RSA key + TOTP authentication problem

Hello,

I’ve successfully set up SSH key-based authentication with privacyIDEA but I
have a problem with TOTP auth.
I’ve been using RADIUS and its configuration looks like this on the
privacyIDEA server:
client clientprivacyIDEA {
ipaddr = 192.168.1.123
netmask = 24
secret = lewandowskim
}

On client I’ve added this line in /etc/pam.d/sshd:
@include otp-auth

and my otp-auth file looks like this:
auth [success=1 default=ignore] pam_radius_auth.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

also my pam_radius_auth.conf is like:
192.168.1.123 lewandowskim 5

And when I try to log in I’ve only used an RSA key and in the logs I receive the
following info:
[INFO][privacyidea.lib.applications.ssh:89] Token u'TOTP0001653E', type
u'totp' is not supported by SSH application module

How can I fix it?

Thanks,
Michal

I also forgot to mention that I’m using Ubuntu 14.04.

I’ve tested normal authentication only via RSA key and it works fine.
Actually I must attach some application because otherwise privacyIDEA
doesn’t allow me to attach a machine to the TOTP token.
I’ve checked the RADIUS log and on the privacyIDEA server it receives something like
this:

Error: Failed binding to authentication address * port 1812: Address
already in use
Error: /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0
port 1812
Error: Ignoring request to authentication address * port 1812 from unknown
client 192.168.43.96 port 49567

I’ll also attach my radius server configuration.

Hello Michal,

you have given a lot of RADIUS configuration, but did you take a look at the
RADIUS log?!

The log from privacyIDEA tells that you have obviously attached the
TOTP token to this client machine with the SSH application.
You do not need to do this - or you must not do this.
The “normal” TOTP token does not need to be attached.

  1. verify normal authentication (e.g. REST API)
    → take a look at privacyIDEA log
  2. verify RADIUS authentication (WITHOUT SSH!) e.g. radclient
    → take a look at the RADIUS log
  3. If this is all working right, you can check SSH.
    → take a look at PAM log

This is the recommended way to narrow down a problem. ,-)

Kind regards
Cornelius

On Monday, 11.07.2016, 14:08 -0700, Michał Lewndowski wrote:
Please read the blog post about getting help
Getting help – privacyID3A.

For professional services and consultancy regarding two factor
authentication please visit
One Time Services - NetKnights - IT-Sicherheit - Zwei-Faktor-Authentisierung - Verschlüsselung

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
privacyIDEA Support Level

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/af8b4842-a577-4a1f-aa88-3e0d2ee63484%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Do not attach TOTP to a machine. There is no sense in doing this.

FreeRADIUS sometimes does not stop correctly. So you first need to kill
the other FreeRADIUS. Simple as that.
There can only be one FreeRADIUS listening on port 1812.

Kind regards
Cornelius

On Tuesday, 12.07.2016, 01:48 -0700, Michał Lewndowski wrote:
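The checklist above (test RADIUS on its own before touching SSH) and the port-conflict diagnosis in the follow-up can be turned into a small check on the privacyIDEA server. The script below is an added example, not code from the thread, privacyIDEA or FreeRADIUS: it classifies FreeRADIUS log lines like the ones quoted, extracts the source IP that the daemon rejected and checks it against a client block's ipaddr/netmask. The sample log lines and the 192.168.1.123/24 client block are taken from the thread; the helper names (classify_radius_line, diagnose_radius_log and the rest) are my own. Note that the rejected source 192.168.43.96 lies outside 192.168.1.0/24, so the "unknown client" line would also appear with a correctly restarted daemon until a client block covers that network.

```shell
#!/bin/sh
# Added example, not code from the thread or from privacyIDEA/FreeRADIUS.
# Reads FreeRADIUS log lines like the ones quoted in the thread and reports
# which part of step 2 ("RADIUS without SSH") is broken. Log lines and the
# client block values are constructed from the thread; helper names are mine.

# classify_radius_line LINE -> port_conflict | unknown_client | ok
classify_radius_line() {
  case "$1" in
    *"Address already in use"*|*"Error binding to port"*) echo port_conflict ;;
    *"from unknown client"*) echo unknown_client ;;
    *) echo ok ;;
  esac
}

# unknown_client_ip LINE -> the source IP FreeRADIUS rejected (empty if none)
unknown_client_ip() {
  printf '%s\n' "$1" | sed -n 's/.*from unknown client \([0-9.]*\) port.*/\1/p'
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_subnet IP NETIP PREFIX -> true if IP is covered by NETIP/PREFIX,
# i.e. by a "client { ipaddr = NETIP  netmask = PREFIX }" block
ip_in_subnet() {
  mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# diagnose_radius_log FILE NETIP PREFIX -> prints findings, returns 0 only if clean
diagnose_radius_log() {
  rc=0
  while IFS= read -r line; do
    case "$(classify_radius_line "$line")" in
      port_conflict)
        echo "port conflict: a stale radiusd still holds 1812; stop or kill it before restarting"
        rc=1 ;;
      unknown_client)
        ip=$(unknown_client_ip "$line")
        if ip_in_subnet "$ip" "$2" "$3"; then
          echo "unknown client $ip although $2/$3 covers it: the daemon that answered is not running this clients.conf"
        else
          echo "unknown client $ip is outside the configured client block $2/$3"
        fi
        rc=1 ;;
    esac
  done < "$1"
  return $rc
}

# Constructed sample log, copied from the lines quoted in the thread
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Error: Failed binding to authentication address * port 1812: Address already in use
Error: /etc/freeradius/radiusd.conf[240]: Error binding to port for 0.0.0.0 port 1812
Error: Ignoring request to authentication address * port 1812 from unknown client 192.168.43.96 port 49567
EOF
diagnose_radius_log "$LOG" 192.168.1.123 24 \
  || echo "RADIUS is not healthy yet; fix the above before testing SSH/PAM"
rm -f "$LOG"
```

Run it against the real log (for example `diagnose_radius_log /var/log/freeradius/radius.log 192.168.1.123 24` after sourcing the file) once the stale daemon has been stopped; only when it returns 0 and `radclient` gets an Access-Accept is it worth looking at the PAM log on the SSH client.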