With pam_securid.so I can put this in /etc/pam.d/sshd:

auth sufficient pam_securid.so

and at ssh login I just put the PIN at the Password: prompt, then I get the Enter SMS Token: prompt, I put the tokencode there, and I can ssh into the server fine.
If I do the same with pam_sss.so it keeps asking for Password: and never changes the prompt to Enter SMS Token:, and ssh fails badly. At this second Password: prompt I tried with just the tokencode (at 18:45:34 in the log below) or PIN and tokencode (at 18:47:55). Neither let me in, and it failed eventually.
I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?
Is there a way to fix that so pam_sss behaves the right way and lets me authenticate in two steps, with the PIN and then the TokenCode on the next step?
Also, without this PAM conversation, when the PIN expires it will not let you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so that works very well as well.
I have sssd.conf set up like this:

auth_server = proxy
proxy_target_pam = securid

And in the pam.d/securid file:

auth sufficient pam_securid.so
Here is some log http://dpaste.com/2HD27XH.txt where I tried with the PIN at the first Password: prompt and then the TokenCode at the second Password: prompt at 18:45:34 and failed to login. And I tried with the PIN at the first Password: prompt and then PIN and TokenCode at the second Password: prompt at 18:47:55 and failed to login.
I tried with SELinux off and on and got the same result.
If I put PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.
Any suggestion how to fix pam_sss for OTP?
Thanks!
My 2c: having two 'Password:' prompts (RSA + sssd) will confuse your users; the easiest would be to configure sd_pam.conf to use a different prompt for RSA.

$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :

Now back to your question: I believe you need to define a new system-auth file to be used, in my case system-auth-ac_new with a custom pam config. This is a working rsa + sssd (openldap) setup; I am not sure about proxy as I haven't used it before.
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
auth       include      system-auth-ac_new
account    required     pam_nologin.so
account    include      system-auth-ac_new
password   include      system-auth-ac_new
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac_new
session    required     pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_sss.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
#account    required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient    pam_sss.so use_authtok
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_sss.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
On 10/26/2017 07:34 PM, Asif Iqbal wrote:
--
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
This setup also failed miserably, where the first two lines of pam.d/sshd are like below:

auth required pam_securid.so
auth include system-auth-ac_new

and using your pam.d/system-auth-ac_new.
So it does give you the right prompt 'Enter SMS Token:' when I just put the PIN at the first login prompt. But after putting the SMS token at the next prompt it goes back to the Password: prompt again. Even worse, now it does not even work with giving both PIN and TokenCode at the first prompt either.
Any other suggestion? Does anyone work with SSS and OTP at all?
Seems like I should just not use sss since OTP is a *must* requirement.
What OS are you using? I am using CentOS 6 with RSA (fixed password + PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for RSA and one for LDAP. If you need to ONLY use RSA with account lookup from sssd/ldap, then you have to comment out the auth line related to system-auth-ac in /etc/pam.d/sshd. You also have to be careful what umask you are using; make sure the file perms are set to 0644. Also, if you run authconfig to manage /etc/pam.d, your files may be overwritten, so you may need to import the custom settings into your deployment system, i.e. puppet/ansible.
Have you set *ChallengeResponseAuthentication* to yes in /etc/ssh/sshd_config?
Example of a system that uses RSA for sshd, so you get *only one* password prompt:
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
#auth      include      system-auth-ac
account    required     pam_nologin.so
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac
session    required     pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
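Mario's two pre-flight checks, keyboard-interactive auth in sshd_config and 0644 perms on the pam.d files, turned into a script. This is an added example, not code from the thread; it assumes OpenSSH's own defaults when a keyword is absent (kbd-interactive yes, UsePAM no) and treats KbdInteractiveAuthentication, the newer name of ChallengeResponseAuthentication, as the same option. The sample config tree it runs against is constructed inside the script.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the two settings
# Mario points at. sshd only runs the PAM conversation that produces the
# second prompt when keyboard-interactive auth and UsePAM are on, and pam.d
# files written under a strict umask end up unreadable to the PAM stack.

# Effective value of an sshd_config keyword in the global section: sshd
# takes the FIRST uncommented occurrence, keywords are case-insensitive,
# and lines after a Match block are conditional so they are not considered.
# Usage: sshd_effective <config> <keyword> [alias ...]
sshd_effective() {
    file=$1; shift
    keys=$(printf '%s ' "$@" | tr 'A-Z' 'a-z')
    awk -v keys="$keys" '
        BEGIN { n = split(keys, k, " ") }
        NF == 0 || /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        { for (i = 1; i <= n; i++) if (tolower($1) == k[i]) { print tolower($2); exit } }
    ' "$file"
}

# Succeeds when sshd will hand the login to PAM's conversation. Absent
# keywords take OpenSSH's own defaults (kbd-interactive yes, UsePAM no);
# KbdInteractiveAuthentication is the newer spelling of the same option.
check_kbdint() {
    kbd=$(sshd_effective "$1" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    usepam=$(sshd_effective "$1" UsePAM)
    [ "${kbd:-yes}" = yes ] && [ "${usepam:-no}" = yes ]
}

# Prints every file in a pam.d directory whose mode is not 0644 and fails
# if there is one (a root umask of 077 leaves new files 0600).
check_pam_perms() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ "$mode" != 644 ]; then
            echo "$f: mode $mode, expected 644"
            rc=1
        fi
    done
    return $rc
}

# Run both checks against a constructed sample tree (the sshd_config has the
# setting commented out and then disabled, the pam.d file is 0600).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d"
    printf '#%%PAM-1.0\nauth required pam_securid.so reserve\n' > "$tmp/pam.d/sshd"
    chmod 0600 "$tmp/pam.d/sshd"
    printf '# ChallengeResponseAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n' \
        > "$tmp/sshd_config"
    if check_kbdint "$tmp/sshd_config"; then
        echo "sshd: keyboard-interactive + PAM enabled"
    else
        echo "sshd: PAM conversation disabled, only the first prompt will ever appear"
    fi
    check_pam_perms "$tmp/pam.d" && echo "pam.d: all files 0644"
    rm -rf "$tmp"
}
demo
```

Point the two check functions at the real /etc/ssh/sshd_config and /etc/pam.d before blaming pam_sss: a commented-out or later duplicate ChallengeResponseAuthentication line is easy to miss by eye, which is why the first uncommented global occurrence is what the script reports.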
I am using CentOS 7.
What are you using for your auth_provider?
Here is my config today. Once it is working I will make sure puppet keeps it in line if it gets overwritten by authconfig. But first I need to make sure it is working, which is not the case today.
$ cat /etc/sssd/sssd.conf
...
auth_provider = proxy
proxy_pam_target = securid
...
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_exec.so /usr/local/bin/apply-quota.sh
#session   optional     pam_exec.so log=/tmp/pam_exec.log /usr/local/bin/ipsystems.sh
session    optional     pam_exec.so /usr/local/bin/ipsystems.sh
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 999 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
$ cat /etc/pam.d/securid
auth sufficient pam_radius_auth.so

There is no reserve option for pam_radius_auth. I am using pam_radius_auth to connect to my RSA SecurID server and it has been working on all my Solaris, Ubuntu and CentOS hosts for the last 15+ years.
These are the only options available: https://github.com/FreeRADIUS/pam_radius/blob/master/USAGE
I got it working with your config.
I can ssh with OTP and it does check my LDAP attributes as well.
I have auth_provider = ldap now as well, so I can do sudo auth based on LDAP.
However, sudo is failing, and here is what my pam.d/sudo looks like:

[root@localhost vagrant]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth-ac
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

$ sudo -s
[sudo] password for iqbala:
sudo: account validation failure, is your account locked?

It is not locked in LDAP; I checked.
Any suggestion what is going wrong there? I am using your system-auth-ac.
On 10/27/2017 10:27 AM, Asif Iqbal wrote:
This setup also failed miserably where pam.d/sshd first two lines like below
auth required pam_securid.so auth include system-auth-ac_new
And using your pam.d/system-auth-ac_new
So it does give you the right prompt 'Enter SMS Token:' when just put PIN at first login prompt. But after putting SMS token on the next prompt it goes back to Password: prompt again. Even worse is now it does not even work with giving both PIN and TokenCode at the first prompt either.
Any other suggestion? Does anyone work with SSS and OTP at all?
Seems like I should just not use sss since OTP is a *must* requirement.
On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi mrossi@hostopia.com wrote:
My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your users, the easiest would be to configure sd_pam.conf to use a different prompt for RSA.
$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
Now back to your question, I believe you need to define a new system-auth file to be used, in my case system-auth-ac_new with custom pam config. This is a working rsa + sssd (openldap) setup, I am not sure about proxy as I haven't used it before.
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
auth       include      system-auth-ac_new
account    required     pam_nologin.so
account    include      system-auth-ac_new
password   include      system-auth-ac_new
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac_new
session    required     pam_loginuid.so
$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_sss.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
#account    required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient    pam_sss.so use_authtok
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_sss.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
On 10/26/2017 07:34 PM, Asif Iqbal wrote:
With pam_securid.so
I can on /etc/pam.d/sshd
auth sufficient pam_securid.so
and at ssh login, I just put PIN at Password: prompt and then I get Enter SMS Token: prompt and I can then put the tokencode and I can ssh into the server fine.
If I do the same with pam_sss.so it keeps asking for Password: and never changes the prompt to Enter SMS Token: and ssh fails badly. At this second Password: prompt I tried with just tokencode (at 18:45:34 in log below) or PIN and tokencode (at 18:47:55). Neither let me in and failed eventually.
I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?
Is there a way to fix that to so pam_sss to behave the right way and let authenticate in two steps with PIN and then TokenCode on next step?
Also without this PAM conversation, when the PIN expires it will not let you update it. With simple pam.d/sshd and auth sufficient pam_securid.so that works very well as well.
I have sssd.conf setup like this:
auth_server = proxy
proxy_target_pam = securid
And in pam.d/securid file:
auth sufficient pam_securid.so
Here are some logs http://dpaste.com/2HD27XH.txt where I tried with PIN at the first Password: prompt and then TokenCode at the second Password: prompt at 18:45:34 and failed to login. And I tried with PIN at the first Password: prompt and then PIN and TokenCode at the second Password: prompt at 18:47:55 and failed to login.
I tried with SElinux off and on and same result
If I put PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.
Any suggestion how to fix pam_sss for OTP?
Thanks!
--
Asif Iqbal
PGP Key: 0xE62693C5
KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
There are a couple of things to check, older versions of sssd package sudo in a separate rpm and not all versions of sudo integrate with sssd, upgrade to the latest sudo package that your distro supports, just in case.
If sssd.conf has the proper references to sudo, e.g.
services = nss, pam, sudo, ssh
.....
[sudo]
# debug_level=9
....
[domain/XYZ]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=net
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
Additional troubleshooting steps:
Flush sssd cache just in case with sss_cache -E, as root on the server, su to the user, do id -G myuser, id myuser, after which try logging in with ssh as the user and use sudo.
List all sudo rules, as root, with: sudo -U myuser -l
I almost forgot, /etc/nsswitch.conf must have a sudoers line to point to sssd:
$ egrep sudo /etc/nsswitch.conf
sudoers: files sss
If you still see issues, I would recommend turning debugging on for sssd and sudo, and looking through openldap logs for queries done by sssd. In addition, the next link might also help.
https://jhrozek.livejournal.com/2065.html
Let us know how it goes. I assumed your openldap is loading the sudo schema and you have configured at least one rule in openldap for sudo. In my environment I modified the sudo password prompt (see option passprompt), that way I can distinguish between a non-ldap sudo and sssd-enabled sudo :)
Let us know how it goes ...
On 11/02/2017 03:13 PM, Asif Iqbal wrote:
On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi <mrossi@hostopia.com> wrote:
What OS are you using? I am using Centos 6 with RSA (fixed password + PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for RSA and one for LDAP. If you need to ONLY use RSA w account lookup from sssd/ldap, then you have to comment out the auth line related to system-auth-ac in /etc/pam.d/sshd. You also have to be careful what umask you are using, make sure file perms are set to 0644. Also if you run authconfig to manage /etc/pam.d, your files may be overwritten, so you may need to import custom settings into your deployment system i.e. puppet/ansible.
Have you set *ChallengeResponseAuthentication* to yes in /etc/ssh/sshd_config?
Example of a system that uses RSA for sshd, so you get *only one* password prompt:
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
#auth      include      system-auth-ac
account    required     pam_nologin.so
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac
session    required     pam_loginuid.so
$ cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
I got it working with your config.
I can ssh with OTP and it does check my LDAP attributes as well.
I have auth_provider = ldap now as well so I can sudo auth based on LDAP.
However sudo is failing and here is what my pam.d/sudo looks like:
[root@localhost vagrant]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth-ac
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
$ sudo -s
[sudo] password for iqbala:
sudo: account validation failure, is your account locked?
It is not locked in LDAP and I checked.
Any suggestion what is going wrong there? I am using your system-auth-ac
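The one-prompt versus two-prompt behaviour discussed in this thread falls out of how the auth stack is assembled, so here is an added example (written for this page, not code from the thread or from sssd) that flattens a pam.d service through its include lines and lists the modules that will each open a prompt when everything succeeds. The service texts are constructed from the sshd and system-auth-ac files quoted above; use_first_pass/try_first_pass are treated as reusing the earlier token, and the stack stops at the first successful 'sufficient' rule.

```python
"""Flatten a PAM service's auth stack (following include/substack) and list the
modules that will open their own prompt when every module succeeds."""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "mtype control module args")
# modules that never talk to the user
NEVER_PROMPT = {"pam_env.so", "pam_succeed_if.so", "pam_deny.so", "pam_permit.so"}
REUSE_TOKEN = {"use_first_pass", "try_first_pass"}

def parse_service(text):
    """Parse pam.d-style lines; '#' starts a comment, controls may be [bracketed]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module, rest = m.groups()
        rules.append(Rule(mtype, control, module, rest.split()))
    return rules

def resolve_stack(services, name, mtype, depth=0):
    """Return the rules of one management group (e.g. 'auth'), include-expanded."""
    if depth > 8:
        raise RecursionError(f"include loop while resolving {name}")
    stack = []
    for r in parse_service(services[name]):
        if r.mtype != mtype:
            continue
        if r.control in ("include", "substack"):
            stack.extend(resolve_stack(services, r.module, mtype, depth + 1))
        else:
            stack.append(r)
    return stack

def prompting_modules(stack):
    """Modules that prompt on the all-succeed path. use_first_pass/try_first_pass
    reuse an earlier token instead of asking again, and the stack stops at the
    first successful 'sufficient' rule."""
    prompts, have_token = [], False
    for r in stack:
        if r.module in NEVER_PROMPT:
            continue
        if not (have_token and REUSE_TOKEN & set(r.args)):
            prompts.append(r.module)
            have_token = True
        if r.control == "sufficient":
            break
    return prompts

# Constructed from the configs quoted in the thread: the single-prompt sshd with
# its system-auth-ac include commented out, and the earlier two-prompt variant.
SERVICES = {
    "sshd": """#%PAM-1.0
auth     required   pam_securid.so reserve
#auth    include    system-auth-ac
""",
    "system-auth-ac": """auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
""",
    "sshd_two_prompts": """auth required pam_securid.so reserve
auth include system-auth-ac_new
""",
    "system-auth-ac_new": """auth sufficient pam_sss.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
""",
}
```

prompting_modules(resolve_stack(SERVICES, "sshd", "auth")) returns ["pam_securid.so"] for the single-prompt file and ["pam_securid.so", "pam_sss.so"] for "sshd_two_prompts", which is the double Password: prompt the thread describes.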
On Thu, Nov 2, 2017 at 9:14 PM, Mario Rossi mrossi@hostopia.com wrote:
There are a couple of things to check, older versions of sssd package sudo in a separate rpm and not all versions of sudo integrate with sssd, upgrade to the latest sudo package that your distro supports, just in case.
If sssd.conf has the proper references to sudo, e.g.
services = nss, pam, sudo, ssh
.....
[sudo]
# debug_level=9
....
[domain/XYZ]
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=net
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
Additional troubleshooting steps:
Flush sssd cache just in case with sss_cache -E, as root on the server, su to the user, do id -G myuser, id myuser, after which try logging in with ssh as the user and use sudo.
List all sudo rules, as root, with: sudo -U myuser -l
I almost forgot, /etc/nsswitch.conf must have a sudoers line to point to sssd:
$ egrep sudo /etc/nsswitch.conf
sudoers: files sss
Thanks for your reply.
sudo is now working as well, with this config
$ cat /etc/pam.d/sudo
#%PAM-1.0
auth       sufficient   pam_sss.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
If you still see issues, I would recommend turning debugging on for sssd and sudo, and looking through openldap logs for queries done by sssd. In addition, the next link might also help.
I will bookmark this link.
Let us know how it goes. I assumed your openldap is loading the sudo schema and you have configured at least one rule in openldap for sudo. In my environment I modified the sudo password prompt (see option passprompt), that way I can distinguish between a non-ldap sudo and sssd-enabled sudo :)
Yes I modified the passprompt too :-)
Let us know how it goes ...
Appreciate your help!
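Mario's sudo checklist (sudo in the services list, an LDAP sudo provider and search base in the domain, and a sudoers line routed to sss in nsswitch.conf) is mechanical enough to script, so here is an added static checker written for this page; it is not sssd's own tooling. The two sssd.conf/nsswitch.conf pairs are constructed samples, the first following the working setup in the thread (search base ou=sudoers,dc=example,dc=net), the second a host with the sudo pieces missing.

```python
"""Static check of the sssd.conf and nsswitch.conf settings the thread lists for
serving sudo rules from LDAP through sssd (added example, not sssd tooling)."""
import configparser
import re


def sudo_findings(sssd_conf: str, nsswitch: str) -> list:
    """Return the problems found; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    findings = []

    # 1. the sudo responder must be started: services = nss, pam, sudo, ...
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        findings.append("[sssd] services does not list sudo")

    # 2. every domain needs an LDAP sudo provider and a sudo search base
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    if not domains:
        findings.append("no [domain/...] section in sssd.conf")
    for dom in domains:
        # sssd.conf(5): sudo_provider defaults to the value of id_provider
        provider = cp.get(dom, "sudo_provider",
                          fallback=cp.get(dom, "id_provider", fallback=""))
        if provider != "ldap":
            findings.append(f"[{dom}] sudo_provider is {provider!r}, not ldap")
        if not cp.has_option(dom, "ldap_sudo_search_base"):
            # defaults to ldap_search_base; the thread's config sets it explicitly
            findings.append(f"[{dom}] ldap_sudo_search_base not set")

    # 3. sudo only consults sssd when nsswitch.conf routes 'sudoers' to sss
    m = re.search(r"^\s*sudoers:\s*(.*)$", nsswitch, re.MULTILINE)
    if not m or "sss" not in m.group(1).split():
        findings.append("nsswitch.conf has no 'sudoers: ... sss' entry")
    return findings


# Constructed sample inputs: the first pair follows the thread's working setup,
# the second is a host where the sudo integration was never finished.
GOOD_SSSD_CONF = """[sssd]
services = nss, pam, sudo, ssh
domains = XYZ

[sudo]
# debug_level = 9

[domain/XYZ]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=net
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
"""
GOOD_NSSWITCH = "passwd:  files sss\ngroup:   files sss\nsudoers: files sss\n"

BAD_SSSD_CONF = """[sssd]
services = nss, pam
domains = XYZ

[domain/XYZ]
id_provider = ldap
auth_provider = ldap
"""
BAD_NSSWITCH = "passwd:  files sss\ngroup:   files sss\n"

if __name__ == "__main__":
    for label, conf, nss in (("good", GOOD_SSSD_CONF, GOOD_NSSWITCH),
                             ("bad", BAD_SSSD_CONF, BAD_NSSWITCH)):
        print(label, sudo_findings(conf, nss) or "all checks passed")
```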