subject:"\\\\\\\[SSSD\\\\\\\-users\\\\\\\] Re\\\\\\\: sssd with OTP does not work in all cases."

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Asif Iqbal

On Thu, Nov 2, 2017 at 9:14 PM, Mario Rossi  wrote:

> There are a couple of things to check, older versions of sssd package sudo
> in a separate rpm and not all versions of sudo integrate with sssd, upgrade
> to the latest sudo package that your distro supports, just in case.
>
> If sssd.conf has the proper refereces to sudo e.g.
>
> services = nss, pam, sudo, ssh
> .
> [sudo]
> # debug_level=9
> 
> [domain/XYZ]
>
> sudo_provider = ldap
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=net
> ldap_sudo_full_refresh_interval = 86400
> ldap_sudo_smart_refresh_interval = 3600
>
> Additional troubleshooting steps:
> Flush sssd cache just in case with  sss_cache -E , as root on the server,
> su to the user, do id -G myuser, id myuser, after which try logging in with
> ssh as the user and use sudo. List all sudo rules, as root, with: sudo -U
> myuser -l
>
> I almost forgot, /etc/nsswitch.conf must have a sudoers line to point to
> sssd:
> $ egrep sudo /etc/nsswitch.conf
> sudoers:files sss
>
>
>
Thanks for your reply.

sudo is now working as well, with this config

$ cat /etc/pam.d/sudo
#%PAM-1.0
*auth   sufficient   pam_sss.so*
accountinclude  system-auth
password   include  system-auth
sessionoptional pam_keyinit.so revoke
sessionrequired pam_limits.so


If you still see issues , I would recommend turning debugging on for sssd,
> sudo, looking through openldap logs for queries done by sssd. In addition,
> the next link might also help.
>
> https://jhrozek.livejournal.com/2065.html
>
>
I will bookmark this link.


> Let us know how it goes. I assumed your openldap is loading the sudo
> schema and you have configured at least one rule in openldap for sudo. In
> my environment I modified the sudo password prompt ( see option passprompt)
> , that way I can distinguish between a non-ldap sudo and sssd-enabled sudo
> :)
>
>
Yes I modified the passprompt too :-)


> Let us know how it goes ...
>
>

Appreciate your help!



>
> On 11/02/2017 03:13 PM, Asif Iqbal wrote:
>
>
>
> On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi  wrote:
>
>> What OS are you using ? I am using Centos 6  with RSA ( fixed password +
>> PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one for
>> RSA and one for LDAP. If you need to ONLY use RSA w account lookup from
>> sssd/ldap, then you have to comment out the auth line related to
>> system-auth-ac in  /etc/pam.d/sshd. You also have to be careful what umask
>> are you using, make sure file perms is set to 0644 . Also if you run
>> authconfig to manage /etc/pam.d, your files may be overwritten, so you may
>> need to import custom setting into your deployment system i.e.
>> puppet/ansible.
>>
>> Have you set *ChallengeResponseAuthentication* to yes in
>> /etc/ssh/sshd_config ?
>>
>> Example of a system that uses RSA for sshd , so you get *only one*
>> password prompt:
>>
>> $ cat /etc/pam.d/sshd
>> #%PAM-1.0
>> auth   required pam_securid.so reserve
>> *#auth   include  system-auth-ac*
>> accountrequired pam_nologin.so
>> accountinclude  system-auth-ac
>> password   include  system-auth-ac
>> sessionoptional pam_keyinit.so force revoke
>> sessioninclude  system-auth-ac
>> sessionrequired pam_loginuid.so
>>
>> $ cat */etc/pam.d/system-auth-ac *
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> authrequired  pam_env.so
>> authsufficientpam_unix.so nullok try_first_pass
>> authrequisite pam_succeed_if.so uid >= 500 quiet
>> authsufficientpam_sss.so use_first_pass
>> authrequired  pam_deny.so
>>
>> account required  pam_unix.so
>> account sufficientpam_localuser.so
>> account sufficientpam_succeed_if.so uid < 500 quiet
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> account required  pam_permit.so
>>
>> passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
>> passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass
>> use_authtok
>> passwordsufficientpam_sss.so use_authtok
>> passwordrequired  pam_deny.so
>>
>> session optional  pam_keyinit.so revoke
>> session required  pam_limits.so
>> session optional  pam_mkhomedir.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond
>> quiet use_uid
>> session required  pam_unix.so
>> session optional  pam_sss.so
>>
>
> I got it working with your config.
>
> I can ssh with OTP and it does check my LDAP attributes as well.
>
> I have auth_provider = ldap now as well so I can sudo auth based on LDAP.
>
> Howerver sudo is failing and here is my pam.d/sudo looks like
>
> [root@localhost vagrant]# cat /etc/pam.d/sudo
> #%PAM-1.0
> auth   include  system-auth-ac
> accountinclude

