Problem in setting up OTP in SSH login

Dear all

I’m trying to set up privacyIDEA OTP authentication for SSH login.
The problem is the PAM setting:

  1. If I just paste the code below into pam.d/sshd and mask the include of
     common-auth, it will not work.

     #@include common-auth
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication

  2. If I use the setting below in common-auth, it works, but it will also
     check the user password.

     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     auth sufficient pam_unix.so nullok_secure
     auth requisite pam_deny.so
     auth required pam_permit.so
     auth optional pam_ecryptfs.so unwrap
     auth optional pam_cap.so

  3. If I mask line two or exchange the order of line one and line two, it
     will not work.

     ------------------------ not work ---------------------------------
     auth sufficient pam_unix.so nullok_secure
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     ------------------------ not work ---------------------------------
     auth [success=1 default=ignore] pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     auth sufficient pam_unix.so nullok_secure
     ------------------------ not work ---------------------------------
     auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
     #auth sufficient pam_unix.so nullok_secure

Can anybody tell me what the correct setting is if I only want to use OTP
authentication, without password checking?

Harvey

Hello Harvey,

usually I create a copy of common-auth:

cp /etc/pam.d/common-auth /etc/pam.d/otp-auth

Then I replace the pam_unix line with the privacyIDEA line…

Check the /var/log/secure log to tell us more than “it will not
work” :wink:

(Probably it is your SSL certificate and the missing hostname)

Kind regards
Cornelius

On Thursday, 23.06.2016, 23:44 -0700, Harvey Chang wrote:



Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/363273ac-c3ab-4696-ab1c-04b7562873f6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)
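Cornelius's recipe as a runnable added example (not code from the thread or from the privacyIDEA project): copy common-auth, swap the pam_unix line for the privacyIDEA line, and verify the result. It assumes the Debian common-auth layout Harvey pasted, Harvey's url=https://172.16.8.75 value, and that /etc/pam.d/sshd will `@include otp-auth` where it included common-auth; the demo runs on a constructed copy, never on the live /etc/pam.d files.

```shell
#!/bin/sh
# Added example (not from the thread or the privacyIDEA project): build an
# OTP-only PAM stack the way Cornelius describes: copy common-auth, then
# replace the pam_unix line with the privacyIDEA line.
# Assumptions: Debian's common-auth layout as Harvey pasted it, and that
# /etc/pam.d/sshd will '@include otp-auth' where it included common-auth.
PI_LINE='auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication'

# make_otp_auth SRC DST: copy SRC to DST, swapping each pam_unix auth line
# for the privacyIDEA line. Replacing (rather than commenting out) keeps the
# rest of the stack intact: when the OTP check fails, 'sufficient' falls
# through to 'requisite pam_deny.so' and the login is refused, so a broken
# or unreachable privacyIDEA server fails closed, with no password fallback.
make_otp_auth() {
    awk -v pi="$PI_LINE" '
        /^[[:space:]]*auth[[:space:]].*pam_unix\.so/ { print pi; next }
        { print }
    ' "$1" > "$2"
}

# check_otp_auth FILE: return 0 only if FILE carries the privacyIDEA line,
# has no pam_unix auth line left (no password fallback), and still ends in
# the deny/permit pair that makes the stack fail closed.
check_otp_auth() {
    grep -q 'privacyidea_pam\.py' "$1" || return 1
    ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1" || return 1
    grep -q 'pam_deny\.so' "$1" || return 1
    grep -q 'pam_permit\.so' "$1" || return 1
}

# Stand-alone demo on a constructed copy of the stock Debian common-auth,
# never on the live /etc/pam.d files.
demo=$(mktemp -d)
cat > "$demo/common-auth" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
EOF
make_otp_auth "$demo/common-auth" "$demo/otp-auth"
if check_otp_auth "$demo/otp-auth"; then
    echo "otp-auth looks right:"; cat "$demo/otp-auth"
fi
rm -rf "$demo"
```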

Hi Harvey,
you have a problem with your SSL certificate.
The SSH server needs to trust privacyIDEA’s certificate.

You can see this in the log (SSLError), and the return of
privacyidea-authorizedkeys is not OK! It should only output the keys,
not the error message.

As a temporary TESTING!!! solution you can use nosslcheck=True.

Please read:
http://privacyidea.readthedocs.io/en/latest/machines/index.html?highlight=privacyidea-authorizedkeys#ssh

Kind regards
Cornelius

On Friday, 01.07.2016, 00:31 -0700, Harvey Chang wrote:





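A defender's check for Cornelius's two points, added here as an example and not taken from the thread or the privacyIDEA project: it flags privacyIDEA PAM lines that still carry the testing-only nosslcheck=True or a bare-IP url= (a certificate is issued to a hostname, which is the "missing hostname" hint), and collapses the module's SSLError traceback records in the auth log to their cause. It assumes the option spellings used in the thread and rsyslog's habit of writing a multi-line traceback as one record with newlines escaped as #012, the form of Harvey's raw log; all inputs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or privacyIDEA): audit privacyIDEA PAM
# lines for the testing-only nosslcheck=True option Cornelius mentions, warn
# when url= names a bare IP (the certificate must match a hostname), and
# pull the SSLError records the module writes to the auth log. Assumptions:
# the option spellings used in the thread, and rsyslog's #012 newline
# escaping as in Harvey's raw log; the inputs below are constructed samples.

# pi_lines FILE: print active (uncommented) privacyIDEA auth lines of FILE.
pi_lines() {
    grep -E '^[[:space:]]*auth[[:space:]].*privacyidea_pam\.py' "$1" || true
}

# audit_pam FILE: return 1 and print a warning for each weak setting found.
audit_pam() {
    bad=0
    if pi_lines "$1" | grep -q 'nosslcheck=True'; then
        echo "WARN $1: nosslcheck=True skips certificate verification"; bad=1
    fi
    if pi_lines "$1" | grep -Eq 'url=https://[0-9]+(\.[0-9]+){3}'; then
        echo "WARN $1: url= is a bare IP, so no hostname can match the cert"; bad=1
    fi
    return "$bad"
}

# ssl_errors LOG: one line per privacyidea_pam SSLError record, keeping the
# timestamp/host prefix and only the final segment of the #012-joined
# traceback, so a ten-frame traceback collapses to its cause.
ssl_errors() {
    awk -F'#012' '/privacyidea_pam\.py/ && /SSLError/ {
        sub(/: Traceback.*/, "", $1); print $1 ": " $NF }' "$1"
}

# Stand-alone demo on constructed samples.
demo=$(mktemp -d)
printf '%s\n' \
  'auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 nosslcheck=True' \
  'auth requisite pam_deny.so' > "$demo/otp-auth"
printf '%s\n' \
  'Jul 1 15:24:22 raspberrypi sshd: Traceback (most recent call last):#012  File "/lib/security/privacyidea_pam.py", line 85, in make_request#012    verify=self.sslverify)#012SSLError: certificate verify failed' \
  'Jul 1 15:24:29 raspberrypi sshd[2389]: Accepted keyboard-interactive/pam for pi' > "$demo/auth.log"
audit_pam "$demo/otp-auth" || echo "audit failed: fix before production use"
ssl_errors "$demo/auth.log"
rm -rf "$demo"
```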

Hi Cornelius

Thanks for your reply. I found I have not succeeded till now. Below is the
log.
I don't really know what is happening.

Jul 1 15:24:22 raspberrypi sshd: Traceback (most recent call last):
  File "/lib/security/privacyidea_pam.py", line 274, in pam_sm_authenticate
    rval = Auth.authenticate(pamh.authtok)
  File "/lib/security/privacyidea_pam.py", line 111, in authenticate
    json_response = self.make_request(data)
  File "/lib/security/privacyidea_pam.py", line 85, in make_request
    verify=self.sslverify)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 94, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 49, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 569, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 420, in send
    raise SSLError(e, request=request)
SSLError:

Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: Traceback (most recent call last):
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:   File "/lib/security/privacyidea_pam.py", line 288, in pam_sm_authenticate
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]:     syslog.syslog(syslog.LOG_ERR, "%s: %s" % (name, exx))
Jul 1 15:24:22 raspberrypi /lib/security/privacyidea_pam.py[2396]: TypeError: __str__ returned non-string (type Error)
Jul 1 15:24:29 raspberrypi sshd[2389]: Accepted keyboard-interactive/pam for pi from 172.16.8.42 port 48571 ssh2
Jul 1 15:24:29 raspberrypi sshd[2389]: pam_unix(sshd:session): session opened for user pi by (uid=0)
Jul 1 15:24:29 raspberrypi systemd-logind[548]: New session c5 of user pi.
Jul 1 15:24:32 raspberrypi sshd[2412]: Received disconnect from 172.16.8.42: 11: disconnected by user
Jul 1 15:24:32 raspberrypi sshd[2389]: pam_unix(sshd:session): session closed for user pi
Jul 1 15:24:32 raspberrypi systemd-logind[548]: Removed session c5.

I already tested that the privacyidea-authorizedkeys command is workable.

root@raspberrypi:/etc/pam.d# privacyidea-authorizedkeys pi
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:732: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html (This warning will only appear once by default.)
  InsecureRequestWarning)
ssh-rsa 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 harvey-chang@harveychang-VirtualBox