Re: Re: Re: pam Module fails to authenticate against server?

Hi Jochen,
Thanks for pointing this out. Maybe Jojo can take a look at whether this can be integrated into the PI PAM module.
I do not like this a lot, since most of the U2F tokens are pre-seeded with a master key. This is why I personally do not like to use them.
Kind regards Cornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH http://NetKnights.it
+49 561 3166 797

iamohtep@gmail.com writes:

It would be great if the PAM Plugin could also handle U2F token
authentications.

There is a (small) pam-u2f module from yubico:

Not integrated into privacyidea, but it might give a hint how that could
be implemented.

I suppose it would also
really be beneficial if the privacyidea server itself has a 2FA mechanism
for user authentication using the WebUI.

That’s already possible with a webui policy: set login_mode to
‘privacyIDEA’. I use that for my admin realm (but not with U2F tokens).

Jochen

-------- Original Message --------
From: Jochen Hein jochen@jochen.org
Date: 07.04.17 06:23 (GMT+01:00)
To: iamohtep@gmail.com
Cc: privacyidea privacyidea@googlegroups.com
Subject: Re: [privacyidea] Re: pam Module fails to authenticate against server?


This space is intentionally left blank.


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to a topic in the Google Groups “privacyidea” group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/privacyidea/xF77-4xK0Xc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/83y3vcsv64.fsf%40jochen.org.
For more options, visit https://groups.google.com/d/optout.

Please try to understand the concept and workflow of challenge response tokens.
The great thing about privacyidea is that it is all open source and you can enhance it to your needs.
We are looking forward to your pull requests.
Kind regards Cornelius

Cornelius Kölbel +49 151 2960 1417
NetKnights GmbH http://NetKnights.it
+49 561 3166 797

-------- Original Message --------
From: iamohtep@gmail.com
Date: 07.04.17 12:01 (GMT+01:00)
To: privacyidea privacyidea@googlegroups.com
Subject: Re: [privacyidea] Re: pam Module fails to authenticate against server?

First of all, thanks, and your product has a lot of potential. With regards to the prompting… here is what I mean: the default prompt when you don't have the parameter “prompt=any_prompt_you_want” in the PAM module. The problem here is that it still shows the default prompt (which is “Your OTP: ”) even though I only have an SMS token.

On the Terminal:
ssh 2fauser@2fa-server.domain.de
Password:
Warning: Your password will expire in 176 days on Sun Oct 1 00:59:58 2017
Your OTP:
Enter the OTP from the SMS:

After I press the Return/Enter key without typing anything after “Your OTP:”, that is when “Enter the OTP from the SMS” is prompted. This part is a little

Here is my PAM config:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth requisite pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth required pam_permit.so

Tokens available and disabled: please see the attached photo.

If the user has several tokens, like HOTP or TOTP, the user simply uses one of his tokens, and privacyIDEA will realize which one it was.

This is what I am talking about… If the user has many available tokens, the module should be able to provide a handling option as to which token should be used. If, for example, userx forgot his mobile phone but has 3 available tokens, he can choose to use 1 of those and authenticate using the chosen token. This handling should be (in my opinion) provided upon the authentication request against the PI server.

Best regards,
Jojo
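To make the challenge-response workflow discussed in this thread concrete, here is an added Python example; it is not part of the thread and not code from the privacyIDEA project or its PAM module. It emulates the server side of /validate/check in memory (constructed users, PINs, OTPs and serials; a real deployment would call the privacyIDEA server over HTTPS) together with a PAM-style client that prompts with the text the server returns in detail.message rather than a fixed "Your OTP:", and that lists every token a challenge was sent for so the user can answer with whichever one is at hand. The function names, the fake data and the single-use handling of transaction ids are assumptions of this example.

```python
import uuid

# Constructed in-memory stand-in for privacyIDEA's /validate/check endpoint. It
# models the two-step challenge-response flow of an SMS/e-mail token:
#   step 1: user + PIN                  -> result.value False, detail.transaction_id,
#                                          detail.message (the text to prompt with)
#   step 2: user + OTP + transaction_id -> result.value True on a correct OTP
# Users, PINs, OTPs and serials below are constructed test data, not real accounts.
FAKE_USERS = {
    "2fauser": {
        "pin": "s3cret",
        "tokens": [
            {"serial": "SMS0001", "type": "sms",
             "message": "Enter the OTP from the SMS: ", "otp": "123456"},
            {"serial": "EMAIL001", "type": "email",
             "message": "Enter the OTP sent to your email: ", "otp": "654321"},
        ],
    },
    "jojo": {
        "pin": "pin2",
        "tokens": [
            {"serial": "SMS0002", "type": "sms",
             "message": "Enter the OTP from the SMS: ", "otp": "999999"},
        ],
    },
}
_open_transactions = {}  # transaction_id -> user; a challenge is single-use in this model


def _result(value):
    return {"result": {"status": True, "value": value}, "detail": {}}


def fake_validate_check(user, password, transaction_id=None):
    """Constructed model of POST /validate/check; returns a dict shaped like the JSON body."""
    acct = FAKE_USERS.get(user)
    if acct is None:
        return _result(False)
    if transaction_id is None:
        # Step 1: the PIN alone never authenticates; it only triggers challenges.
        if password != acct["pin"]:
            return _result(False)
        tid = uuid.uuid4().hex
        _open_transactions[tid] = user
        challenges = [{"serial": t["serial"], "type": t["type"],
                       "message": t["message"], "transaction_id": tid}
                      for t in acct["tokens"]]
        return {"result": {"status": True, "value": False},
                "detail": {"transaction_id": tid,
                           "message": ", ".join(c["message"] for c in challenges),
                           "multi_challenge": challenges}}
    # Step 2: the transaction must exist and belong to this user; it is consumed either way,
    # so a captured OTP cannot be replayed against the same challenge.
    if _open_transactions.pop(transaction_id, None) != user:
        return _result(False)
    return _result(any(password == t["otp"] for t in acct["tokens"]))


def build_prompt(challenges):
    """Derive the second prompt from the server's challenge(s) instead of a fixed 'Your OTP:'."""
    if len(challenges) == 1:
        return challenges[0]["message"]
    lines = [f"  {c['serial']} ({c['type']}): {c['message'].strip()}" for c in challenges]
    return ("Challenges were sent for several tokens; answer with the OTP of whichever one you have:\n"
            + "\n".join(lines) + "\nOTP: ")


def pam_like_auth(user, password, ask, validate=fake_validate_check):
    """What a PAM module does with the response; ask(prompt) stands in for the PAM conversation."""
    resp = validate(user, password)
    if resp["result"]["value"]:
        return True                      # single-step success, e.g. PIN+HOTP in one string
    detail = resp.get("detail") or {}
    if not detail.get("transaction_id"):
        return False                     # wrong PIN, or no challenge-response token enrolled
    challenges = detail.get("multi_challenge") or [detail]
    otp = ask(build_prompt(challenges))
    second = validate(user, otp, transaction_id=detail["transaction_id"])
    return bool(second["result"]["value"])


if __name__ == "__main__":
    print(pam_like_auth("jojo", "pin2", input))
```

Run directly, it prompts on the terminal for the constructed user jojo. Relative to the PAM stack quoted above, the point is that pam_python.so only sees success or failure from the module, so the choice of prompt has to be made inside the module from the server's response, as build_prompt does. The `nosslverify` option in that stack disables certificate checking for the call to the server; the second factor is only as trustworthy as that connection, so a production stack should verify the server certificate.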

To view this discussion on the web visit https://groups.google.com/d/msgid/privacyidea/c692ed8c-373a-4b46-b71f-6b56efa3cc76%40googlegroups.com.