Hi Keef,
Hi Again,
Yesterday I decided to try switching OS from Centos to Ubuntu to see
if I could get Freeradius / PrivacyIDEA Perl Module to work on a
different OS and it does !!!
We had a similar issue getting the PrivacyIDEA Server/App to work on
Centos and ended up switching to Ubuntu so I can’t see us switching
back to Centos at least for anything PrivacyIDEA related.
There are a few issues that I need to sort out but so far I have
managed to get one of our Centos servers to authenticate using a HOTP
token !!! :>)
The two issues that are left are as follows, if you think we should
raise these separately then just say.
- We get the following error in the output from “radiusd -X” and am
not sure if it’s a real issue or not but I couldn’t find any
documentation about it as I am not sure where to look?
rlm_perl: ERROR: Failed to create pair privacyIDEA-Serial =
OATH000XXXXXX
You need to add additional RADIUS Value Pairs.
Create a file /etc/[radiusd|freeradius]/dictionary.netknights
with the following content:
–snip–
VENDOR NetKnights 44929
# Backwards compatibility.
BEGIN-VENDOR NetKnights
ATTRIBUTE privacyIDEA-Serial 1 string
ATTRIBUTE privacyIDEA-Realm 2 string
ATTRIBUTE privacyIDEA-Resolver 3 string
END-VENDOR NetKnights
–snap–
In your dictionary file do
$INCLUDE dictionary.netknights
- The second issue is that we want to use TFA to log into our servers
through a web remote desktop gateway called guacamole
(http://guac-dev.org/). As we’ve got SSH Radius authentication working
we’re now trying to get a SSH Terminal through
guacamole to a server but the login process is hanging and we’re not
sure why. Below is output of /var/log/messages from the server that we
were trying to log into. It seems like the problem is that it’s trying
to log in twice which broke the otp policy we think.
Jan 14 11:23:01 Xserver sshd[9084]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned -1475868288.
Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from
192.168.XX.6 port 33244 ssh2
Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session
opened for user keith by (uid=0)
Jan 14 11:23:07 Xserver sshd[9088]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned 1080871296.
Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for
user (keith)
Jan 14 11:23:08 Xserver sshd[9088]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=guacamole.XXXXXXXXXXXXXXXXXXXX user=keith
Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from
192.168.XX.6 port 33245 ssh2
Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6
This does not sound good.
I heard this from another Remote-X-Server Vendor, that authentication
checks the password twice for some reason. (Design flaw?)
So at the moment there is no easy solution to this.
Way to go would be:
Dig into the guacamole (hm, yummy) and see and understand why this
happens. (maybe there could be some PAM voodoo)
At this point I can not tell anything more…
This is an old discussion, but I really do not like to break the sense
of one time passwords and allow a one time password to be used twice.
Kind regards
Cornelius

On Thursday, 14.01.2016, 06:27 -0800, Keef wrote:
Thanks for all your help.
Keith
–
You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/9e85a3eb-7a8c-48aa-b65e-97ebc754aa52%40googlegroups.com.
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
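A small detector for the double-submission pattern visible in the /var/log/messages excerpt above, added here as an example and not code from the thread or from privacyIDEA: it parses sshd "Accepted"/"Failed password" lines and flags a second attempt for the same user and source host on a new connection shortly after an accepted login, which with OTP is a replayed one-time value being rejected. The sample log lines are constructed from the excerpt with placeholder hostnames and addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the sshd lines in the mail above; host and
# addresses are placeholders, not real systems.
SAMPLE_LOG = """\
Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from 192.168.0.6 port 33244 ssh2
Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session opened for user keith by (uid=0)
Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for user (keith)
Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from 192.168.0.6 port 33245 ssh2
Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.0.6
Jan 14 11:40:00 Xserver sshd[9200]: Accepted password for alice from 192.168.0.9 port 40000 ssh2
"""

# Only the final password outcome lines carry user, source and connection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_events(log_text, year=2016):
    """Return (timestamp, pid, result, user, ip, port) tuples for sshd password outcomes.
    Syslog lines carry no year, so one is assumed (the mail is from January 2016)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # PAM debug, session and connection-closed lines are not auth outcomes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["result"], m["user"], m["ip"], int(m["port"])))
    return events

def find_otp_replays(events, window_seconds=30):
    """Flag a password attempt for the same user from the same source on a
    different sshd connection within window_seconds of an Accepted login.
    With OTP the first submission consumes the one-time value, so the second
    attempt fails: exactly the guacamole symptom in the log above."""
    by_key = defaultdict(list)
    for ev in sorted(events):
        by_key[(ev[3], ev[4])].append(ev)
    findings = []
    for (user, ip), evs in by_key.items():
        for i, first in enumerate(evs):
            if first[2] != "Accepted":
                continue
            for second in evs[i + 1:]:
                gap = (second[0] - first[0]).total_seconds()
                if second[1] != first[1] and second[5] != first[5] and gap <= window_seconds:
                    findings.append({"user": user, "ip": ip,
                                     "seconds_after_accept": gap, "second_result": second[2]})
    return findings
```

Run it over a real auth log to confirm whether every hanging guacamole login produces the same Accepted-then-Failed pair; a gateway that submits credentials once will produce no finding.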