I have a PI server set up and have it resolving Active Directory users and hosts. I have registered a Google Authenticator token for a test account and successfully tested it.
I am now working on PAM on the client side to test this out. Although I can see, via strace and other debugging, that the privacyidea_pam.py script gets called, it does not appear to make any attempt to contact the server (tcpdump port 5000 doesn't show any traffic sent out from the client). I also don't see any error, or anything at all in the server end log.
On the client side, the /etc/pam.d/password-auth config is currently:
```
cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_python.so /usr/local/sbin/privacyidea_pam.py url=http://REDACTED_IP:5000 prompt=PIN Authentication nosslverify
auth required pam_deny.so

# rpm -ql pam_python
/lib64/security/pam_python.so
/usr/share/doc/pam_python
/usr/share/doc/pam_python/ChangeLog.txt
/usr/share/doc/pam_python/README.txt
/usr/share/doc/pam_python/agpl-3.0.txt
/usr/share/doc/pam_python/pam-python.html

# rpm -qi pam_python
Name        : pam_python
Version     : 1.0.6
Release     : 2.1
Architecture: x86_64
Install Date: Mon 16 Jul 2018 14:37:49 UTC
Group       : System/Libraries
Size        : 96620
License     : AGPLv3+
Signature   : DSA/SHA1, Fri 16 Mar 2018 08:42:05 UTC, Key ID 51f2f00ce06f8c93
Source RPM  : pam_python-1.0.6-2.1.src.rpm
Build Date  : Fri 16 Mar 2018 08:42:01 UTC
Build Host  : build72
Relocations : (not relocatable)
Vendor      : obs://build.opensuse.org/home:zhonghuaren
URL         : http://pam-python.sourceforge.net
Summary     : Support for writing PAM modules in Python
Description :
pam-python is a PAM Module that runs the Python interpreter, thus allowing PAM modules to be written in Python.
```