I decided to use PrivacyIDEA to enforce security on my hobby server. Specifically, I want to have a 2nd factor (email or SMS) sent when I (or someone else…) try to log on SSH or su as root…
Obviously, I don’t have any RADIUS or AD and I only have “local” /etc/passwd authentication… and I don’t want PrivacyIDEA to manage that first authentication.
My main use case is: log on the server / enter “local” password / be prompted for OTP code / receive OTP code by mail or SMS (or maybe both? I don’t see that possible… but maybe I didn’t look enough) / enter OTP code
I managed to install the agent on the server and update the common-auth-pi with:
auth [success=ignore default=1] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_python.so /etc/privateidea/privateidea_pam.py \
    url=https://monserveur realm=monrealm
auth requisite pam_deny.so
auth required pam_permit.so
However, when I try to login:
- I’m prompted for my local password => OK
- I’m prompted for an OTP PIN (“Your OTP”) => That’s the problem
- I’m prompted for the OTP Code that I received => OK
Actually, I don’t set any OTP PIN on my tokens. I don’t see the point for MY specific use case (I’m sure it’s important in other use cases)
So, at step 2, I just hit enter (empty OTP PIN) and everything goes smooth
But I was wondering if it would be possible to just disable the OTP PIN and send the email directly?
I configured the “otppin=none” policy but it doesn’t seem to be useful for my use case: the OTP PIN prompt still shows
I looked at the privacyidea_pam.py source code and found that the only way to disable that OTP PIN would be to use try_first_pass, but that wouldn’t work in my case because it would send my local password as a password for privacyIDEA and wouldn’t work either (I don’t synchronise local passwords and privacyIDEA passwords)
Did I miss something?
Right now, it seems to me that I would need to add some “no_otppin” configuration flag for privacyidea_pam.py and patch the script to manage it (sending automatically an empty password in the first message to trigger the email sending)
Do you see another way to do it?
Thanks a lot
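The two-step exchange the post wants PAM to drive (empty password to trigger the email/SMS challenge, then the received OTP bound to the transaction), as an added example that is not part of the original post or of privacyIDEA's own privacyidea_pam.py. It talks to the /validate/check endpoint; the server base URL, user and realm are assumptions, and the HTTP transport is injected so the flow can be exercised offline against the constructed stand-in server at the bottom.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Optional

Transport = Callable[[str, dict], dict]  # (url, form fields) -> parsed JSON reply


def http_post(url: str, fields: dict) -> dict:
    """Default transport: POST form-encoded fields to privacyIDEA, parse JSON."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def trigger_challenge(base_url: str, user: str, realm: str,
                      post: Transport = http_post) -> Optional[str]:
    """Step 1: with otppin=none and no PIN on the token, an empty 'pass'
    matches the PIN and makes privacyIDEA send the challenge (email/SMS).
    Returns the transaction_id, or None if no challenge was issued."""
    reply = post(base_url + "/validate/check",
                 {"user": user, "realm": realm, "pass": ""})
    if not reply.get("result", {}).get("status"):
        return None
    return reply.get("detail", {}).get("transaction_id")


def verify_otp(base_url: str, user: str, realm: str, transaction_id: str,
               otp: str, post: Transport = http_post) -> bool:
    """Step 2: send the OTP the user received, bound to the transaction."""
    reply = post(base_url + "/validate/check",
                 {"user": user, "realm": realm, "pass": otp,
                  "transaction_id": transaction_id})
    result = reply.get("result", {})
    return bool(result.get("status")) and result.get("value") is True


def fake_privacyidea(expected_otp: str = "123456") -> Transport:
    """Constructed stand-in (assumption, not a real server) that mimics the
    JSON shapes /validate/check returns for a challenge-response token."""
    txid = "txid-constructed-001"

    def post(url: str, fields: dict) -> dict:
        if fields.get("pass") == "" and "transaction_id" not in fields:
            return {"result": {"status": True, "value": False},
                    "detail": {"transaction_id": txid,
                               "message": "enter the OTP you received"}}
        ok = fields.get("transaction_id") == txid and fields.get("pass") == expected_otp
        return {"result": {"status": True, "value": ok}}
    return post
```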