What OS are you using ? I am using Centos 6 with RSA ( fixed password +
PIN ) + sssd/ldap auth , so yes, that does give you BOTH prompts, one
for RSA and one for LDAP. If you need to ONLY use RSA w account lookup
from sssd/ldap, then you have to comment out the auth line related to
system-auth-ac in /etc/pam.d/sshd. You also have to be careful what
umask are you using, make sure file perms is set to 0644 . Also if you
run authconfig to manage /etc/pam.d, your files may be overwritten, so
you may need to import custom setting into your deployment system i.e.
puppet/ansible.
Have you set *ChallengeResponseAuthentication* to yes in
/etc/ssh/sshd_config ?
Example of a system that uses RSA for sshd , so you get *only one*
password prompt:
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securid.so reserve
*#auth include system-auth-ac*
account required pam_nologin.so
account include system-auth-ac
password include system-auth-ac
session optional pam_keyinit.so force revoke
session include system-auth-ac
session required pam_loginuid.so
$ cat */etc/pam.d/system-auth-ac *
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
On 10/27/2017 10:27 AM, Asif Iqbal wrote:
This setup also failed miserably where pam.d/sshd first two lines like
below
auth required pam_securid.so
auth include system-auth-ac_new
And using your pam.d/system-auth-ac_new
So it does give you the right prompt 'Enter SMS Token:' when just put
PIN at first login prompt. But after putting SMS token on the next prompt
it goes back to Password: prompt again. Even worse is now it does not
even work with giving both PIN and TokenCode at the first prompt either.
Any other suggestion? Does anyone work with SSS and OTP at all?
Seems like I should just not use sss since OTP is a *must* requirement.
On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi <mro...@hostopia.com
<mailto:mro...@hostopia.com>> wrote:
My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse
your users, the easiest would be to configure sd_pam.conf to use a
different prompt for RSA.
$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password
for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
Now back to your question, I believe you need to define a new
system-auth file to be used, in my case
system-auth-ac_new with custom pam config. This is a working rsa +
sssd (openldap ) setup, I am not sure about proxy as I haven't
used it before.
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securid.so reserve
auth include system-auth-ac_new
account required pam_nologin.so
account include system-auth-ac_new
password include system-auth-ac_new
session optional pam_keyinit.so force revoke
session include system-auth-ac_new
session required pam_loginuid.so
$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient pam_sss.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password sufficient pam_sss.so use_authtok
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password required pam_deny.so
session optional pam_sss.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service
in crond quiet use_uid
session required pam_unix.so
On 10/26/2017 07:34 PM, Asif Iqbal wrote:
With pam_securid.so
I can on /etc/pam.d/sshd
auth sufficient pam_securid.so
and at ssh login, I just put PIN at Password: prompt and then I
get Enter SMS Token: prompt and I can then put the
tokencode and I can ssh into the server fine.
If I do the same with pam_sss.so it keeps asking for Password:
and never changes the prompt to Enter SMS Token: and ssh fails badly.
At this second Password: prompt I tried with just tokencode (at
18:45:34 in log below) or PIN and tokencode (at 18:47:55).
Neither let
me in and failed eventually.
I think it is because pam_sss -> proxy -> securid -> pam_securd
is failing to handle PAM conversation?
Is there a way to fix that to so pam_sss to behave the right way
and let authenticate in two steps with PIN and then TokenCode on
next step?
Also without this PAM conversation, when the PIN expires it will
not let you update it. With simple pam.d/sshd and auth sufficient
pam_securid.so
that works very well as well.
I have sssd.conf setup like this
auth_server = proxy
proxy_target_pam = securid
And in pam.d/securid file
auth sufficient pam_securid.so
Here are some log http://dpaste.com/2HD27XH.txt where
I tried with PIN at first Password: prompt and then TokenCode
at second Password: prompt at 18:45:34 and failed to login
And
I tried with PIN at first Password: prompt and then PIN and
TokenCode at second Password: prompt at 18:47:55 and failed to login
I tried with SElinux off and on and same result
If I put PIN and TokenCode at the first Password: prompt, login
works fine . I did not put any log for that here.
Any suggestion how to fix pam_sss for OTP?
Thanks!
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
sssd-users mailing list --sssd-users@lists.fedorahosted.org
<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email tosssd-users-le...@lists.fedorahosted.org
<mailto:sssd-users-le...@lists.fedorahosted.org>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu <http://pgp.mit.edu>
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