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Mario Rossi

There are a couple of things to check, older versions of sssd package 
sudo in a separate rpm and not all versions of sudo integrate with sssd, 
upgrade to the latest sudo package that your distro supports, just in case.


If sssd.conf has the proper refereces to sudo e.g.

services = nss, pam, sudo, ssh
.
[sudo]
# debug_level=9

[domain/XYZ]

sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=net
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600

Additional troubleshooting steps:
Flush sssd cache just in case with  sss_cache -E , as root on the 
server, su to the user, do id -G myuser, id myuser, after which try 
logging in with ssh as the user and use sudo. List all sudo rules, as 
root, with: sudo -U myuser -l


I almost forgot, /etc/nsswitch.conf must have a sudoers line to point to 
sssd:

$ egrep sudo /etc/nsswitch.conf
sudoers:    files sss


If you still see issues , I would recommend turning debugging on for 
sssd, sudo, looking through openldap logs for queries done by sssd. In 
addition, the next link might also help.


https://jhrozek.livejournal.com/2065.html

Let us know how it goes. I assumed your openldap is loading the sudo 
schema and you have configured at least one rule in openldap for sudo. 
In my environment I modified the sudo password prompt ( see option 
passprompt) , that way I can distinguish between a non-ldap sudo and 
sssd-enabled sudo :)


Let us know how it goes ...


On 11/02/2017 03:13 PM, Asif Iqbal wrote:



On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi > wrote:


What OS are you using ? I am using Centos 6  with RSA ( fixed
password + PIN ) + sssd/ldap auth , so yes, that does give you
BOTH prompts, one for RSA and one for LDAP. If you need to ONLY
use RSA w account lookup from sssd/ldap, then you have to comment
out the auth line related to system-auth-ac in  /etc/pam.d/sshd.
You also have to be careful what umask are you using, make sure
file perms is set to 0644 . Also if you run authconfig to manage
/etc/pam.d, your files may be overwritten, so you may need to
import custom setting into your deployment system i.e.
puppet/ansible.

Have you set *ChallengeResponseAuthentication* to yes in
/etc/ssh/sshd_config ?

Example of a system that uses RSA for sshd , so you get *only one*
password prompt:

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securid.so reserve
*#auth   include  system-auth-ac*
account    required pam_nologin.so
account    include  system-auth-ac
password   include  system-auth-ac
session    optional pam_keyinit.so force revoke
session    include  system-auth-ac
session    required pam_loginuid.so

$ cat */etc/pam.d/system-auth-ac *
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    required pam_env.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    requisite pam_succeed_if.so uid >= 500 quiet
auth    sufficient    pam_sss.so use_first_pass
auth    required  pam_deny.so

account required  pam_unix.so
account sufficient    pam_localuser.so
account sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

password    requisite pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required  pam_deny.so

session optional  pam_keyinit.so revoke
session required  pam_limits.so
session optional  pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service
in crond quiet use_uid
session required  pam_unix.so
session optional  pam_sss.so


I got it working with your config.

