:~# ls -hal /etc/pam.d/
>> total 136K
>> drwxr-xr-x 2 root root 4,0K Mar 15 11:35 .
>> drwxr-xr-x 161 root root 12K Mar 19 18:22 ..
>> -rw-r--r-- 1 root root 384 Jan 25 2018 chfn
>> -rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd
>> -rw-r--r-- 1 root root 581 Jan 25 2018 chsh
>> -rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account
>> -rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth
>> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password
>> -rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session
>> -rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive
>> -rw-r--r-- 1 root root 606 Nov 16 2017 cron
>> -rw-r--r-- 1 root root 69 Mar 27 2018 cups
>> -rw-r--r-- 1 root root 884 Mar 22 2018 lightdm
>> -rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin
>> -rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter
>> -rw-r--r-- 1 root root 4,9K Jan 25 2018 login
>> -rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver
>> -rw-r--r-- 1 root root 92 Jan 25 2018 newusers
>> -rw-r--r-- 1 root root 520 Apr 4 2018 other
>> -rw-r--r-- 1 root root 92 Jan 25 2018 passwd
>> -rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1
>> -rw-r--r-- 1 root root 168 Feb 26 2018 ppp
>> -rw-r--r-- 1 root root 143 Feb 14 2018 runuser
>> -rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l
>> -rw-r--r-- 1 root root 84 Nov 8 19:09 samba
>> -rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd
>> -rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils
>> -rw-r--r-- 1 root root 2,3K Jan 25 2018 su
>> -rw-r--r-- 1 root root 239 Jan 18 2018 sudo
>> -rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user
>> -rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman
>>
>> Thank you in advance!
>>
>> Kind regards,
>>
>> Jelle de Jong
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
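As an added example that is not part of this thread or of Linux-PAM, the Python model below traces the control-flag logic the posted common-auth stack depends on: the `[success=2 default=ignore]` jump over the uid and pam_localuser tests so that pam_unix prompts first, and pam_sss then reusing that token through forward_pass. Module outcomes are stubbed from a constructed Ctx (service name, uid, whether the user is local, whether SSSD would accept the token), so a screensaver unlock can be compared with an ssh login without touching a real PAM stack.

```python
from dataclasses import dataclass, field
STACK = [  # Jelle's common-auth as (control, module, arguments) rows; dicts model the [value=action] form
    ({"success": 2, "default": "ignore"}, "pam_succeed_if", "service in mate-screensaver:lightdm:xrdp-sesman"),
    ({"default": 1, "ignore": "ignore", "success": "ok"}, "pam_succeed_if", "uid >= 1000 quiet"),
    ({"default": 1, "ignore": "ignore", "success": "ok"}, "pam_localuser", ""),
    ("sufficient", "pam_unix", "nullok try_first_pass"),
    ("requisite", "pam_succeed_if", "uid >= 1000 quiet_success"),
    ("sufficient", "pam_sss", "forward_pass"),
    ("requisite", "pam_deny", ""),
    ("required", "pam_permit", ""),
]

@dataclass
class Ctx:  # constructed stand-in for the PAM handle plus the account being checked
    service: str           # PAM service name, e.g. "mate-screensaver"
    uid: int
    local: bool = False    # in /etc/passwd: pam_localuser and pam_unix succeed (correct password assumed)
    sss_ok: bool = False   # would pam_sss (SSSD/FreeIPA) accept the token?
    prompts: int = 0       # times the user was asked; > 0 means PAM_AUTHTOK is already set
    trace: list = field(default_factory=list)  # (module, result) in execution order

def run_module(mod, args, ctx):
    # Stubbed outcome of one module: True is PAM_SUCCESS, False any failure code.
    if mod == "pam_succeed_if":
        c = args.split()
        res = ctx.service in c[2].split(":") if c[0] == "service" else ctx.uid >= int(c[2])
    elif mod in ("pam_unix", "pam_sss"):
        ctx.prompts += int(ctx.prompts == 0)  # try_first_pass/forward_pass reuse the token, else prompt once
        res = ctx.local if mod == "pam_unix" else ctx.sss_ok
    else:  # pam_localuser checks /etc/passwd; pam_permit succeeds, pam_deny fails
        res = ctx.local if mod == "pam_localuser" else mod == "pam_permit"
    ctx.trace.append((mod, res))
    return res

def run_stack(ctx, stack=STACK):
    # Walk the stack with Linux-PAM control semantics and return the verdict.
    i, ok_seen, fail_seen = 0, False, False
    while i < len(stack):
        ctrl, mod, args = stack[i]
        res = run_module(mod, args, ctx)
        if (ctrl == "sufficient" and res and not fail_seen) or (ctrl == "requisite" and not res):
            return "success" if res else "failure"  # sufficient success / requisite failure end the stack
        if ctrl in ("requisite", "required"):
            ok_seen, fail_seen = ok_seen or res, fail_seen or not res
        elif isinstance(ctrl, dict):  # unlisted return values act as "bad"
            action = ctrl.get("success" if res else "default", "bad")
            ok_seen, fail_seen = ok_seen or action == "ok", fail_seen or action == "bad"
            i += action if isinstance(action, int) else 0  # jump over the next N modules
        i += 1
    return "success" if ok_seen and not fail_seen else "failure"
```

With a Ctx for mate-screensaver and a non-local uid the trace reproduces the log pattern from the thread (pam_unix fails, pam_sss succeeds, the user is prompted once), while for sshd the same user skips pam_unix entirely. The model only ever gets a single prompt: whatever pam_sss demands in that prompt is unchanged, so it does not by itself turn OTP off.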