PrivacyIdea SSH authentication with LDAP Resolver

Hi! I have a privacyIDEA server configured on my Ubuntu 14.04. I have a
little issue with SSH:

–> I can authenticate via SSH successfully when the username passed (when
doing ssh user@localhost) is in /etc/passwd.

Now, I configured an LDAP resolver, which seems to be well configured because
it retrieves my users stored in it.

But when I try to do ssh ldapUser@localhost, it fails, and in the audit
of the web UI of PI I have “wrong otp pin”, although I checked that the
token is working.

So does the PAM module work with any resolver or JUST with /etc/passwd
(unix users)?

Thanks in advance,

Kind regards,

Karim

Hi Karim,

No, it works with all kinds of user stores.
But you need to be aware that the user also needs to be available on
the system where you are authenticating.

You are jumping into a complex scenario which contains several possible
sources of error.
Always approach a scenario step by step, to reduce the possible error
sources in each step.

In your case, the OTP PIN is wrong.

So first you need to make sure that you can in fact authenticate with the
token and with the user.
(Without any PAM stuff)

Kind regards
Cornelius

On Monday, 06.07.2015, at 02:18 -0700, CK wrote:

Hi! I have a privacyIDEA server configured on my Ubuntu 14.04. I
have a little issue with SSH:

→ I can authenticate via SSH successfully when the username passed
(when doing ssh user@localhost) is in /etc/passwd.

Now, I configured an LDAP resolver, which seems to be well configured
because it retrieves my users stored in it.

But when I try to do ssh ldapUser@localhost, it fails, and in the
audit of the web UI of PI I have “wrong otp pin”, although I checked
that the token is working.

So does the PAM module work with any resolver or JUST
with /etc/passwd (unix users)?

Thanks in advance,

Kind regards,

Karim


Cornelius Kölbel

Hi Cornelius! It’s okay, I’ve resolved my issue, and now I can
authenticate on SSH via the LDAP resolver :wink:
I had to configure the nsswitch.conf and it works well now!

Kind regards,

Karim
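
A check for the situation resolved in this thread, added here as an example and not part of the original messages: it tests whether a login name is visible to the host through NSS and, if not, whether the `passwd` line of nsswitch.conf lists a directory source at all. The function names are hypothetical, and `ldap` and `sss` are assumed as the names of the directory-backed NSS modules.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# "ldap" and "sss" are assumed to be the directory-backed NSS modules in use.

# List the lookup sources configured for one database in an nsswitch.conf file.
nss_sources() {  # $1 = database (e.g. passwd), $2 = path to nsswitch.conf
    awk -v db="$1:" '
        { sub(/#.*/, ""); sub(/:/, ": ") }     # strip comments, split "passwd:files"
        $1 == db {
            for (i = 2; i <= NF; i++)
                if ($i !~ /^\[/) print $i      # skip actions like [NOTFOUND=return]
        }' "$2"
}

# True if the database consults a directory-backed source.
nss_has_directory() {  # $1 = database, $2 = path to nsswitch.conf
    nss_sources "$1" "$2" | grep -Eqx 'ldap|sss'
}

# Check that a login name is available on the host where SSH/PAM runs.
# Returns 0 = resolves, 1 = directory source listed but lookup fails,
#         2 = passwd lookups never consult a directory source.
check_login_user() {  # $1 = user, $2 = nsswitch.conf path (optional)
    conf="${2:-/etc/nsswitch.conf}"
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "OK: $1 resolves through NSS"
        return 0
    fi
    if nss_has_directory passwd "$conf"; then
        echo "FAIL: $conf lists a directory source, but $1 is not found"
        return 1
    fi
    echo "FAIL: passwd in $conf only uses: $(nss_sources passwd "$conf" | tr '\n' ' ')"
    return 2
}

# Usage on the SSH host: check_login_user ldapUser
```

A return code of 2 matches the state before the nsswitch.conf change described above; a return code of 1 points at the NSS LDAP client configuration rather than at privacyIDEA.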