I can ssh with OTP and it does check my LDAP attributes as well.

I have auth_provider = ldap now as well so I can sudo auth based on LDAP.

Howerver sudo is failing and here is my pam.d/sudo looks like

[root@localhost vagrant]# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth-ac
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

$ sudo -s
[sudo] password for iqbala:
sudo: account validation failure, is your account locked?

It is not locked in LDAP and I checked.

Any suggestion what is going wrong there? I am using your system-auth-ac







On 10/27/2017 10:27 AM, Asif Iqbal wrote:

This setup also failed miserably where pam.d/sshd first two lines
like below

auth       required

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-11-02 Thread Asif Iqbal

On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi  wrote:

> What OS are you using ? I am using Centos 6  with RSA ( fixed password +
> PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one for
> RSA and one for LDAP. If you need to ONLY use RSA w account lookup from
> sssd/ldap, then you have to comment out the auth line related to
> system-auth-ac in  /etc/pam.d/sshd. You also have to be careful what umask
> are you using, make sure file perms is set to 0644 . Also if you run
> authconfig to manage /etc/pam.d, your files may be overwritten, so you may
> need to import custom setting into your deployment system i.e.
> puppet/ansible.
>
> Have you set *ChallengeResponseAuthentication* to yes in
> /etc/ssh/sshd_config ?
>
> Example of a system that uses RSA for sshd , so you get *only one*
> password prompt:
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth   required pam_securid.so reserve
> *#auth   include  system-auth-ac*
> accountrequired pam_nologin.so
> accountinclude  system-auth-ac
> password   include  system-auth-ac
> sessionoptional pam_keyinit.so force revoke
> sessioninclude  system-auth-ac
> sessionrequired pam_loginuid.so
>
> $ cat */etc/pam.d/system-auth-ac *
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> authrequired  pam_env.so
> authsufficientpam_unix.so nullok try_first_pass
> authrequisite pam_succeed_if.so uid >= 500 quiet
> authsufficientpam_sss.so use_first_pass
> authrequired  pam_deny.so
>
> account required  pam_unix.so
> account sufficientpam_localuser.so
> account sufficientpam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required  pam_permit.so
>
> passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
> passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> passwordsufficientpam_sss.so use_authtok
> passwordrequired  pam_deny.so
>
> session optional  pam_keyinit.so revoke
> session required  pam_limits.so
> session optional  pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required  pam_unix.so
> session optional  pam_sss.so
>

I got it working with your config.

I can ssh with OTP and it does check my LDAP attributes as well.

I have auth_provider = ldap now as well so I can sudo auth based on LDAP.

Howerver sudo is failing and here is my pam.d/sudo looks like

[root@localhost vagrant]# cat /etc/pam.d/sudo
#%PAM-1.0
auth   include  system-auth-ac
accountinclude  system-auth-ac
password   include  system-auth-ac
sessionoptional pam_keyinit.so revoke
sessionrequired pam_limits.so

$ sudo -s
[sudo] password for iqbala:
sudo: account validation failure, is your account locked?

It is not locked in LDAP and I checked.

