Installation on CentOS 6


I have 2 CentOS 6 servers that I would like to install the PAM module on. I was able to build the PAM module. However, I do not see the pam-python module being used during authentication.

My PAM conf is below:

auth requisite /lib/security/ /lib/security/ url=https://myotp.domain nosslverify debug
auth requisite
auth required
auth optional

This is included in the sshd PAM conf.
Since I also use LDAP for auth, I tried adding it just after, and also just before. When it's added before, I do get an error with invalid PIN, but I never get the PIN prompt.

Are there any CentOS 6-specific guides?

Just look into the corresponding log file. I am not sure how it is called on CentOS. Might be /var/log/auth.log.
The contents there are rather self-explanatory.

If you cannot make it out, please post the contents here.
You might also add some more information about what you are actually trying to achieve.

So, just to be sure that the PAM module is being loaded, I intentionally changed the path of the file to a non-existent one, and I see the error in /var/log/secure about the bad file path.

However, when I change it back to what it should be, I don't get the OTP prompt and I cannot log in.

The sshd pam config file is as follows:

auth       required
#auth       include      ssh-password-auth
#auth       include     auth-otp
auth       requisite    /lib/security/ /lib/security/ url= nosslverify debug prompt=PIN
auth       include      password-auth
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
session    optional force revoke
session    include      system-auth
session    include      password-auth

The password-auth file is as follows:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3 type=
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     optional skel=/etc/skel umask=0022
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional

I have the debug flag in the OTP PAM config line. However, I do not see any debug information being passed to troubleshoot. I just get "password incorrect".

You really should post some /var/log/secure here!

Some hints to analyze your problem:

  1. Do you see a login prompt “PIN”? This would be the login prompt you specified in the line with If you do not see it, your pam stack for some reason does not touch the privacyidea module.

  2. What do you see in the /var/log/secure?

  3. Does any request arrive at your privacyIDEA system? Check the audit log!

My recommendation is to not change the basic structure of pam.d/sshd. I would NOT ADD a line with privacyidea_pam! I would rather:

  • create a copy of the file password-auth and name it like privacyidea-auth.
  • then I would change the line in sshd from
    “auth include password-auth” to “auth include privacyidea-auth”.
  • In privacyidea-auth (being a copy of password-auth) I would change the line
    “auth sufficient nullok try_first_pass” to a line with privacyidea_pam, or add such a line there.

Do you have “UsePAM yes” in your /etc/ssh/sshd_config?
Does “password+OTP” at the password prompt work?
Do you have “ChallengeResponseAuthentication yes” in your /etc/ssh/sshd_config?
Shouldn’t you have something like:

auth [success=1 default=ignore] /lib/security/ /lib/security/ url=https://myotp.domain nosslverify debug
auth requisite

Otherwise you’d need to succeed in - which is impossible…
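To make the difference between the two orderings in this thread concrete, here is an added example (my own code, not from the thread or from privacyIDEA) that simulates how Linux-PAM walks an auth stack with requisite, required, sufficient, optional and the bracketed [success=N default=ignore] form. The module names are placeholders: "otp" stands for the privacyidea_pam line, "always_fail" is assumed to be the requisite module on the line after it (the one you cannot succeed in), and "unix" stands for the password module.

```python
# Added example, not from the thread or privacyIDEA: simulates Linux-PAM "auth"
# control flags to compare the two orderings discussed. Placeholder modules:
# "otp" is the privacyidea_pam line, "always_fail" is ASSUMED to be the requisite
# module right after it (the one you "cannot succeed in"), "unix" is the password module.

def run_auth_stack(stack, outcomes):
    """Evaluate (control, module) entries top to bottom; outcomes maps module ->
    True (PAM_SUCCESS) / False. Handles required, requisite, sufficient, optional
    and [success=N default=ignore] (N counts as ok and skips the next N entries).
    Returns "success" or "fail(<module>)" naming the module that decided it."""
    status = None   # None: nothing has decided yet; else "success" or "fail(...)"
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok, failure = outcomes.get(module, False), f"fail({module})"
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control.strip("[]").split())
            action = actions.get("success" if ok else "default", "ignore")
            if action.isdigit():                      # jump: counts as ok, skip N
                status, i = status or "success", i + int(action)
            elif action == "ok":
                status = status or "success"
            elif action in ("bad", "die") and status in (None, "success"):
                status = failure
            if action == "die":                       # die: stop the stack now
                return status
            # "ignore": no contribution to the result
        elif control in ("required", "requisite"):
            if ok:
                status = status or "success"
            elif control == "requisite":              # fail right away
                return failure if status in (None, "success") else status
            elif status in (None, "success"):         # required: remember, go on
                status = failure
        elif control == "sufficient" and ok and status in (None, "success"):
            return "success"                          # optional entries never decide
        i += 1
    return status or "fail(no module decided)"

# Stack from the first post vs. the ordering proposed in the last reply.
OP_STACK = [("requisite", "otp"), ("requisite", "always_fail"), ("sufficient", "unix")]
SUGGESTED_STACK = [("[success=1 default=ignore]", "otp"),
                   ("requisite", "always_fail"), ("sufficient", "unix")]

def compare(otp_ok, password_ok):
    """Return (original result, suggested result) for one login attempt."""
    outcomes = {"otp": otp_ok, "always_fail": False, "unix": password_ok}
    return run_auth_stack(OP_STACK, outcomes), run_auth_stack(SUGGESTED_STACK, outcomes)
```

Note that in the suggested ordering a password failure after a successful OTP is still accepted while the password module stays "sufficient"; make that entry "required" if both factors must pass.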