RHEL 7.5 pam configuration


#1

Hi,

I have a PI server set up and have it resolving Active Directory users and hosts, and have registered a Google Authenticator token for a test account and successfully tested it.

I am now working on PAM on the client side to test this out, but although I can see, via strace and other debugging, that the privacyidea_pam.py script gets called, it does not appear to make any attempt to contact the server (tcpdump on port 5000 doesn’t show any traffic sent out from the client). I also don’t see any error, or anything at all in the log at the server end.

On the client side, the /etc/pam.d/password-auth config is currently -

cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_python.so /usr/local/sbin/privacyidea_pam.py url=http://REDACTED_IP:5000 prompt=PIN Authentication nosslverify
auth        required      pam_deny.so


# rpm -ql pam_python
/lib64/security/pam_python.so
/usr/share/doc/pam_python
/usr/share/doc/pam_python/ChangeLog.txt
/usr/share/doc/pam_python/README.txt
/usr/share/doc/pam_python/agpl-3.0.txt
/usr/share/doc/pam_python/pam-python.html
# rpm -qi pam_python
Name        : pam_python
Version     : 1.0.6
Release     : 2.1
Architecture: x86_64
Install Date: Mon 16 Jul 2018 14:37:49 UTC
Group       : System/Libraries
Size        : 96620
License     : AGPLv3+
Signature   : DSA/SHA1, Fri 16 Mar 2018 08:42:05 UTC, Key ID 51f2f00ce06f8c93
Source RPM  : pam_python-1.0.6-2.1.src.rpm
Build Date  : Fri 16 Mar 2018 08:42:01 UTC
Build Host  : build72
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/home:zhonghuaren
URL         : http://pam-python.sourceforge.net
Summary     : Support for writing PAM modules in Python
Description :
pam-python is a PAM Module that runs the Python interpreter, thus allowing PAM
modules to be written in Python.

#2

Hi,

Please try to put the prompt value in quotes so that PAM wouldn’t confuse it as another option.
Also, adding the debug option prints some more information in the “auth.log” (maybe it has a different name in CentOS).
And finally try to issue an authentication request from the shell (i.e. with the httpie package):
http --verify no POST https://YOUR_PI_URL:5000/validate/check user=USERNAME pass=OTPPIN

Hope it helps.
Paul


#3

Thanks Paul, much appreciated! The httpie test does confirm all is good with the back end service and communicating with it, so that’s cool.

One point, though, is that it works with http and not https.

I also should say I erroneously said CentOS, the server and pam clients are running RHEL 7.5 and not CentOS.

On the PAM side, I have modified password-auth to this, but still no joy.

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_python.so /usr/local/sbin/privacyidea_pam.py url="http://IPREDACTED:5000" prompt="PIN" nosslverify
auth        required      pam_deny.so

#4
http --verify no POST http://IPREDACTED:5000/validate/check user=USER pass=PIN+TOKEN
HTTP/1.0 200 OK
Cache-Control: no-cache
Content-Length: 919
Content-Type: application/json
Date: Tue, 17 Jul 2018 07:42:30 GMT
Server: Werkzeug/0.14.1 Python/2.7.5

{
    "detail": {
        "message": "matching 1 tokens",
        "otplen": 6,
        "serial": "OATHSERIAL",
        "threadid": 139936905262912,
        "type": "hotp"
    },
    "id": 1,
    "jsonrpc": "2.0",
    "result": {
        "status": true,
        "value": true
    },
    "signature": "SIGTEXT",
    "time": 1531813349.946326,
    "version": "privacyIDEA 2.22.2",
    "versionnumber": "2.22.2"
}
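
The httpie call in post #2 and the JSON it returned in post #4 are the quickest way to separate a server-side problem from a PAM problem. The following is an added example, not code from the thread or from the privacyIDEA project: it builds the same POST to /validate/check with the standard library, and interprets the reply the way a client should, treating the OTP as accepted only when both "result.status" and "result.value" are true (a processed-but-rejected OTP has status true and value false). The sample bodies are constructed; the transport is injectable so the logic can be exercised without a server. Certificate verification stays on unless the caller opts out, which is the equivalent of the script’s nosslverify and httpie’s --verify no; note that the plain-http URL the thread ends up using sends the PIN+OTP unencrypted to the server.

```python
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample bodies (not captured from a server). Their shape follows the
# /validate/check reply shown in the thread: "result.status" says whether the
# request was processed, "result.value" says whether the OTP was accepted.
ACCEPT_BODY = '{"result": {"status": true, "value": true}, "detail": {"message": "matching 1 tokens"}}'
REJECT_BODY = '{"result": {"status": true, "value": false}, "detail": {"message": "constructed: otp rejected"}}'
ERROR_BODY = '{"result": {"status": false, "error": {"message": "constructed: request failed"}}}'


def build_request(base_url, user, otp):
    """Return (url, form-encoded body) equivalent to:
    http POST <base_url>/validate/check user=<user> pass=<otp>"""
    url = base_url.rstrip("/") + "/validate/check"
    data = urllib.parse.urlencode({"user": user, "pass": otp}).encode()
    return url, data


def otp_accepted(body):
    """True only when the server reports result.status AND result.value as true.
    Anything else (error reply, rejected OTP, malformed body) is a failed login."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    result = doc.get("result") if isinstance(doc, dict) else None
    if not isinstance(result, dict):
        return False
    return result.get("status") is True and result.get("value") is True


def http_transport(verify_tls=True):
    """Return a callable (url, data) -> response body using urllib."""
    def send(url, data):
        ctx = ssl.create_default_context()
        if not verify_tls:
            # Same effect as the script's nosslverify / httpie --verify no:
            # the server certificate is not checked.
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=data, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.read().decode()
    return send


def check_otp(base_url, user, otp, transport=None, verify_tls=True):
    """Send the validate/check request and return True only on an accepted OTP.
    Network or TLS failures count as rejection, never as success."""
    send = transport or http_transport(verify_tls)
    url, data = build_request(base_url, user, otp)
    try:
        body = send(url, data)
    except (OSError, ValueError):
        return False
    return otp_accepted(body)


if __name__ == "__main__":
    # Offline demonstration against the constructed bodies.
    for name, body in (("accept", ACCEPT_BODY), ("reject", REJECT_BODY), ("error", ERROR_BODY)):
        print(name, otp_accepted(body))
```

Against a real server the call is check_otp("https://YOUR_PI_URL:5000", "USERNAME", "PIN+OTP"); the result is the same boolean the PAM module needs, and nothing in the reply other than result.status and result.value is trusted for that decision.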

#5

OK, I have some more pointers:

  • Please check if SELinux is enabled and if so, disable it and reboot (SELINUX=disabled in /etc/selinux/config)
  • remove all the quotes, especially from the url since the script uses the parameters verbatim…
  • add the parameter debug at the end of the auth-line and watch the journal (journalctl --system -f)
  • and finally, make sure your login method uses the correct PAM stack (password-auth in your case)
    This is how I got it working in CentOS 7

HTH
Paul


#6

Hi Paul,

I have tried the steps you outline above already to no avail.
SELinux being permanently disabled is not an option for the piece of work in question in any case.
I am now looking to use FreeRADIUS and pam_radius instead for 2FA for RHEL clients, hopefully I’ll have more success with that!


#7

OK, so I finally figured out the root cause here and the fix.
This is my working config now -

auth sufficient pam_python.so /usr/local/sbin/privacyidea_pam.py realm=scotgovtest url=http://IPREDACTED:5000 prompt=PIN nosslverify debug sqlfile=/tmp/pi.sql

I also needed some sshd config changes to allow the PIN challenge to work -

ChallengeResponseAuthentication yes

AuthenticationMethods keyboard-interactive

The main issue I had, though, was my own misunderstanding in that the SSH key authentication I had already set up was superseding the pam_python one.

In the end, the requirement I have is AD authentication via sssd + OTP from PrivacyIdea, so I now need to take this further using a VM with that sssd/AD setup in place and then configure it to enforce the need for both the AD password and the OTP from the token.
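
The root cause in post #7 (a valid SSH key satisfying sshd before PAM was ever asked) and the "both password and OTP" requirement stated at the end are both configuration-ordering problems, and both can be caught by reading the config files rather than by trial logins. The following is an added example, not code from the thread or from the privacyIDEA project: it parses an sshd_config fragment and the auth lines of a PAM stack and reports the conditions under which the OTP prompt would be skipped. The sshd checks rely on documented sshd_config semantics (first occurrence of a keyword wins; UsePAM defaults to no; AuthenticationMethods defaults to any, so a public key alone logs in; every space-separated alternative in AuthenticationMethods must include keyboard-interactive for PAM to be reached). The PAM check flags a "sufficient" module ahead of pam_python.so, because a success there returns from the stack before the OTP is requested; the thread’s own password-auth has pam_unix.so in exactly that position. Match blocks and the key=value sshd syntax are not handled, which is a simplification of this example.

```python
# Constructed copy of the auth section of the thread's password-auth (post #3).
THREAD_STACK = """
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_python.so /usr/local/sbin/privacyidea_pam.py url=http://IPREDACTED:5000 prompt=PIN nosslverify
auth        required      pam_deny.so
"""

# Constructed sshd_config fragment matching the settings from post #7.
THREAD_SSHD = """
UsePAM yes
ChallengeResponseAuthentication yes
AuthenticationMethods keyboard-interactive
"""


def parse_sshd_config(text):
    """Map lower-cased keyword -> first value. sshd uses the first occurrence
    of each keyword, so later duplicates are deliberately ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd(text):
    """Return a list of reasons the PAM keyboard-interactive prompt would be skipped."""
    conf = parse_sshd_config(text)
    problems = []
    if conf.get("usepam", "no").lower() != "yes":
        problems.append("UsePAM is not yes: sshd will not run the PAM auth stack")
    if conf.get("challengeresponseauthentication", "yes").lower() != "yes":
        problems.append("ChallengeResponseAuthentication is not yes: the PIN prompt cannot be shown")
    methods = conf.get("authenticationmethods", "any")
    if methods.lower() == "any":
        problems.append("AuthenticationMethods is 'any': a valid SSH key alone logs in and PAM auth is skipped")
    else:
        # Space-separated alternatives; each alternative is a comma-separated
        # list that must be satisfied in full.  'keyboard-interactive:pam' is
        # a valid spelling, so compare on the part before the colon.
        for alternative in methods.split():
            names = [m.split(":", 1)[0].lower() for m in alternative.split(",")]
            if "keyboard-interactive" not in names:
                problems.append(f"AuthenticationMethods alternative '{alternative}' does not require keyboard-interactive")
    return problems


def parse_pam_auth(text):
    """Return [(control, module basename)] for the 'auth' lines, in stack order."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#") or fields[0].lower() != "auth" or len(fields) < 3:
            continue
        if fields[1].startswith("["):
            # Bracketed control, e.g. [success=1 default=ignore]
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None or len(fields) <= end + 1:
                continue
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        entries.append((control.lower(), module.rsplit("/", 1)[-1]))
    return entries


def audit_pam_auth(text):
    """Return a list of reasons pam_python.so would not be reached or could be bypassed."""
    entries = parse_pam_auth(text)
    modules = [m for _, m in entries]
    if "pam_python.so" not in modules:
        return ["no pam_python.so line in the auth stack"]
    otp_idx = modules.index("pam_python.so")
    problems = []
    if "pam_deny.so" in modules and modules.index("pam_deny.so") < otp_idx:
        problems.append("pam_python.so comes after pam_deny.so and is never reached")
    for control, module in entries[:otp_idx]:
        if control == "sufficient":
            problems.append(f"{module} is 'sufficient' before pam_python.so: a success there ends the stack without the OTP")
    return problems


if __name__ == "__main__":
    print("sshd:", audit_sshd(THREAD_SSHD) or "ok")
    print("pam:", audit_pam_auth(THREAD_STACK) or "ok")
```

Run against the thread’s own files the sshd side passes (the post #7 settings force keyboard-interactive for every login) while the PAM side reports pam_unix.so as a sufficient module ahead of pam_python.so; that is the line to change when the goal is password and OTP together rather than either one.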