Any suggestion what is going wrong there? I am using your system-auth-ac







>
> On 10/27/2017 10:27 AM, Asif Iqbal wrote:
>
> This setup also failed miserably where pam.d/sshd first two lines like
> below
>
> auth   required pam_securid.so
> auth   include  system-auth-ac_new
>
> And using your pam.d/system-auth-ac_new
>
> So it does give you the right prompt 'Enter SMS Token:' when just put PIN
> at first login prompt. But after putting SMS token on the next prompt
> it goes back to Password: prompt again. Even worse is now it does not even
> work with giving both PIN and TokenCode at the first prompt either.
>
> Any other suggestion? Does anyone work with SSS and OTP at all?
>
> Seems like I should just not use sss since OTP is a *must* requirement.
>
>
>
>
>
> On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi  wrote:
>
>>
>> My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your
>> users, the easiest would be to configure sd_pam.conf to use a different
>> prompt for RSA.
>>
>> $ egrep ^AUTH /etc/sd_pam.conf
>> AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
>> AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root
>> :
>> AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
>> AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
>>
>> Now back to your question, I believe you need to define a new system-auth
>> file to be used, in my case
>> system-auth-ac_new with custom pam config. This is a working rsa + sssd
>> (openldap ) setup, I am not sure about proxy as I haven't used it before.
>>
>>
>> $ cat /etc/pam.d/sshd
>> #%PAM-1.0
>> auth   required pam_securid.so reserve
>> auth   include  system-auth-ac_new
>> accountrequired pam_nologin.so
>> accountinclude  system-auth-ac_new
>> password   include  system-auth-ac_new
>> sessionoptional

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Asif Iqbal

I am using centos 7.

What are you using your auth_provider ?

Here is my config today. Once it is working I will make sure puppet keeps
it in line and if gets overwritten by authconfig. But I need to first make
sure if is working, which is not the case today.

$ cat /etc/sssd/sssd.conf
...

*auth_provider = proxy*
*proxy_pam_target = securid*
...

$ cat /etc/pam.d/sshd
#%PAM-1.0
authrequired pam_sepermit.so
*auth   substack password-auth*
auth   include  postlogin
# Used with polkit to reauthorize users in remote sessions
-auth  optional pam_reauthorize.so prepare
accountrequired pam_nologin.so
accountinclude  password-auth
password   include  password-auth
# pam_selinux.so close should be the first session rule
sessionrequired pam_selinux.so close
sessionrequired pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
sessionrequired pam_selinux.so open env_params
sessionrequired pam_namespace.so
sessionoptional pam_keyinit.so force revoke
sessionoptional pam_exec.so /usr/local/bin/apply-quota.sh
#sessionoptionalpam_exec.so log=/tmp/pam_exec.log
/usr/local/bin/ipsystems.sh
sessionoptional pam_exec.so /usr/local/bin/ipsystems.sh
sessioninclude  password-auth
sessioninclude  postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional pam_reauthorize.so prepare

$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired  pam_env.so
auth[default=1 success=ok] pam_localuser.so
auth[success=done ignore=ignore default=die] pam_unix.so nullok
try_first_pass
authrequisite pam_succeed_if.so uid >= 999 quiet_success
*authsufficientpam_sss.so forward_pass*
authrequired  pam_deny.so

account required  pam_unix.so
account sufficientpam_localuser.so
account sufficientpam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

passwordrequisite pam_pwquality.so try_first_pass local_users_only
retry=3 authtok_type=
passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass
use_authtok
passwordsufficientpam_sss.so use_authtok
passwordrequired  pam_deny.so

session optional  pam_keyinit.so revoke
session required  pam_limits.so
-session optional  pam_systemd.so
session optional  pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond
quiet use_uid
session required  pam_unix.so
session optional  pam_sss.so

$ cat /etc/pam.d/securid
*auth sufficient pam_radius_auth.so*

There is no reserve option for pam_radius_auth. I am using pam_radius_auth
to connect to my RSA securid server
and it has been working on all my solaris, ubuntu, centos for last 15+ yrs.

These are the only options available
https://github.com/FreeRADIUS/pam_radius/blob/master/USAGE





On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi  wrote:

