Problem in setting up OTP in SSH login

Dear all

I'm trying to set up privacyIDEA OTP authentication for SSH login.
The problem is the PAM setting:

  1. If I just paste the lines below into pam.d/sshd and mask the include
     of common-auth, it will not work.

     #@include common-auth
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication

  2. If I use the setting below in common-auth, it works, but it will also
     check the user's password.

     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     auth sufficient pam_unix.so nullok_secure
     auth requisite pam_deny.so
     auth required pam_permit.so
     auth optional pam_ecryptfs.so unwrap
     auth optional pam_cap.so

  3. If I mask line two or exchange the order of line one and line two, it
     will not work.

     ------------------------ not work ---------------------------------
     auth sufficient pam_unix.so nullok_secure
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     ------------------------ not work ---------------------------------
     auth [success=1 default=ignore] pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     auth sufficient pam_unix.so nullok_secure
     ------------------------ not work ---------------------------------
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     #auth sufficient pam_unix.so nullok_secure

Can anybody tell me the correct setting if I only want to use OTP
authentication, without password checking?

Harvey

Hello Harvey,

usually I create a copy of common-auth

cp /etc/pam.d/common-auth /etc/pam.d/otp-auth

Then I replace the pam_unix line with the privacyIDEA line…

Check the /var/log/secure log to tell us more than "it will not
work" :wink:

(Probably it is your SSL certificate and the missing hostname)

Kind regards
Cornelius

On Thursday, 23.06.2016, 23:44 -0700, Harvey Chang wrote:



Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/363273ac-c3ab-4696-ab1c-04b7562873f6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)
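The recipe Cornelius describes above, as an added shell example that is not part of the thread or of privacyIDEA's own tooling: it takes a Debian-style common-auth (a constructed sample here, not Harvey's file), swaps the pam_unix.so auth line for the privacyIDEA pam_python line from the thread, sanity-checks the result, and repoints the sshd stack's @include at the copy. The file name otp-auth, the server URL and the /etc/pam.d layout are taken from the thread; the dry run works in a temporary directory so nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not from the thread): build a separate PAM auth stack that
# authenticates with privacyIDEA OTP only, following Cornelius' recipe:
# copy common-auth, replace the pam_unix line with the privacyIDEA line,
# and have sshd include the copy instead of common-auth.
# The sample common-auth below is constructed (Debian-style stack); on a
# real host you would read /etc/pam.d/common-auth and write /etc/pam.d/otp-auth.

PI_URL="https://172.16.8.75"   # privacyIDEA server from the thread
PI_LINE="auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=${PI_URL} prompt=privacyIDEA_Authentication"

# Write a constructed Debian-style common-auth into $1.
write_sample_common_auth() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-auth (constructed sample)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so
EOF
}

# Derive otp-auth ($2) from common-auth ($1): every auth line that loads
# pam_unix.so becomes the privacyIDEA line (its control field goes with it),
# everything else (pam_deny, pam_permit, optional modules) is kept.
derive_otp_auth() {
    awk -v pi_line="$PI_LINE" '
        /^auth[ \t]/ && /pam_unix\.so/ { print pi_line; next }
        { print }
    ' "$1" > "$2"
}

# Checks a practitioner wants before pointing sshd at the file: exactly one
# privacyIDEA line, no pam_unix line left (no password fallback), and
# pam_deny still present so a failed OTP really denies.
check_otp_auth() {
    f="$1"
    pi=$(grep -c 'privacyidea_pam\.py' "$f" || true)
    unix=$(grep -c 'pam_unix\.so' "$f" || true)
    deny=$(grep -c 'pam_deny\.so' "$f" || true)
    [ "$pi" -eq 1 ] && [ "$unix" -eq 0 ] && [ "$deny" -ge 1 ]
}

# Repoint the sshd stack ($1, normally /etc/pam.d/sshd): only the auth
# include changes; account/session/password includes stay as they are.
switch_sshd_include() {
    tmp="$1.tmp"
    sed 's|^@include  *common-auth *$|@include otp-auth|' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Stand-alone dry run in a temporary directory.
demo() {
    d=$(mktemp -d)
    write_sample_common_auth "$d/common-auth"
    derive_otp_auth "$d/common-auth" "$d/otp-auth"
    printf '%s\n' '@include common-auth' 'account required pam_nologin.so' > "$d/sshd"
    switch_sshd_include "$d/sshd"
    check_otp_auth "$d/otp-auth" && echo "otp-auth OK"
    cat "$d/otp-auth"
    rm -rf "$d"
}

demo
```

With pam_unix.so gone from this auth stack the service never asks for the Unix password, which is what Harvey asked for, and an unreachable or failing privacyIDEA ends in pam_deny.so rejecting the login instead of the silent password fallback that the "it works, but also checks the password" stack in the thread produces. sshd only runs this stack for keyboard-interactive logins, so ChallengeResponseAuthentication and UsePAM must both be yes in sshd_config; keep a root session open while testing.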

Hi Harvey,
you have a problem with your SSL certificate.
The SSH server needs to trust the privacyIDEA’s certificate.

You can see this in the log (SSLError) and the return of
privacyidea-authorizedkeys is not ok! It should only output the keys.
Not the error message.

As a temporary TESTING!!! solution you can use nosslcheck=True.

Please read:
http://privacyidea.readthedocs.io/en/latest/machines/index.html?highlight=privacyidea-authorizedkeys#ssh

Kind regards
Cornelius

On Friday, 01.07.2016, 00:31 -0700, Harvey Chang wrote:

Hi Cornelius

Thanks for your reply. I find I have not succeeded so far. Below is the
log.
I do not really know what is happening in it.


Jul 1 15:24:22 raspberrypi sshd: Traceback (most recent call last):
  File "/lib/security/privacyidea_pam.py", line 274, in pam_sm_authenticate
    rval = Auth.authenticate(pamh.authtok)
  File "/lib/security/privacyidea_pam.py", line 111, in authenticate
    json_response = self.make_request(data)
  File "/lib/security/privacyidea_pam.py", line 85, in make_request
    verify=self.sslverify)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
SSLError:

Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: Traceback (most recent call last):
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:   File "/lib/security/privacyidea_pam.py", line 288, in pam_sm_authenticate
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:     syslog.syslog(syslog.LOG_ERR, "%s: %s" % (name, exx))
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: TypeError: __str__ returned non-string (type Error)
Jul 1 15:24:29 raspberrypi sshd[2389]: Accepted keyboard-interactive/pam for pi from 172.16.8.42 port 48571 ssh2
Jul 1 15:24:29 raspberrypi sshd[2389]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jul 1 15:24:29 raspberrypi systemd-logind[548]: New session c5 of user pi.
Jul 1 15:24:32 raspberrypi sshd[2412]: Received disconnect from 172.16.8.42: 11: disconnected by user
Jul 1 15:24:32 raspberrypi sshd[2389]: pam_unix(sshd:session): session closed for user pi
Jul 1 15:24:32 raspberrypi systemd-logind[548]: Removed session c5.

I already tested that the privacyidea-authorizedkeys command works.

root@raspberrypi:/etc/pam.d# privacyidea-authorizedkeys pi
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732:
InsecureRequestWarning: Unverified HTTPS request is being made. Adding
certificate verification is strongly advised. See:
https://urllib3.readthedocs.org/en/latest/security.html (This warning
will only appear once by default.)
InsecureRequestWarning)
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQC/lZw1Abgxz8/TF8StOLfl/5rXZuSYilOJ7YdrGZO225wmSsdH/vAk7QRblgEtT0AIOiBnRGeVko4YWvc2xjM1iOTHtU+qyJhz59fCQdYxLTVLUg9yKD7f/CPDDss/px8ek/vNjBPPSRNursB9p8PvRz5B/0+9X+JR40UM3ZfDlOXZp5WahjjC47ioa/p/wH8/mXNhWf8UW0t+s4nsUghJ9Tp8JchyKZu7jIAgD1Y/XOZYEzN9D1msbjTC9MPYzw6xpg0VOtI0CrMb0SG65Y1yDvGMu4Fa9YiAuAKPHe5y26M2OoqJILn1UV2uRS3CXO/VH1TfGbI8VmM5v+kAP24b9MxkCo2aBb8+y9SpcPa82SaXTXEQlYmbLQgEvpftd3GLC7ABuEYIAegSbQPvxa1loJe+QH3KlLXgAL3qvqghwbssCpIc6nckhDRK5rcApNxTTS+yiDEsO41J51Ihb30dyuaQ1TskTpbsqDe0PDhSpg/+IkySBqg8/UI2KpaqOQXZZkERHKYXr8gfl/byS2yZ5OC6iVD9i7LVmd6KcIs7fOiX5FYJoPlYneY0jgOoH2X/65C72mCvgtf5PNU56linmstD++1NA0vmiBVaxrNdB61bnLmWkxfgYRtB6/FdphsiPfWRE+mvgAxWnGrqnMVV+QSMaZa+6IJZ0VDf3/CjLw== harvey-chang@harveychang-VirtualBox


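The two checks behind Cornelius's advice above (read the log for the SSLError, and make sure privacyidea-authorizedkeys prints nothing but keys), as an added shell example that is not from the thread or from privacyIDEA. The sample log lines and the sample command output are constructed from what Harvey posted, with the traceback abbreviated and the key blob replaced by a placeholder; the verdict strings and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from privacyIDEA.
# Two offline checks for the failure mode in the thread:
#   triage_auth_log                 : count SSLError tracebacks from
#                                     privacyidea_pam.py and logins that sshd
#                                     accepted anyway
#   validate_authorized_keys_output : accept only lines that look like
#                                     authorized_keys entries, reject warnings

# Constructed from the syslog lines in the thread; the traceback body is
# abbreviated with "..." (rsyslog writes the newlines inside it as #012).
SAMPLE_LOG='Jul 1 15:24:22 raspberrypi sshd: Traceback (most recent call last):#012  File "/lib/security/privacyidea_pam.py", line 274, in pam_sm_authenticate#012 ...#012SSLError:
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: TypeError: __str__ returned non-string (type Error)
Jul 1 15:24:29 raspberrypi sshd[2389]: Accepted keyboard-interactive/pam for pi from 172.16.8.42 port 48571 ssh2
Jul 1 15:24:29 raspberrypi sshd[2389]: pam_unix(sshd:session): session opened for user pi by (uid=0)'

# Constructed: what privacyidea-authorizedkeys printed with nosslcheck in
# effect (urllib3 warning first, then the key). The data after "ssh-rsa"
# is a placeholder, not a real key.
SAMPLE_KEYS_BAD='/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised.
  InsecureRequestWarning)
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/CONSTRUCTED+PLACEHOLDER/KEYDATA== harvey-chang@harveychang-VirtualBox'

# Constructed: the output sshd actually needs from an AuthorizedKeysCommand.
SAMPLE_KEYS_GOOD='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/CONSTRUCTED+PLACEHOLDER/KEYDATA== harvey-chang@harveychang-VirtualBox'

# Reads log lines on stdin, prints one summary line. The verdict
# "otp-backend-failed-but-login-accepted" means the privacyIDEA request died
# (in the thread: certificate not trusted) and another auth module, there
# pam_unix with the Unix password, let the session through regardless.
triage_auth_log() {
    awk '
        /SSLError/                                           { ssl++ }
        /TypeError: __str__ returned non-string/             { typeerr++ }
        /sshd\[[0-9]+\]: Accepted keyboard-interactive\/pam/ { acc++ }
        END {
            verdict = "ok"
            if (ssl > 0 && acc > 0) verdict = "otp-backend-failed-but-login-accepted"
            else if (ssl > 0)       verdict = "otp-backend-failed"
            printf "sslerror=%d typeerror=%d accepted=%d verdict=%s\n", ssl, typeerr, acc, verdict
        }'
}

# Reads AuthorizedKeysCommand output on stdin. Prints "keys=N bad=M" and
# exits non-zero if any line is not a key entry (blank lines and comments
# are tolerated; lines carrying authorized_keys options are not handled).
validate_authorized_keys_output() {
    awk -v keyre='^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))[ \t]+[A-Za-z0-9+/]+=*([ \t].*)?$' '
        /^[ \t]*$/ || /^#/ { next }
        $0 ~ keyre         { keys++; next }
                           { bad++ }
        END { printf "keys=%d bad=%d\n", keys, bad; exit (bad > 0) }'
}

# Stand-alone run over the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | triage_auth_log
printf '%s\n' "$SAMPLE_KEYS_BAD" | validate_authorized_keys_output || echo "reject: output is not only keys"
printf '%s\n' "$SAMPLE_KEYS_GOOD" | validate_authorized_keys_output && echo "accept"
```

On a real host the first function is fed from the auth log (journalctl -u ssh, /var/log/auth.log or /var/log/secure depending on the distribution) and the second from `privacyidea-authorizedkeys <user>` run as the account sshd uses for AuthorizedKeysCommandUser. The durable fix is the one Cornelius points at: the host running sshd needs the CA that issued the privacyIDEA certificate in the trust store used by the Python requests library, and the url= value must match the certificate's hostname; nosslcheck=True only makes the SSLError disappear, not the exposure.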
