PAM module fails to authenticate against server?

Hi,

I am trying to set up privacyidea as our 2FA authenticator but am having a
hard time with the PAM setup.

Here is our setup:

  • privacyidea installed on a server, it-2fa.ourdomain.de
  • it-2fa runs ubu16 xenial
  • Privacyidea already runs through apache2: https://it-2fa.ourdomain.de
  • for the authentication, I have krb5 doing it and LDAP as the resolver
  • as an example, I created a 2FA token using a test user's credentials
    'it-user-x' + PW, which can be found in our LDAP user DB. It was successfully
    authenticated against the krb5 server.
  • the main point of this is setting up privacyidea to accept OTP, U2F
    or any available token for the second-factor authentication after doing the
    first SSH authentication using PAM.

PROBLEM:

  • It seems to have a problem authenticating and I have no clue what the log
    is telling me.

Apr 4 16:30:59 it-2fa sshd[13778]: pam_krb5(sshd:auth): user it-user-x authenticated as it-user-x@OURDOMAIN.DE
Apr 4 16:30:59 it-2fa sshd: Authenticating it-user-x against https://it-2fa.ourdomain.de
Apr 4 16:30:59 16525 sshd: requests > 1.0
Apr 4 16:30:59 it-2fa sshd: privacyidea_pam: result: {u'status': True, u'value': False}
Apr 4 16:30:59 it-2fa sshd: privacyidea_pam: detail: {u'message': u'wrong otp pin', u'threadid': 140130433734400}
Apr 4 16:30:59 it-2fa sshd[13778]: Failed password for it-user-x from 131.x.x.x port 51616 ssh2
Apr 4 16:31:30 it-2fa sshd[13778]: Connection closed by 131.x.x.x port 51616 [preauth]

my common-auth PAM is as follows:

auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug
auth required pam_permit.so

Could you please help me with this?

Best Regards,
Jojo

Here is another log. It seems to see the serial of the token but does not
authenticate? When I try it with the WebGUI OTP test button it authenticates
successfully.

Apr 5 12:37:08 it-2fa sshd: requests > 1.0
Apr 5 12:37:08 it-2fa sshd: privacyidea_pam: result: {u'status': True, u'value': False}
Apr 5 12:37:08 it-2fa sshd: privacyidea_pam: detail: {u'message': u'wrong otp value', u'type': u'totp', u'serial': u'TOTP0001D001', u'otplen': 6, u'threadid': 140671260854016}
Apr 5 12:37:08 it-2fa sshd[4271]: error: PAM: Authentication failure for admin2fa from 131.x.x.x
Apr 5 12:37:08 it-2fa sshd[4271]: Postponed keyboard-interactive for admin2fa from 131.x.x.x port 56632 ssh2 [preauth]

Sorry for flooding, I got it working. I really forgot that the PIN also has to be
typed! Before, I had set the PIN to 'test' and that's the reason for the failed
"wrong OTP" output in the logs. Now I set no password and it works!

Another thing to be implemented is this scenario:

  • user-x has 2 tokens (TOTP and U2F)
  • the 2FA should be used when SSH-ing to a machine.
  • example: ssh user-x@machine.domain.de
  • the PAM plugin should be able to select which token is to be used after
    the 1st authentication. So the flow would be username+password -> select
    token to be used (since the user has 2 tokens) -> authenticate using the
    selected token -> session.

Is this possible with the PAM plugin?

Thanks so much in advance!

-Jojo

Hi,

I've checked the OTP with testOTP and it authenticates successfully (see
attached). Am I missing something? I've changed the line to:

auth requisite pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug

yet I still have the same error in /var/log/auth.log :(

Regards,
Jojo

On Tuesday, April 4, 2017 at 4:52:04 PM UTC+2, iamo...@gmail.com wrote:


You cannot use the U2F token with privacyIDEA to do an SSH login.

If the user has several tokens, like HOTP or TOTP, the user simply uses
one of his tokens, and privacyIDEA will realize which one it was.

On Wednesday, 5 April 2017 15:04:28 UTC+2, iamohtep@gmail.com wrote:


It would be great if the PAM plugin could also handle U2F token
authentications. In my case, there should be other tokens available aside
from TOTP/HOTP, like U2F, email or SMS. I've tried two from the list (TOTP,
SMS) but it always prompts the first "Your OTP : ". It would be proper if
there were handling for the case where there are multiple tokens for the
authenticating user. I think that would be the option corresponding to
challenge-response under the policy authentication. Additionally, is it
possible to auto-enroll a default token through settings/policy/event
handlers, let's say an email token, if the user authenticates against the
privacyidea server WebUI for the first time and has no tokens available?
The reason for this is that if the user's PW gets compromised and is used
by the MITM to log into the privacyidea server using only
credentials/userstore account+PW, then creates another token or changes
current tokens, then the whole 2FA infrastructure or security flow of the
organization will also be not that effective. I suppose it would also
really be beneficial if the privacyidea server itself had a 2FA mechanism
for user authentication using the WebUI.

Or do you have an implementation for this?

Best regards,
Jojo Santos

On Thursday, April 6, 2017 at 6:11:45 PM UTC+2, Cornelius Kölbel wrote:


First of all, thanks, and your product has a lot of potential. With regards
to the prompting... What I mean here is the default prompt when you don't
have the parameter "prompt=any_prompt_you_want" in the PAM module. The
problem here is that it still prompts the default prompt (which is "Your
OTP: ") even though I only have an SMS token.

On the Terminal:
ssh 2fauser@2fa-server.domain.de
Password:
Warning: Your password will expire in 176 days on Sun Oct 1 00:59:58 2017
Your OTP:
Enter the OTP from the SMS:

After I press the Return key / Enter without typing anything after the "Your
OTP:", that is the time the "Enter the OTP from the SMS" is prompted. This
part is a little

Here is my PAM config:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
auth requisite pam_deny.so
auth requisite pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth required pam_permit.so

Tokens available and disabled - please see attached photo.

If the user has several tokens, like HOTP or TOTP, the user simply
uses one of his tokens, and privacyIDEA will realize which one it was.

This is what I am talking about... If the user has many available tokens,
the module should be able to provide a handling option as to which token
should be used. If, for example, userx forgot his mobile phone but has 3
available tokens, he can choose to use one of those and authenticate using
the chosen token. This handling should be (in my opinion) provided upon the
authentication request against the PI server.

Best regards,
Jojo
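The privacyidea_pam log lines in the first post ({'status': True, 'value': False} plus a detail message) and the two-prompt sequence in the terminal transcript above are both about how the PAM module reads the JSON that privacyIDEA's /validate/check endpoint returns. The following Python 3 code is an added example, not code from privacyidea_pam.py or from any post in this thread: it classifies such responses into accept, reject, challenge and error, and drives the prompt loop once against a constructed stand-in for the server. The two "reject" samples are copied from the logs in this thread; the accept, challenge and error responses, the transaction id tx-constructed-01 and the fake_sms_server function are constructed, and the assumption that a challenge-response answer carries detail.transaction_id and detail.message (and that the second call sends the transaction_id back) follows privacyIDEA's documented API rather than anything shown on this page.

```python
# Added example, not privacyidea_pam.py's own code: interpret the JSON that
# privacyIDEA's /validate/check endpoint returns, the way a PAM module must,
# and drive the prompt loop that produced the two prompts seen in this thread.
# Python 3; the logs in the thread show Python 2 reprs (u'...') of the same data.

# Copied from the privacyidea_pam log lines in this thread.
SAMPLE_WRONG_PIN = {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp pin", "threadid": 140130433734400}}
SAMPLE_WRONG_OTP = {"result": {"status": True, "value": False},
                    "detail": {"message": "wrong otp value", "type": "totp",
                               "serial": "TOTP0001D001", "otplen": 6,
                               "threadid": 140671260854016}}
# Constructed: a successful check.
SAMPLE_ACCEPT = {"result": {"status": True, "value": True},
                 "detail": {"message": "matching 1 tokens"}}
# Constructed: the challenge an SMS token triggers. The transaction_id/message
# fields follow privacyIDEA's documented challenge-response API (assumption);
# the id value is a placeholder, the prompt text is from the transcript above.
SAMPLE_SMS_CHALLENGE = {"result": {"status": True, "value": False},
                        "detail": {"transaction_id": "tx-constructed-01",
                                   "message": "Enter the OTP from the SMS:"}}
# Constructed: the request itself failed (status false).
SAMPLE_ERROR = {"result": {"status": False,
                           "error": {"message": "constructed error: user not found"}}}


def classify_response(resp):
    """Map a decoded /validate/check response to one of
    ("accept",), ("challenge", transaction_id, prompt), ("reject", msg), ("error", msg)."""
    result = resp.get("result") or {}
    detail = resp.get("detail") or {}
    if not result.get("status", False):
        # The request failed (unknown user, server error, ...): never success.
        err = result.get("error") or {}
        return ("error", err.get("message", "request failed"))
    if result.get("value") is True:
        return ("accept",)
    # status true / value false is either a plain failure or a pending
    # challenge that needs a second round trip carrying the transaction_id.
    if detail.get("transaction_id"):
        return ("challenge", detail["transaction_id"], detail.get("message", "Enter OTP:"))
    return ("reject", detail.get("message", "authentication failed"))


def next_request(user, typed, transaction_id=None):
    """Form fields for the next /validate/check call (user, pass and, when
    answering a challenge, the transaction_id the server handed out)."""
    fields = {"user": user, "pass": typed}
    if transaction_id:
        fields["transaction_id"] = transaction_id
    return fields


def fake_sms_server(fields):
    """Constructed stand-in for /validate/check for a user owning one SMS token
    (no PIN): an empty pass triggers the challenge, the right OTP sent with the
    transaction_id is accepted, anything else is rejected."""
    if fields.get("transaction_id") == "tx-constructed-01" and fields["pass"] == "123456":
        return SAMPLE_ACCEPT
    if fields["pass"] == "":
        return SAMPLE_SMS_CHALLENGE
    return SAMPLE_WRONG_OTP


def pam_conversation(user, answers, server):
    """Run the prompt/answer loop of a PAM module: 'answers' is what the user
    types at each successive prompt. Returns (verdict, prompts_shown)."""
    prompts = ["Your OTP:"]      # the module's generic first prompt
    transaction_id = None
    for typed in answers:
        verdict = classify_response(server(next_request(user, typed, transaction_id)))
        if verdict[0] == "challenge":
            transaction_id = verdict[1]
            prompts.append(verdict[2])   # re-prompt with the server's text
            continue
        return verdict[0], prompts
    return "reject", prompts         # answers ran out with a challenge pending


if __name__ == "__main__":
    for sample in (SAMPLE_WRONG_PIN, SAMPLE_WRONG_OTP, SAMPLE_ACCEPT, SAMPLE_ERROR):
        print(classify_response(sample))
    print(pam_conversation("2fauser", ["", "123456"], fake_sms_server))
```

Against the fake server, a user who presses Enter at the generic "Your OTP:" prompt and then types the SMS code is accepted after the second prompt, which is exactly the two-prompt sequence in the transcript above; a response with status false is reported as an error and is never treated as success, and running out of answers while a challenge is pending is a reject.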

iamohtep@gmail.com writes:

to the prompting... What I mean here is the default prompt when you don't
have the parameter "prompt=any_prompt_you_want" in the PAM module. The
problem here is that it still prompts the default prompt (which is "Your
OTP: ") even though I only have an SMS token.

On the Terminal:
ssh 2fauser@2fa-server.domain.de
Password:

Is this from pam_krb5?

Warning: Your password will expire in 176 days on Sun Oct 1 00:59:58 2017
Your OTP:

This is a prompt I know from my FreeIPA installation for a kinit as a
user that has a token/radius authentication assigned on older systems.
My best guess is some confusion in the pam/sshd configuration. Maybe
you should only use privacyidea in your pam configuration?

SSH/PAM can be configured very flexibly, but you need to think carefully
about the flow through the configuration.

First, have a look at /etc/ssh/sshd_config and AuthenticationMethods
(see the manual for details). I have:

Match Group otpusers
AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam

There are two possible paths to authentication defined for OTP users:

  1. Iff the user has a valid kerberos ticket, access is granted. No OTP,
    no password.
  2. Otherwise we need an ssh-key and refer to pam for authentication
    (here: an OTP).

In my /etc/pam.d/ssh I have before @common-auth:

auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
auth sufficient pam_yubico.so […]

So OTP users must provide their OTP. You can/will use privacyidea’s pam
module here, right?

I think you need to use pam/privacyidea instead of pam_krb5.

Jochen–
This space is intentionally left blank.

iamohtep@gmail.com writes:

It would be great if the PAM Plugin could also handle U2F token
authentications.

There is a (small) pam-u2f module from yubico:
GitHub - Yubico/pam-u2f: Pluggable Authentication Module (PAM) for U2F and FIDO2

Not integrated into privacyidea, but it might give a hint how that could
be implemented.

I suppose it would also
really be beneficial if the privacyidea server itself has a 2FA mechanism
for user authentication using the WebUI.

That’s already possible with a webui policy: set login_mode to
‘privacyIDEA’. I use that for my admin realm (but not with U2F tokens).

Jochen–
This space is intentionally left blank.

Hi Jochen,

unfortunately, the pam-u2f by Yubico doesn't support remote SSH. It
functions locally only... It does have a patch which enables this feature but
it is not integrated in the newest release of OpenSSH.

I've already tried this and I think this would not be our solution unless
OpenSSH integrates U2F authentication in the service.

Best regards,
Jojo

On Friday, April 7, 2017 at 6:23:23 AM UTC+2, Jochen Hein wrote:


Oh! BTW, you're right, it's a little redundant. I actually have this since I
was using a test machine with krb5 already configured through sssd and left
it that way. I changed it to:

auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=ok default=1] pam_sss.so use_first_pass
auth [success=1 default=ignore] pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth required pam_deny.so
auth required pam_permit.so

first auth to handle local accounts, second to handle accounts in the LDAP/krb5
environment.

On Saturday, April 8, 2017 at 7:19:00 AM UTC+2, Jochen Hein wrote:

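To see which module actually decides the outcome of the common-auth stack in the first post and of the revised stack above, here is an added example: a small Python 3 simulator of Linux-PAM auth-stack control flow. It is not Linux-PAM, not privacyidea and not code from anyone in this thread; it models only the control values used here ([success=N ...], [success=ok default=N], required, requisite, sufficient, optional), treats every module as returning either success or failure, and takes those results from the caller instead of running the real modules. The two stacks are embedded as constants with their wrapped lines joined. Run over the revised stack, a local account that pam_unix.so accepts jumps three entries ahead, lands on pam_permit.so and never reaches the privacyidea module, while an LDAP account accepted by pam_sss.so does go through it.

```python
# Added example: a simplified simulator of Linux-PAM "auth" stack control flow.
# It is NOT Linux-PAM and not part of privacyidea; it exists only to trace which
# module ends up deciding for the two stacks posted in this thread. Module
# results are supplied by the caller ("success" or "fail") instead of coming
# from real modules, and only the control values used in the thread are
# modelled (bracketed actions, required, requisite, sufficient, optional).
import re

# Classic keywords expressed as the bracketed actions they stand for (pam.conf(5)),
# reduced to the two outcomes this model knows.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The common-auth stack from the first post (comments restored, lines joined).
THREAD_COMMON_AUTH = """
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_python.so /lib/security/privacyidea_pam.py url=https://it-2fa.ourdomain.de nosslverify debug
auth required pam_permit.so
"""

# The revised stack from the post above.
THREAD_REVISED_STACK = """
auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=ok default=1] pam_sss.so use_first_pass
auth [success=1 default=ignore] pam_python.so /lib/security/privacyidea_pam.py url=https://2fa-server.domain.de nosslverify debug
auth required pam_deny.so
auth required pam_permit.so
"""

LINE_RE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_stack(text):
    """Turn 'auth <control> <module> [args...]' lines into (control, module) pairs."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable line: " + line)
        control, module = m.groups()
        if control.startswith("["):
            ctl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctl = dict(KEYWORDS[control])
        stack.append((ctl, module))
    return stack


def run_stack(stack, results):
    """Walk the stack. 'results' maps module name -> "success" or "fail";
    unlisted modules fail, except pam_permit.so which always succeeds.
    Returns (final_result, modules_actually_executed)."""
    impression = None          # None: undefined, True: positive, False: negative
    status = "fail"
    executed = []
    i = 0
    while i < len(stack):
        ctl, module = stack[i]
        executed.append(module)
        ret = results.get(module, "success" if module == "pam_permit.so" else "fail")
        action = ctl.get("success" if ret == "success" else "default", "bad")
        if action == "ignore":
            pass
        elif action in ("ok", "done") or action.isdigit():
            # ok, done and jumps record the module's result unless an earlier
            # module already produced a non-success result
            if impression is None or (impression is True and status == "success"):
                impression, status = True, ret
            if action == "done" and impression is True:
                break
            if action.isdigit():
                i += int(action)   # jump: skip the next N modules
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break
        else:
            raise ValueError("unsupported action: " + action)
        i += 1
    if impression is not True:
        status = "fail"            # nothing positive ever happened: deny
    return status, executed


if __name__ == "__main__":
    for name, text in (("common-auth", THREAD_COMMON_AUTH), ("revised", THREAD_REVISED_STACK)):
        stack = parse_stack(text)
        for scenario in ({"pam_unix.so": "success"}, {"pam_sss.so": "success"},
                         {"pam_krb5.so": "success", "pam_python.so": "success"}):
            print(name, scenario, "->", run_stack(stack, scenario))
```

The returned list of executed modules is the part worth reading: in the revised stack the scenario {"pam_unix.so": "success"} executes only pam_unix.so and pam_permit.so, so whether that is acceptable depends on whether local accounts are meant to skip the second factor; in the first post's stack a Kerberos success always continues into pam_python.so, and a privacyidea failure there ends in a deny because pam_permit.so's ok cannot override an earlier negative result.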

Hi Jochen,

to the prompting... What I mean here is the default prompt when you
don't have the parameter "prompt=any_prompt_you_want" in the PAM module. The
problem here is that it still prompts the default prompt (which is "Your
OTP: ") even though I only have an SMS token.

On the Terminal:
ssh 2fauser@2fa-server.domain.de
Password:

Is this from pam_krb5?

Warning: Your password will expire in 176 days on Sun Oct 1 00:59:58 2017

yes, up to this point, but the "Your OTP:" does not belong to pam_krb5.so.
The warning message can actually be turned off using the pam_sss.so module
with "pam_pwd_expiration_warning = N" in the sssd.conf file instead of
pam_krb5.so.

Your OTP:

This is a prompt I know from my FreeIPA installation for a kinit as a
user that has a token/radius authentication assigned on older systems.
My best guess is some confusion in the pam/sshd configuration. Maybe
you should only use privacyidea in your pam configuration?

SSH/PAM can be configured very flexibly, but you need to think carefully
about the flow through the configuration.

Match Group otpusers
AuthenticationMethods gssapi-with-mic publickey,keyboard-interactive:pam

yes, I also have this in my sshd_config but I'm forcing all users except root
to do keyboard-interactive:pam. This is to always let PAM handle the
authentication against Kerberos even if the user has a krb5 ticket. In this
way, even if GSSAPIAuthentication is enabled, if the user is not root he
will still have to follow the PAM stack in this order:

1- authenticate with kerberos
2- if successful, do second authentication against the privacyidea server
3- if successful, create session for user

in my sshd_config:

Match User !root Address 192.168.x.x
AuthenticationMethods keyboard-interactive:pam

There are two possible paths to authentication defined for OTP users:

  1. Iff the user has a valid kerberos ticket, access is granted. No OTP,
    no password.
  2. Otherwise we need an ssh-key and refer to pam for authentication
    (here: an OTP).

In my /etc/pam.d/ssh I have before @common-auth:

auth [default=1 success=ignore] pam_succeed_if.so quiet user ingroup otpusers
auth sufficient pam_yubico.so […]

So OTP users must provide their OTP. You can/will use privacyidea’s pam
module here, right?

I think you need to use pam/privacyidea instead of pam_krb5.

Since I am using LDAP as my userstore, I don't need to have an additional
group for the OTP users. Instead, I just use the privacyidea WebUI to let
users enroll/manage their token(s).

I've been trying different configurations using the Event Handlers + Policy

  • pam_succeed_if to somehow provide an option for the ssh user to choose
    which token to use if he has multiple tokens available, just like a dropdown
    list of tokens to use if it were a WebUI-based login. Somewhat like what
    Google does, but only in the terminal? I'm not that well versed in Python but
    I'll try to look at the PI_pam.py and maybe come up with ideas.

Thanks for your help and ideas!

Sincerely,
Jojo

iamohtep@gmail.com writes:

Here is my PAM config:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_sss.so use_first_pass

I’d also suggest dropping pam_krb5 and using the kerberos provider from
sssd. Please see “man sssd-krb5” - you’ll get offline authentication
when your auth server is not available.

Jochen–
This space is intentionally left blank.