> What OS are you using ? I am using Centos 6  with RSA ( fixed password +
> PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one for
> RSA and one for LDAP. If you need to ONLY use RSA w account lookup from
> sssd/ldap, then you have to comment out the auth line related to
> system-auth-ac in  /etc/pam.d/sshd. You also have to be careful what umask
> are you using, make sure file perms is set to 0644 . Also if you run
> authconfig to manage /etc/pam.d, your files may be overwritten, so you may
> need to import custom setting into your deployment system i.e.
> puppet/ansible.
>
> Have you set *ChallengeResponseAuthentication* to yes in
> /etc/ssh/sshd_config ?
>
> Example of a system that uses RSA for sshd , so you get *only one*
> password prompt:
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth   required pam_securid.so reserve
> *#auth   include  system-auth-ac*
> accountrequired pam_nologin.so
> accountinclude  system-auth-ac
> password   include  system-auth-ac
> sessionoptional pam_keyinit.so force revoke
> sessioninclude  system-auth-ac
> sessionrequired pam_loginuid.so
>
> $ cat */etc/pam.d/system-auth-ac *
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> authrequired  pam_env.so
> authsufficientpam_unix.so nullok try_first_pass
> authrequisite pam_succeed_if.so uid >= 500 quiet
> authsufficientpam_sss.so use_first_pass
> authrequired  pam_deny.so
>
> account required  pam_unix.so
> account sufficientpam_localuser.so
> account sufficient

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Mario Rossi

What OS are you using ? I am using Centos 6 with RSA ( fixed password + 
PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one 
for RSA and one for LDAP. If you need to ONLY use RSA w account lookup 
from sssd/ldap, then you have to comment out the auth line related to 
system-auth-ac in /etc/pam.d/sshd. You also have to be careful what 
umask are you using, make sure file perms is set to 0644 . Also if you 
run authconfig to manage /etc/pam.d, your files may be overwritten, so 
you may need to import custom setting into your deployment system i.e. 
puppet/ansible.


Have you set *ChallengeResponseAuthentication* to yes in 
/etc/ssh/sshd_config ?


Example of a system that uses RSA for sshd , so you get *only one* 
password prompt:


$ cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securid.so reserve
*#auth   include  system-auth-ac*
account    required pam_nologin.so
account    include  system-auth-ac
password   include  system-auth-ac
session    optional pam_keyinit.so force revoke
session    include  system-auth-ac
session    required pam_loginuid.so

$ cat */etc/pam.d/system-auth-ac *
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    required  pam_env.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    requisite pam_succeed_if.so uid >= 500 quiet
auth    sufficient    pam_sss.so use_first_pass
auth    required  pam_deny.so

account required  pam_unix.so
account sufficient    pam_localuser.so
account sufficient    pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required  pam_permit.so

password    requisite pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok 
try_first_pass use_authtok

password    sufficient    pam_sss.so use_authtok
password    required  pam_deny.so

session optional  pam_keyinit.so revoke
session required  pam_limits.so
session optional  pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid

session required  pam_unix.so
session optional  pam_sss.so

On 10/27/2017 10:27 AM, Asif Iqbal wrote:
This setup also failed miserably where pam.d/sshd first two lines like 
below


auth       required     pam_securid.so
auth       include      system-auth-ac_new

And using your pam.d/system-auth-ac_new

So it does give you the right prompt 'Enter SMS Token:' when just put 
PIN at first login prompt. But after putting SMS token on the next prompt
it goes back to Password: prompt again. Even worse is now it does not 
even work with giving both PIN and TokenCode at the first prompt either.


Any other suggestion? Does anyone work with SSS and OTP at all?

Seems like I should just not use sss since OTP is a *must* requirement.





On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi > wrote:



My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse
your users, the easiest would be to configure sd_pam.conf to use a
different prompt for RSA.

$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password
for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :

Now back to your question, I believe you need to define a new
system-auth file to be used, in my case
system-auth-ac_new with custom pam config. This is a working rsa +
sssd (openldap ) setup, I am not sure about proxy as I haven't
used it before.


$ cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securid.so reserve
auth   include  system-auth-ac_new
account    required pam_nologin.so
account    include  system-auth-ac_new
password   include  system-auth-ac_new
session    optional pam_keyinit.so force revoke
session    include  system-auth-ac_new
session    required pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    sufficient    pam_sss.so
auth    required  pam_env.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    requisite pam_succeed_if.so uid >= 500 quiet
auth    required  pam_deny.so

account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account required  pam_access.so
account required  pam_unix.so broken_shadow
account sufficient    pam_localuser.so
account sufficient    pam_succeed_if.so uid < 500 quiet
account required  pam_permit.so

password

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-27 Thread Asif Iqbal

This setup also failed miserably where pam.d/sshd first two lines like below

auth   required pam_securid.so
auth   include  system-auth-ac_new

And using your pam.d/system-auth-ac_new

So it does give you the right prompt 'Enter SMS Token:' when just put PIN
at first login prompt. But after putting SMS token on the next prompt
it goes back to Password: prompt again. Even worse is now it does not even
work with giving both PIN and TokenCode at the first prompt either.

Any other suggestion? Does anyone work with SSS and OTP at all?

Seems like I should just not use sss since OTP is a *must* requirement.





On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi  wrote:

>
> My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your
> users, the easiest would be to configure sd_pam.conf to use a different
> prompt for RSA.
>
> $ egrep ^AUTH /etc/sd_pam.conf
> AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
> AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
> AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
> AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
>
> Now back to your question, I believe you need to define a new system-auth
> file to be used, in my case
> system-auth-ac_new with custom pam config. This is a working rsa + sssd
> (openldap ) setup, I am not sure about proxy as I haven't used it before.
>
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth   required pam_securid.so reserve
> auth   include  system-auth-ac_new
> accountrequired pam_nologin.so
> accountinclude  system-auth-ac_new
> password   include  system-auth-ac_new
> sessionoptional pam_keyinit.so force revoke
> sessioninclude  system-auth-ac_new
> sessionrequired pam_loginuid.so
>
> $ cat /etc/pam.d/system-auth-ac_new
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> authsufficientpam_sss.so
> authrequired  pam_env.so
> authsufficientpam_unix.so nullok try_first_pass
> authrequisite pam_succeed_if.so uid >= 500 quiet
> authrequired  pam_deny.so
>
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> #account required  pam_access.so
> account required  pam_unix.so broken_shadow
> account sufficientpam_localuser.so
> account sufficientpam_succeed_if.so uid < 500 quiet
> account required  pam_permit.so
>
> passwordsufficientpam_sss.so use_authtok
> passwordrequisite pam_cracklib.so try_first_pass retry=3 type=
> passwordsufficientpam_unix.so sha512 shadow nullok try_first_pass
> use_authtok
> passwordrequired  pam_deny.so
>
> session optional  pam_sss.so
> session optional  pam_keyinit.so revoke
> session required  pam_limits.so
> session optional  pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required  pam_unix.so
>
> On 10/26/2017 07:34 PM, Asif Iqbal wrote:
>
> With pam_securid.so
>
> I can on /etc/pam.d/sshd
>
>auth sufficient pam_securid.so
>
> and at ssh login, I just put PIN at Password: prompt and then I get Enter
> SMS Token: prompt and I can then put the
> tokencode and I can ssh into the server fine.
>
> If I do the same with pam_sss.so it keeps asking for Password: and never
> changes the prompt to Enter SMS Token: and ssh fails badly.
> At this second Password: prompt I tried with just tokencode (at 18:45:34
> in log below) or PIN and tokencode (at 18:47:55). Neither let
> me in and failed eventually.
>
> I think it is because pam_sss -> proxy -> securid -> pam_securd is failing
> to handle PAM conversation?
>
> Is there a way to fix that to so pam_sss to behave the right way and let
> authenticate in two steps with PIN and then TokenCode on next step?
>
> Also without this PAM conversation, when the PIN expires it will not let
> you update it. With simple pam.d/sshd and auth sufficient pam_securid.so
> that works very well as well.
>
> I have sssd.conf setup like this
>auth_server = proxy
>proxy_target_pam = securid
>
> And in pam.d/securid file
>   auth sufficient pam_securid.so
>
> Here are some log http://dpaste.com/2HD27XH.txt where
>I tried with PIN at first Password: prompt and then TokenCode at second
> Password: prompt at 18:45:34 and failed to login
> And
>I tried with PIN at first Password: prompt and then PIN and TokenCode
> at second Password: prompt at 18:47:55 and failed to login
>
> I tried with SElinux off and on and same result
>
> If I put PIN and TokenCode at the first Password: prompt, login works fine
> . I did not put any log for that here.
>
> Any suggestion how to fix pam_sss for OTP?
>
> Thanks!
>
>
>
>
>
>
>
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read

