Hello!
I have 2 CentOS 6 servers that I would like to install the PAM module on. I was able to build the PAM module. However, I do not see the pam-python module being used during authentication.
My PAM conf below:
auth requisite /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
This is included in the sshd PAM conf.
Since I also use LDAP for auth, I tried adding it just after, and also just before. When it's added before, I do get an error with invalid PIN, but I never get the PIN prompt.
Are there any CentOS 6-specific guides?
Just look into the corresponding log file. I am not sure how it is called on CentOS. Might be /var/log/auth.log.
The contents there are rather self-explanatory.
If you cannot make it out, please post the contents here.
You might also add some more information about what you are actually trying to achieve.
So just to be sure that the PAM module is being loaded, I intentionally changed the path of the privacyidea-pam.py file to a non-existent one, and I see the error in /var/log/secure about the bad file path.
However, when I change it back to what it should be, I don’t get the OTP prompt and I cannot log in.
The sshd PAM config file is as follows:
#%PAM-1.0
auth required pam_sepermit.so
#auth include ssh-password-auth
#auth include auth-otp
auth requisite /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://otp.mavericklabel.com nosslverify debug prompt=PIN
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include system-auth
session include password-auth
The password-auth file is as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
I have the debug flag in the OTP PAM config line. However, I do not see any debug information being passed to troubleshoot. I just get “password incorrect”.
You really should post some /var/log/secure here!
Some hints to analyze your problem:
- Do you see a login prompt “PIN”? This would be the login prompt you specified in the line with privacyidea_pam.py. If you do not see it, your PAM stack for some reason does not touch the privacyidea module.
- What do you see in /var/log/secure?
- Does any request arrive at your privacyIDEA system? Check the audit log!
My recommendation is to not change the basic structure of pam.d/sshd. I would NOT ADD a line with privacyidea_pam! I rather would:
- create a copy of the file password-auth and name it like privacyidea-auth.
- then I would change the line in sshd from “auth include password-auth” to “auth include privacyidea-auth”.
- In privacyidea-auth (being a copy of password-auth) I would change the line “auth sufficient pam_unix.so nullok try_first_pass” to a line with privacyidea_pam or add such a line there.
Do you have “UsePAM yes” in your /etc/ssh/sshd_config?
Does “password+OTP” at the password prompt work?
Do you have “ChallengeResponseAuthentication yes” in your /etc/ssh/sshd_config?
Shouldn’t you have something like:
auth [success=1 default=ignore] /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug
auth requisite pam_deny.so
Otherwise you’d need to succeed in pam_deny.so, which is impossible…
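As an added illustration of that last point (not code from this thread or from privacyIDEA), here is a small Python model of Linux-PAM auth-stack control flow, run over the three original lines and over the suggested [success=1 default=ignore] variant. Module outcomes are constructed inputs (only the control-flag semantics are modelled; include/substack lines are not handled), so it shows why the first stack can never grant access even with a correct OTP.

```python
import re
# Linux-PAM's documented expansion of the four keyword controls into actions.
KEYWORDS = {"required": {"success": "ok", "default": "bad"},
            "requisite": {"success": "ok", "default": "die"},
            "sufficient": {"success": "done", "default": "ignore"},
            "optional": {"success": "ok", "default": "ignore"}}
LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # group, control, module

def parse_stack(text, group="auth"):
    """[(control dict, module basename), ...] for one group; include/substack not handled."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != group:           # skips comments and other groups
            continue
        ctrl, module = m.group(2), m.group(3).rsplit("/", 1)[-1]
        if ctrl.startswith("["):                   # e.g. [success=1 default=ignore]
            ctrl = dict(kv.split("=", 1) for kv in ctrl[1:-1].split())
        else:
            ctrl = KEYWORDS[ctrl]
        stack.append((ctrl, module))
    return stack

def run_stack(stack, results):
    """Walk the stack; results maps module name -> True (pass) or False (fail)."""
    outcomes = {"pam_permit.so": True, "pam_deny.so": False, **results}
    passed, failed, i = False, False, 0
    while i < len(stack):
        ctrl, module = stack[i]
        i += 1
        ok = outcomes[module]                      # KeyError: module outcome not modelled
        action = ctrl.get("success" if ok else "auth_err", ctrl.get("default", "bad"))
        if action.isdigit():                       # "N": counts as ok, then skip N modules
            i += int(action)
            action = "ok"
        if action == "ok": passed = True
        elif action == "done": return not failed   # sufficient: stop, unless a prior failure
        elif action == "bad": failed = True
        elif action == "die": return False         # requisite: stop now with failure
    return passed and not failed

# Constructed stacks: the thread's three original lines, and the [success=1 default=ignore] fix.
ORIGINAL = """\
auth requisite /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug
auth requisite pam_deny.so
auth required pam_permit.so
"""
FIXED = ORIGINAL.replace("auth requisite /lib", "auth [success=1 default=ignore] /lib", 1)
def outcome(stack_text, otp_ok):  # True if auth is granted when privacyidea_pam.py returns otp_ok
    return run_stack(parse_stack(stack_text), {"pam_python.so": otp_ok})
```

With ORIGINAL the result is False whether or not the OTP is correct, because pam_deny.so is reached as requisite; with FIXED a correct OTP jumps over pam_deny.so and lands on pam_permit.so.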