Disable PAM Agent prompt when OTP PIN is empty?


I decided to use PrivacyIDEA to enforce security on my hobby server. Specifically, I want to have a 2nd factor (email or SMS) sent when I (or someone else…) try to log on over SSH or su as root…
Obviously, I don’t have any RADIUS or AD and I only have “local” /etc/passwd authentication… and I don’t want PrivacyIDEA to manage that first authentication.

My main use case is: log on to the server / enter the “local” password / get prompted for the OTP code / receive the OTP code by mail or SMS (or maybe both? I don’t see how that’s possible… but maybe I didn’t look hard enough) / enter the OTP code

I managed to install the agent on the server and update the common-auth-pi with:

auth    [success=ignore default=1]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_python.so /etc/privateidea/privateidea_pam.py \
                                                      url=https://monserveur realm=monrealm
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

However, when I try to login:

  1. I’m prompted for my local password => OK
  2. I’m prompted for an OTP PIN (“Your OTP”) => That’s the problem
  3. I’m prompted for the OTP Code that I received => OK

Actually, I don’t set any OTP PIN on my tokens. I don’t see the point for MY specific use case (I’m sure it’s important in other use cases).
So, at step 2, I just hit Enter (empty OTP PIN) and everything goes smoothly.
But I was wondering if it would be possible to just disable the OTP PIN and send the email directly?

I configured the “otppin=none” policy but it doesn’t seem to be useful for my use case: the OTP PIN still shows.

I looked at the privacyidea_pam.py source code and found that the only way to disable that OTP PIN would be to use try_first_pass, but that wouldn’t work in my case because it would send my local password as the password for privacyIDEA, and that wouldn’t work either (I don’t synchronise local passwords and privacyIDEA passwords).

Did I miss something ?

Right now, it seems to me that I would need to add some “no_otppin” configuration flag to privacyidea_pam.py and patch the script to handle it (automatically sending an empty password in the first message to trigger the email sending).

Do you see another way to do it ?

Thanks a lot

privacyIDEA needs something, i.e. the PIN to trigger the sending of an SMS/Email.
So you need to “talk” to privacyIDEA initially. This is when you hit the “empty Enter”. In this case an “empty OTP PIN” is sent to privacyIDEA. Since this is the correct PIN (empty), the SMS is triggered.

This would be the only way to achieve this, without allowing an empty PIN to trigger the SMS.

You are right. This would be a way to go. But after all: do you really want an “attacker” with access to the privacyIDEA API to be able to trigger an SMS?

Note: privacyIDEA allows triggering the SMS with an administrative account (to allow “empty PINs” but prevent an attacker from triggering SMS). But in this case you would have to heavily enhance the PAM module.

Hope this helps for background info/understanding.
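As an added, constructed illustration of the exchange the answer describes (not the project’s privacyidea_pam.py): step one sends the (empty) PIN that makes privacyIDEA send the SMS/e-mail and hand back a transaction_id, step two echoes that id together with the OTP. It assumes the /validate/check parameters and reply fields named in the docstring, and a fake server stands in for privacyIDEA so the flow runs offline; the fake’s sms_sent counter makes the answer’s caveat concrete, since every call carrying the correct (empty) PIN sends a message.

```python
"""Added illustration of the two-step exchange described in the thread (not
the project's privacyidea_pam.py). Assumed privacyIDEA API: POST /validate/check
with 'user', 'realm', 'pass', plus 'transaction_id' on the second step; the
reply is JSON with 'result.value' and 'detail.transaction_id'."""

def trigger_challenge(post, base_url, user, realm, pin=""):
    """Step 1: send the PIN (empty, as in the thread). A transaction_id back
    means the PIN was right and the SMS/e-mail went out; None: no challenge."""
    reply = post(base_url + "/validate/check",
                 {"user": user, "realm": realm, "pass": pin})
    return (reply.get("detail") or {}).get("transaction_id")

def verify_otp(post, base_url, user, realm, transaction_id, otp):
    """Step 2: echo the transaction_id together with the OTP received."""
    reply = post(base_url + "/validate/check",
                 {"user": user, "realm": realm, "pass": otp,
                  "transaction_id": transaction_id})
    return reply.get("result", {}).get("value") is True

def pam_style_login(post, base_url, user, realm, ask):
    """What a hypothetical 'no_otppin' option would do: send the empty PIN
    itself instead of prompting, then prompt only for the OTP via ask()."""
    txid = trigger_challenge(post, base_url, user, realm, pin="")
    if txid is None:
        return False
    return verify_otp(post, base_url, user, realm, txid, ask("Your OTP: "))

class FakePrivacyIDEA:
    """Constructed stand-in: user 'alice', empty PIN, SMS token whose next OTP
    is 123456. sms_sent shows that anyone reaching the API can trigger one."""
    def __init__(self):
        self.sms_sent = 0
        self.open = {}  # transaction_id -> OTP expected on step 2

    def __call__(self, url, params):
        fail = {"result": {"status": True, "value": False}}
        if not url.endswith("/validate/check") or params.get("user") != "alice":
            return fail
        txid = params.get("transaction_id")
        if txid is None:  # step 1: only the correct (empty) PIN opens a challenge
            if params.get("pass") != "":
                return fail
            self.sms_sent += 1
            txid = "tx-constructed-%d" % self.sms_sent
            self.open[txid] = "123456"
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": txid}}
        ok = self.open.pop(txid, None) == params.get("pass")  # single use
        return {"result": {"status": True, "value": ok}}
```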