Installation on Centos6

Hello!

I have 2 CentOS 6 servers that I would like to install the PAM module on. I was able to build the PAM module. However, I do not see the pam-python module being used during authentication.

my pam conf below:

auth requisite /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

This is included in the sshd pam conf
Since I also use LDAP for auth, I tried adding it just after, and also just before. When it's added before, I do get an error with invalid PIN, but I never get the PIN prompt.

Are there any CentOS 6-specific guides?

Just look into the corresponding log file. I am not sure how it is called on CentOS. Might be /var/log/auth.log.
The contents there are rather self-explanatory.

If you cannot make it out, please post the contents here.
You might also add some more information about what you are actually trying to achieve.

So just to be sure that the PAM module is being loaded, I intentionally changed the path of the privacyidea-pam.py file to a non-existent one and I see the error in /var/log/secure about the bad file path.

However, when I change it back to what it should be, I don't get the OTP prompt and I cannot login.

The sshd pam config file is as follows:

#%PAM-1.0
auth       required     pam_sepermit.so
#auth       include      ssh-password-auth
#auth       include     auth-otp
auth       requisite    /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://otp.mavericklabel.com nosslverify debug prompt=PIN
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      password-auth

The password-auth file is as follows:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0022
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

I have the debug flag in the OTP PAM config line. However, I do not see any debug information being passed to troubleshoot. I just get "password incorrect".

You really should post some /var/log/secure here!

Some hints to analyze your problem:

  1. Do you see a login prompt “PIN”? This would be the login prompt you specified in the line with privacyidea_pam.py. If you do not see it, your pam stack for some reason does not touch the privacyidea module.

  2. What do you see in the /var/log/secure?

  3. Does any request arrive at your privacyIDEA system? Check the audit log!

My recommendation is to not change the basic structure of pam.d/sshd. I would NOT ADD a line with privacyidea_pam! I rather would

  • create a copy of the file password-auth and name it like privacyidea-auth.
  • then I would change the line in sshd from
    “auth include password-auth” to “auth include privacyidea-auth”.
  • In privacyidea-auth (being a copy of password-auth) I would change the line
    “auth sufficient pam_unix.so nullok try_first_pass” to a line with privacyidea_pam or add such line there.

Do you have “UsePAM yes” in your /etc/ssh/sshd_config?
Does “password+OTP” at the password prompt work?
Do you have “ChallengeResponseAuthentication yes” in your /etc/ssh/sshd_config?
Shouldn’t you have something like:

auth [success=1 default=ignore] /lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug
auth requisite pam_deny.so

Otherwise you’d need to succeed in pam_deny.so - which is impossible…
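To see why the first stack posted above can never succeed, what the suggested "[success=1 default=ignore]" control changes, and what the suggested privacyidea-auth copy of password-auth does under different control flags, here is a small evaluator of Linux-PAM "auth" stack control semantics. It is an added example for this thread, not code from the thread or from privacyIDEA. The module return codes (privacyidea_pam.py, pam_unix.so, pam_ldap.so, pam_succeed_if.so) are assumptions supplied by the caller, the stack texts are transcribed from the posts above with the placeholder URL from the first post, and the control flag chosen for the privacyidea line in privacyidea_auth() is this example's parameter, not something the thread prescribes.

```python
# Added example, not part of this thread or of privacyIDEA: a minimal evaluator for
# Linux-PAM "auth" stack control flags. Module return codes are supplied by the
# caller as assumptions; nothing is authenticated for real.
import os

SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "success", "auth_err", "ignore", "perm_denied"

# Linux-PAM's documented expansion of the keyword controls (new_authtok_reqd omitted).
KEYWORDS = {
    "required":   {SUCCESS: "ok",   IGNORE: "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   IGNORE: "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "default": "ignore"},
}
# Modules whose result does not depend on the user's input (assumed for this model).
BUILTIN = {"pam_env.so": SUCCESS, "pam_sepermit.so": SUCCESS,
           "pam_permit.so": SUCCESS, "pam_deny.so": AUTH_ERR}

def parse_line(line):
    """One pam.d line -> ("include", file), (actions, module) or None."""
    body = line.split("#", 1)[0].strip()
    if not body.startswith("auth"):
        return None
    rest = body[4:].strip()
    if rest.startswith("["):                      # "[success=1 default=ignore]" form
        close = rest.index("]")
        actions = dict(p.split("=", 1) for p in rest[1:close].split())
        rest = rest[close + 1:].strip()
    else:
        control, rest = rest.split(None, 1)
        if control == "include":
            return ("include", rest.split()[0])
        actions = KEYWORDS[control]
    args = rest.split()
    name = os.path.basename(args[0])
    if name == "pam_python.so":                   # key pam_python lines by their script
        name = os.path.basename(args[1])
    return (actions, name)

def parse_stack(text, includes=None):
    """Flatten a file's auth lines; 'include' splices the named file inline."""
    stack = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == "include":
            stack.extend(parse_stack((includes or {})[parsed[1]], includes))
        elif parsed:
            stack.append(parsed)
    return stack

def evaluate(stack, results):
    """Walk the stack as Linux-PAM's dispatcher does; return (status, trace)."""
    retvals = {**BUILTIN, **results}
    impression, status, trace, i = None, PERM_DENIED, [], 0
    while i < len(stack):
        actions, name = stack[i]
        retval = retvals[name]
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append(f"{name}: {retval} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            # a positive result only counts while nothing has failed yet
            if impression is None or (impression == "pos" and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break
            if action.isdigit():                  # jump over the next N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "neg":               # the first failure fixes the status
                impression, status = "neg", retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        i += 1                                    # "ignore" just falls through
    return (status if impression is not None else PERM_DENIED), trace

def login(sshd_text, includes, results):
    """Final status of an sshd auth stack for the given per-module return codes."""
    return evaluate(parse_stack(sshd_text, includes), results)[0]

# Stacks transcribed from the thread (placeholder URL from the first post).
PI = "/lib/security/pam_python.so /lib/security/privacyidea_pam.py url=https://myotp.domain nosslverify debug"
FIRST_SSHD = f"auth requisite {PI}\nauth requisite pam_deny.so\nauth required pam_permit.so\n"
SUGGESTED_SSHD = FIRST_SSHD.replace("auth requisite", "auth [success=1 default=ignore]", 1)
UNIX_LINE = "auth        sufficient    pam_unix.so nullok try_first_pass"
PASSWORD_AUTH = f"""auth        required      pam_env.so
{UNIX_LINE}
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""
POSTED_SSHD = f"auth required pam_sepermit.so\nauth requisite {PI} prompt=PIN\nauth include password-auth\n"

def privacyidea_auth(control):
    """The suggested privacyidea-auth copy of password-auth, with pam_unix swapped for
    privacyidea_pam under the given control flag (the flag is this example's choice)."""
    return PASSWORD_AUTH.replace(UNIX_LINE, f"auth        {control}    {PI}")
```

Evaluated this way, the first stack returns auth_err even when privacyidea_pam.py succeeds, because "requisite pam_deny.so" is still reached, while "[success=1 default=ignore]" jumps over pam_deny on success and falls into it on failure. The same evaluator shows one thing to watch in the privacyidea-auth approach: if the privacyidea line takes over pam_unix's "sufficient" flag and the "sufficient pam_ldap.so" line stays, a failed OTP check maps to "ignore" and an LDAP user's password alone still yields success; "requisite" (or "required") on the privacyidea line removes that fallback. The model tracks control flow only and does not model which credential string each module receives through use_first_pass/try_first_pass, so the real stack still needs checking against /var/log/secure and the privacyIDEA audit log.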