I installed PrivacyIdea on Ubuntu 22.0.4 and integrated servers running Ubuntu 16.x.
I followed the instructions but when authenticating, the OTP is always wrong. But when I tested the token on the GUI it was successful.
Can anyone assist me with this issue?
Can you post the log (with debug enabled) of the PAM module?
tail -f /var/log/auth.log
Mar 27 10:11:03 pi-u18 sshd[3223]: Invalid user namnd from 172.28.42.153 port 57892
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM adding faulty module: pam_winbind.so
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM adding faulty module: pam_ecryptfs.so
Mar 27 10:11:03 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:13 pi-u18 sshd[3225]: pam_unix(sshd:auth): check pass; user unknown
Mar 27 10:11:13 pi-u18 sshd[3225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.28.42.153
Mar 27 10:11:15 pi-u18 sshd[3223]: error: PAM: Authentication failure for illegal user namnd from 172.28.42.153
Mar 27 10:11:15 pi-u18 sshd[3223]: Failed keyboard-interactive/pam for invalid user namnd from 172.28.42.153 port 57892 ssh2
Mar 27 10:11:15 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:24 pi-u18 sshd[3226]: pam_unix(sshd:auth): check pass; user unknown
Mar 27 10:11:24 pi-u18 sshd[3226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.28.42.153
Mar 27 10:11:25 pi-u18 sshd[3223]: error: PAM: Authentication failure for illegal user namnd from 172.28.42.153
Mar 27 10:11:25 pi-u18 sshd[3223]: Failed keyboard-interactive/pam for invalid user namnd from 172.28.42.153 port 57892 ssh2
Mar 27 10:11:25 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:30 pi-u18 sshd[3223]: Connection closed by invalid user namnd 172.28.42.153 port 57892 [preauth]
Mar 27 10:17:01 pi-u18 CRON[3237]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:17:01 pi-u18 CRON[3237]: PAM adding faulty module: pam_ecryptfs.so
Mar 27 10:17:01 pi-u18 CRON[3237]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 27 10:17:01 pi-u18 CRON[3237]: pam_unix(cron:session): session closed for user root
Mar 27 10:34:38 pi-u18 su[3263]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:34:38 pi-u18 su[3263]: PAM adding faulty module: pam_ecryptfs.so
My radius client configuration:
# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_radius_auth.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
vim /etc/pam_radius_auth.conf
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
10.168.50.177:1812 123456a@ 10
#other-server other-secret 3
My topology
Privacy server on Ubuntu 22 (privacyidea-radius) → ubuntu client 16.x and 18.x (pam_radius).
I don't know why it's always a wrong OTP.
I do not see our PAM being used, and there are a lot of errors.
You might want to check the audit in privacyIDEA. I don't really know what you want to do; maybe you should get professional help.
Create the user on the server (not the pi server) where you want to authenticate.
br
Julio
Mar 28 11:19:51 pi-u18 sshd[5767]: pam_radius_auth: Got user name dangnh@local
Mar 28 11:19:51 pi-u18 sshd[5762]: Postponed keyboard-interactive for invalid user dangnh@local from 172.28.42.207 port 54782 ssh2 [preauth]
Mar 28 11:20:04 pi-u18 sshd[5767]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 11:20:05 pi-u18 sshd[5767]: pam_radius_auth: Got RADIUS response code 3
Mar 28 11:20:05 pi-u18 sshd[5767]: pam_radius_auth: authentication failed
Why is the RADIUS response code 3?
I can query it with the username and OTP from PrivacyIdea:
root@pi-u18:~# echo User-Name = dangnh,User-Password =778817 | radclient -x -s 10.168.50.178 auth testing123
Sent Access-Request Id 132 from 0.0.0.0:56453 to 10.168.50.178:1812 length 46
User-Name = "dangnh"
User-Password = "778817"
Cleartext-Password = "778817"
Received Access-Accept Id 132 from 10.168.50.178:1812 to 0.0.0.0:0 length 48
Reply-Message = "privacyIDEA access granted"
Packet summary:
Accepted : 1
Rejected : 0
Lost : 0
Passed filter : 1
Failed filter : 0
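For anyone reading the "response code" lines above: the codes are the RFC 2865 packet codes, so code 1 is Access-Request, code 2 Access-Accept, code 3 Access-Reject and code 11 Access-Challenge. The following is an added example, not code from this thread, from privacyIDEA or from pam_radius_auth. It models a PAP exchange the way a PAM RADIUS client and a RADIUS server see it: the client obfuscates User-Password with the shared secret and a random Request Authenticator, the server decodes it with its own copy of the secret, and the client recomputes the Response Authenticator before it trusts the reply code. The user table, the toy server and its reject message are constructed; the username, OTP, secrets and packet id are reused from the thread only as sample values.

```python
# Added example (not from the thread, privacyIDEA or pam_radius_auth): a toy
# RFC 2865 PAP exchange. The client side mirrors what a PAM RADIUS client does
# (obfuscate User-Password, verify the Response Authenticator); the server side
# is a stand-in for a RADIUS server with a constructed user table.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept",
              3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)

def encode_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def decode_password(encrypted, secret, request_auth):
    """Inverse of encode_password; with the wrong secret this yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")

def build_attrs(attrs):
    """Attributes are Type(1) Length(1) Value TLVs; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body

def response_authenticator(code, ident, body, request_auth, secret):
    """RFC 2865 section 3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def access_request(username, password, secret, ident):
    """Client: build an Access-Request (code 1) with a random Request Authenticator."""
    request_auth = os.urandom(16)
    body = build_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_password(password.encode(), secret, request_auth)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth

def server_handle(request, secret, users):
    """Toy server: decode the password with *its* secret and compare with the user table."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:HEADER_LEN]
    attrs = dict(parse_attrs(request[HEADER_LEN:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    if code == ACCESS_REQUEST and users.get(user) == password:
        reply_code, message = ACCESS_ACCEPT, b"privacyIDEA access granted"
    else:
        reply_code, message = ACCESS_REJECT, b"toy server: credentials rejected"
    body = build_attrs([(ATTR_REPLY_MESSAGE, message)])
    auth = response_authenticator(reply_code, ident, body, request_auth, secret)
    return build_packet(reply_code, ident, auth, body)

def client_verify(reply, request_auth, secret):
    """Client: recompute the Response Authenticator before trusting the reply code."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[HEADER_LEN:length], request_auth, secret)
    if not hmac.compare_digest(expected, reply[4:HEADER_LEN]):
        return "verification-failed"  # a real client logs this and ignores the reply
    return CODE_NAMES.get(code, "code %d" % code)

def run_exchange(username, password, client_secret, server_secret, users, ident=132):
    """Returns (what the client concludes, reply length in bytes)."""
    request, request_auth = access_request(username, password, client_secret, ident)
    reply = server_handle(request, server_secret, users)
    return client_verify(reply, request_auth, client_secret), len(reply)

if __name__ == "__main__":
    users = {"dangnh": b"778817"}  # constructed table reusing the thread's sample values
    print("same secret, right OTP:", run_exchange("dangnh", "778817", b"testing123", b"testing123", users))
    print("same secret, wrong OTP:", run_exchange("dangnh", "000000", b"testing123", b"testing123", users))
    print("secret mismatch       :", run_exchange("dangnh", "778817", b"123456a@", b"testing123", users))
```

Two things the toy makes visible. First, the packet sizes it produces (46 bytes for the request with a 6-character User-Name and a 16-byte obfuscated password, 48 bytes for the accept carrying the 26-character Reply-Message) are exactly the lengths radclient printed above, so the model matches the wire format. Second, a reply that a client reports as "response code 3" has already passed the Response Authenticator check with the client's secret; in the toy, a secret mismatch between the two sides shows up as a verification failure on the client instead, while the server only ever sees a garbled password.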
Hello,
I think times are synchronized across all servers, as OTP validation depends on accurate time settings. The token configuration (TOTP/HOTP) matches what was successfully tested in the GUI. Check for any network connectivity issues and ensure firewall settings allow OTP validation traffic between PrivacyIdea and the Ubuntu 16.x servers. Review PrivacyIdea’s logs (/var/log/privacyidea/privacyidea.log) for any errors during OTP authentication attempts.