[SSSD-users] Re: sssd with OTP does not work in all cases.

2017-10-26 Thread Mario Rossi



My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your 
users, the easiest would be to configure sd_pam.conf to use a different 
prompt for RSA.


$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :

Now back to your question, I believe you need to define a new 
system-auth file to be used, in my case
system-auth-ac_new with custom pam config. This is a working rsa + sssd 
(openldap ) setup, I am not sure about proxy as I haven't used it before.



$ cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securid.so reserve
auth   include  system-auth-ac_new
account    required pam_nologin.so
account    include  system-auth-ac_new
password   include  system-auth-ac_new
session    optional pam_keyinit.so force revoke
session    include  system-auth-ac_new
session    required pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth    sufficient    pam_sss.so
auth    required  pam_env.so
auth    sufficient    pam_unix.so nullok try_first_pass
auth    requisite pam_succeed_if.so uid >= 500 quiet
auth    required  pam_deny.so

account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account required  pam_access.so
account required  pam_unix.so broken_shadow
account sufficient    pam_localuser.so
account sufficient    pam_succeed_if.so uid < 500 quiet
account required  pam_permit.so

password    sufficient    pam_sss.so use_authtok
password    requisite pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok 
try_first_pass use_authtok

password    required  pam_deny.so

session optional  pam_sss.so
session optional  pam_keyinit.so revoke
session required  pam_limits.so
session optional  pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in 
crond quiet use_uid

session required  pam_unix.so

On 10/26/2017 07:34 PM, Asif Iqbal wrote:

With pam_securid.so

I can on /etc/pam.d/sshd

   auth sufficient pam_securid.so

and at ssh login, I just put PIN at Password: prompt and then I get 
Enter SMS Token: prompt and I can then put the

tokencode and I can ssh into the server fine.

If I do the same with pam_sss.so it keeps asking for Password: and 
never changes the prompt to Enter SMS Token: and ssh fails badly.
At this second Password: prompt I tried with just tokencode (at 
18:45:34 in log below) or PIN and tokencode (at 18:47:55). Neither let

me in and failed eventually.

I think it is because pam_sss -> proxy -> securid -> pam_securd is 
failing to handle PAM conversation?


Is there a way to fix that to so pam_sss to behave the right way and 
let authenticate in two steps with PIN and then TokenCode on next step?


Also without this PAM conversation, when the PIN expires it will not 
let you update it. With simple pam.d/sshd and auth sufficient 
pam_securid.so

that works very well as well.

I have sssd.conf setup like this
   auth_server = proxy
   proxy_target_pam = securid

And in pam.d/securid file
  auth sufficient pam_securid.so

Here are some log http://dpaste.com/2HD27XH.txt where
   I tried with PIN at first Password: prompt and then TokenCode at 
second Password: prompt at 18:45:34 and failed to login

And
   I tried with PIN at first Password: prompt and then PIN and 
TokenCode at second Password: prompt at 18:47:55 and failed to login


I tried with SElinux off and on and same result

If I put PIN and TokenCode at the first Password: prompt, login works 
fine . I did not put any log for that here.


Any suggestion how to fix pam_sss for OTP?

Thanks!







--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

[SSSD-users] Re: sssd with OTP does not work in all cases.

7 matches

Site Navigation

Mail list logo

Footer information