Hi all,
I need to add the 2nd factor check after the 1st factor login returns OK. I installed pam_python.so and from debug logs I can see that it calls the module privacyidea_pam.py. The problem is that this module runs without prompting for the OTP, sending the username and I dunno what else to the privacyIDEA URL.
In the audit section of privacyIDEA GUI, I can see the POST action with /validate/check resulting in a failure with “wrong otp pin” status (of course, since privacyidea_pam.py does not ask for the otp).
I tried with python2.7 and python3.6. The result is the same.
Any hint?
Some “masqueraded” config files and debug log follow
~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth substack password-auth debug
auth optional pam_python.so /usr/lib/python2.7/site-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py cacerts=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem url=https://myPI debug=true realm=myRealm prompt="Insert OTP :"
sshd[16284]: debug3: PAM: sshpam_passwd_conv called with 1 messages
sshd[16284]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.X.X.X user=enrico
sshd[16284]: debug3: PAM: sshpam_passwd_conv called with 1 messages
sshd[16284]: offline check returned: False, None
sshd[16284]: Authenticating enrico against https://myPI
sshd[16284]: requests > 1.0
sshd[16284]: privacyidea_pam: result: {u'status': True, u'authentication': u'REJECT', u'value': False}
sshd[16284]: privacyidea_pam: detail: {u'message': u'wrong otp pin', u'threadid': 140481569601280}
sshd[16284]: debug1: PAM: password authentication accepted for enrico
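Added example, not part of the post above and not code from the privacyidea_pam project: a small Python 3 module that shows how the `result`/`detail` JSON that /validate/check returns (the two dicts visible in the `privacyidea_pam:` log lines) maps to an accept/reject decision, and how a caller should refuse to send an empty OTP in the first place, which is exactly the situation the log shows. The sample replies are constructed from the log lines; the success and error replies, the `check_otp`/`interpret` function names, and the injectable `post` callable are assumptions made here so the code runs offline. The `user`, `pass` and `realm` parameters and the `/validate/check` path are privacyIDEA's real API; the CA bundle path is the one from the pam.d line.

```python
"""Interpret privacyIDEA /validate/check replies and guard against empty OTPs."""
from typing import Callable, Dict, Tuple

# Constructed sample: the reply behind the "result:"/"detail:" log lines above.
# The OTP field was empty because nothing prompted for it, hence "wrong otp pin".
REJECTED = {
    "result": {"status": True, "authentication": "REJECT", "value": False},
    "detail": {"message": "wrong otp pin", "threadid": 140481569601280},
}
# Constructed sample of a successful check (same shape, value True).
ACCEPTED = {
    "result": {"status": True, "authentication": "ACCEPT", "value": True},
    "detail": {"message": "matching 1 tokens", "serial": "TOTP0000ABCD"},
}
# Constructed sample of a request the server could not process at all
# (status False; the reason lives under result.error, not detail.message).
SERVER_ERROR = {
    "result": {"status": False, "error": {"code": 4031, "message": "Authentication failure."}},
}

PostFn = Callable[[str, Dict[str, str]], dict]


def interpret(reply: dict) -> Tuple[bool, str]:
    """Return (authenticated, message).

    result.status False means the server rejected or failed the request itself;
    treat that as not authenticated and surface result.error.message.
    Otherwise result.value carries the verdict and detail.message the reason.
    """
    result = reply.get("result", {})
    if not result.get("status", False):
        err = result.get("error", {}).get("message", "server error")
        return False, err
    authenticated = bool(result.get("value", False))
    message = reply.get("detail", {}).get("message", "")
    return authenticated, message


def check_otp(url: str, user: str, otp: str, realm: str, post: PostFn) -> Tuple[bool, str]:
    """POST user/pass/realm to <url>/validate/check through `post` and interpret.

    `post(url, params) -> dict` is injected so the logic can be exercised without
    a network; `requests_post` below is the real transport.  An empty OTP is
    refused locally: sending it would only produce the "wrong otp pin" reject
    seen in the log and an audit entry for a request that could never succeed.
    """
    if not otp:
        return False, "no OTP supplied"
    params = {"user": user, "pass": otp, "realm": realm}
    return interpret(post(url.rstrip("/") + "/validate/check", params))


def requests_post(url: str, params: Dict[str, str]) -> dict:
    """Real transport using `requests`; verifies the server against the CA bundle
    named in the pam.d line above and fails closed on any transport error."""
    import requests  # imported here so the rest of the module runs without it
    resp = requests.post(
        url,
        data=params,
        verify="/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
        timeout=10,
    )
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    # Offline run over the constructed replies; swap the lambda for requests_post
    # to talk to a real https://myPI instance.
    print(check_otp("https://myPI", "enrico", "", "myRealm", lambda u, p: REJECTED))
    print(check_otp("https://myPI", "enrico", "123456", "myRealm", lambda u, p: ACCEPTED))
    print(interpret(SERVER_ERROR))
```

The point of the guard is visible in the audit log of the post: a module that forwards whatever token the first factor left behind, or nothing at all, will always be answered with "wrong otp pin". Checking that an OTP was actually obtained from the user before the POST turns that into a clear local failure, and `interpret` keeps the two failure classes (server `status` false versus a genuine `value` false) apart so they can be logged differently.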