I am using CentOS 7. What are you using for your auth_provider?

Here is my config today. Once it is working I will make sure puppet keeps it in line and restores it if it gets overwritten by authconfig. But first I need to make sure it is working, which is not the case today.

$ cat /etc/sssd/sssd.conf
...
auth_provider = proxy
proxy_pam_target = securid
...

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_exec.so /usr/local/bin/apply-quota.sh
#session   optional     pam_exec.so log=/tmp/pam_exec.log /usr/local/bin/ipsystems.sh
session    optional     pam_exec.so /usr/local/bin/ipsystems.sh
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 999 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

$ cat /etc/pam.d/securid
auth sufficient pam_radius_auth.so

There is no reserve option for pam_radius_auth. I am using pam_radius_auth to connect to my RSA SecurID server and it has been working on all my Solaris, Ubuntu and CentOS hosts for the last 15+ years. These are the only options available:
https://github.com/FreeRADIUS/pam_radius/blob/master/USAGE

On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi <mro...@hostopia.com> wrote:
> What OS are you using? I am using CentOS 6 with RSA (fixed password + PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for RSA and one for LDAP. If you need to ONLY use RSA with account lookup from sssd/ldap, then you have to comment out the auth line related to system-auth-ac in /etc/pam.d/sshd. You also have to be careful about the umask you are using; make sure file perms are set to 0644. Also, if you run authconfig to manage /etc/pam.d, your files may be overwritten, so you may need to import the custom settings into your deployment system, i.e. puppet/ansible.
>
> Have you set ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config?
>
> Example of a system that uses RSA for sshd, so you get *only one* password prompt:
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       required     pam_securid.so reserve
> #auth      include      system-auth-ac
> account    required     pam_nologin.so
> account    include      system-auth-ac
> password   include      system-auth-ac
> session    optional     pam_keyinit.so force revoke
> session    include      system-auth-ac
> session    required     pam_loginuid.so
>
> $ cat /etc/pam.d/system-auth-ac
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
>
> On 10/27/2017 10:27 AM, Asif Iqbal wrote:
> > This setup also failed miserably, with the first two lines of pam.d/sshd like below
> >
> > auth required pam_securid.so
> > auth include system-auth-ac_new
> >
> > and using your pam.d/system-auth-ac_new.
> >
> > So it does give you the right prompt 'Enter SMS Token:' when I just put the PIN at the first login prompt. But after putting the SMS token at the next prompt it goes back to the Password: prompt again. Even worse, now it does not even work when giving both PIN and TokenCode at the first prompt either.
> >
> > Any other suggestion? Does anyone work with SSS and OTP at all?
> >
> > Seems like I should just not use sss, since OTP is a *must* requirement.
> >
> > On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi <mro...@hostopia.com> wrote:
> > > My 2c: having two 'Password:' prompts (RSA + sssd) will confuse your users; the easiest would be to configure sd_pam.conf to use a different prompt for RSA.
> > >
> > > $ egrep ^AUTH /etc/sd_pam.conf
> > > AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
> > > AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
> > > AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
> > > AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
> > >
> > > Now back to your question. I believe you need to define a new system-auth file to be used, in my case system-auth-ac_new with a custom pam config. This is a working rsa + sssd (openldap) setup; I am not sure about proxy as I haven't used it before.
> > >
> > > $ cat /etc/pam.d/sshd
> > > #%PAM-1.0
> > > auth       required     pam_securid.so reserve
> > > auth       include      system-auth-ac_new
> > > account    required     pam_nologin.so
> > > account    include      system-auth-ac_new
> > > password   include      system-auth-ac_new
> > > session    optional     pam_keyinit.so force revoke
> > > session    include      system-auth-ac_new
> > > session    required     pam_loginuid.so
> > >
> > > $ cat /etc/pam.d/system-auth-ac_new
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        sufficient    pam_sss.so
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        required      pam_deny.so
> > >
> > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> > > #account    required      pam_access.so
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_localuser.so
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     required      pam_permit.so
> > >
> > > password    sufficient    pam_sss.so use_authtok
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     optional      pam_sss.so
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_mkhomedir.so
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > >
> > > On 10/26/2017 07:34 PM, Asif Iqbal wrote:
> > > > With pam_securid.so I can have, in /etc/pam.d/sshd,
> > > >
> > > > auth sufficient pam_securid.so
> > > >
> > > > and at ssh login I just put the PIN at the Password: prompt, then I get the Enter SMS Token: prompt, I put in the tokencode, and I can ssh into the server fine.
> > > >
> > > > If I do the same with pam_sss.so it keeps asking for Password: and never changes the prompt to Enter SMS Token:, and ssh fails badly. At this second Password: prompt I tried with just the tokencode (at 18:45:34 in the log below) or PIN and tokencode (at 18:47:55). Neither let me in; both failed eventually.
> > > >
> > > > I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?
> > > >
> > > > Is there a way to fix that so pam_sss behaves the right way and lets me authenticate in two steps, with the PIN and then the TokenCode on the next step?
> > > >
> > > > Also, without this PAM conversation, when the PIN expires it will not let you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so that works very well as well.
> > > >
> > > > I have sssd.conf set up like this
> > > > auth_provider = proxy
> > > > proxy_pam_target = securid
> > > >
> > > > And in the pam.d/securid file
> > > > auth sufficient pam_securid.so
> > > >
> > > > Here are some logs http://dpaste.com/2HD27XH.txt where
> > > > I tried with the PIN at the first Password: prompt and then the TokenCode at the second Password: prompt at 18:45:34 and failed to login,
> > > > and
> > > > I tried with the PIN at the first Password: prompt and then PIN and TokenCode at the second Password: prompt at 18:47:55 and failed to login.
> > > >
> > > > I tried with SELinux off and on, same result.
> > > >
> > > > If I put PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.
> > > >
> > > > Any suggestion how to fix pam_sss for OTP?
> > > >
> > > > Thanks!
> > > >
> > > > --
> > > > Asif Iqbal
> > > > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > A: Because it messes up the order in which people normally read text.
> > > > Q: Why is top-posting such a bad thing?
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?

--
Asif Iqbal

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
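The whole thread turns on how the PAM auth stack is walked: which modules actually get a turn (each credential-taking module that is reached is a point where the user may be prompted), and whether the PIN -> token exchange happens directly against pam_securid/pam_radius_auth or behind sssd's proxy. The script below is an added example, not code from the thread, from sssd or from Linux-PAM. It models the control-flag semantics of pam.conf(5) (required, requisite, sufficient, optional, include, substack and the [value=action] form) and walks the pam.d files quoted above with caller-supplied module results; nothing loads a real module. Assumptions, all constructed for the example: the file bodies are the thread's auth lines with comments trimmed, postlogin is taken to have no auth lines, a directory (sssd) user is modelled by pam_localuser returning PAM_PERM_DENIED and pam_unix PAM_USER_UNKNOWN, pam_deny/pam_permit have fixed results, any other unlisted module is assumed to succeed, a substack's result joins the parent stack as if it were one required module, and a numeric jump action skips N modules without changing the stack status (both simplifications of the real dispatcher). It shows that with Mario's include commented out only pam_securid.so runs, that leaving the include in place also runs pam_unix.so and pam_sss.so after the token, and that in the CentOS 7 stack pam_unix.so is skipped for a directory user, so pam_sss.so (and thus the proxy) is the only credential-taking module the user ever talks to.

```python
"""Model of how Linux-PAM walks one management group (here the auth stack).

Added example, not code from the mailing-list thread, sssd or Linux-PAM.
Module results are supplied by the caller; no real PAM module is loaded.
"""
import re

SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# pam.conf(5): the keyword controls are shorthand for these action tables.
KEYWORD_ACTIONS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}
# Modules whose result never depends on the user; every other module the
# caller does not list is assumed to succeed (pam_env, pam_sepermit, ...).
FIXED_RESULTS = {"pam_deny.so": AUTH_ERR, "pam_permit.so": SUCCESS}

LINE_RE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text, mtype="auth"):
    """Return (control, actions, module_or_file) for one management group."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != mtype:
            continue
        control, target = m.group(2), m.group(3)
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORD_ACTIONS.get(control, {})   # include / substack
        entries.append((control, actions, target))
    return entries


def walk(stack, files, results, mtype="auth", called=None):
    """Evaluate `stack` (a key of `files`: pam.d name -> file body).

    `results` maps module name -> return code string such as "PAM_AUTH_ERR".
    Returns (final_status, modules_called_in_order).
    """
    called = [] if called is None else called
    impression, status = None, None            # None == _PAM_UNDEF
    entries = parse_stack(files[stack], mtype)
    i = 0
    while i < len(entries):
        control, actions, target = entries[i]
        i += 1
        if control == "include":
            entries[i:i] = parse_stack(files[target], mtype)   # splice in place
            continue
        if control == "substack":
            # done/die/jumps inside the substack end only the substack; its
            # result joins the parent like one 'required' module (simplified).
            retval, _ = walk(target, files, results, mtype, called)
            actions = KEYWORD_ACTIONS["required"]
        else:
            called.append(target)
            retval = results.get(target, FIXED_RESULTS.get(target, SUCCESS))
        key = retval[4:].lower()                     # PAM_AUTH_ERR -> auth_err
        action = actions.get(key, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # only override a stack that would still return success
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                                # a 'sufficient' success
        elif action in ("bad", "die"):
            if impression != "negative":             # first failure wins
                impression, status = "negative", retval
            if action == "die":
                break                                # a 'requisite' failure
        elif action == "reset":
            impression, status = None, None
        elif action.isdigit():
            i += int(action)   # jump: skip N modules, stack status left alone (simplified)
        # "ignore": the module result does not contribute
    if impression is None:
        status = PERM_DENIED   # nothing contributed: PAM refuses rather than grants
    return status, called


# pam.d auth lines quoted in the thread, constructed here with comments trimmed.
FILES = {
    "sshd-one-prompt": "auth required pam_securid.so reserve\n#auth include system-auth-ac\n",
    "sshd-two-prompts": "auth required pam_securid.so reserve\nauth include system-auth-ac\n",
    "system-auth-ac": """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
""",
    "sshd-c7": """
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
-auth optional pam_reauthorize.so prepare
""",
    "password-auth": """
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 999 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
""",
    "postlogin": "",   # assumed: no auth lines
}

# A directory (sssd) user: absent from /etc/passwd, so the local modules cannot vouch.
DIRECTORY_USER = {"pam_localuser.so": PERM_DENIED, "pam_unix.so": "PAM_USER_UNKNOWN"}


def scenario(stack, **overrides):
    """Walk `stack` for a directory user, overriding individual module results."""
    return walk(stack, FILES, {**DIRECTORY_USER, **overrides})


if __name__ == "__main__":
    for name, kw in [("sshd-one-prompt", {}),
                     ("sshd-two-prompts", {}),                    # token, then pam_unix/pam_sss also run
                     ("sshd-c7", {}),                             # proxy completed the passcode exchange
                     ("sshd-c7", {"pam_sss.so": AUTH_ERR})]:      # proxy could not finish PIN -> token
        status, called = scenario(name, **kw)
        print(f"{name:17} {status:16} calls: {' -> '.join(called)}")
```

To check a box of your own, paste its /etc/pam.d bodies into FILES and set the results you expect from each module; the order of `called` tells you which module owns each prompt the user sees, and the final status tells you whether pam_deny or a stray optional line decides the outcome.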