It’s my first time using Privacyidea and I have a very simple question for whoever can help.
I have installed a PrivacyIdea server and an Openldap server. Openldap is a realm and I can authenticate on the PrivacyIdea GUI using LDAP users. Now I have a third linux server that I want to connect to the privacyIdea box for SSH authentication. I’ve tried to configure my client to authenticate to a normal ldap server but port 389 is not listening on the Privacyidea box. I can’t understand if I can use the Privacy_pam module or if I need to additionally set up a freeradius. I’m a bit confused. Can you help me please?
welcome to privacyIDEA.
An application has different possibilities to use privacyIDEA for authentication.
Your application, that wants to use privacyIDEA for 2FA, is the SSH server.
The SSH server will use the PAM stack for authentication.
So you have two possibilities to talk to privacyIDEA:
A) privacyidea_pam
You can use the privacyIDEA PAM module, which communicates with privacyIDEA directly via the https REST API against the endpoint /validate/check.
You would do this if privacyidea_pam works out well for you and if you do not need RADIUS at any other point.
B) RADIUS
You can use the freeradius pam module, that comes with the distribution of your SSH server.
In this case you have to install the FreeRADIUS with the privacyIDEA RADIUS plugin on the privacyIDEA machine.
The PAM stack will communicate via the RADIUS protocol to FreeRADIUS, which will pass the request to privacyIDEA (via the REST API).
You will choose this one if it is easier for you to set up the default pam_radius on the SSH machine and if you can use the RADIUS server for other purposes like VPN…
Thank you for your quick and clear answer. I’ve googled the www searching for how to install the privacyIDEA pam module on CentOS and I haven’t found any repo with it. Is it available only for the Ubuntu flavour?
I believe I also have to install pam_python, right? I mean, I already installed pam_python_master from the above link but it is giving the error that pam_python is missing:
PAM unable to dlopen(/usr/lib64/security/pam_python.so): /usr/lib64/security/pam_python.so: cannot open shared object file
I have installed the pam module from https://github.com/privacyidea/pam_python and added auth requisite pam_python.so /path/to/modules/privacyidea-pam.py but I had the error “PAM unable to dlopen(/usr/lib64/security/pam_python.so): /usr/lib64/security/pam_python.so: cannot open shared object file”. I then installed pam_python pam-python-1.0.6-1 and the error is gone. But it seems like the pam module is never called for authentication. I added the following lines to the authentication files:
Aug 29 16:24:20 stldnrspapp01 sshd[14427]: debug1: PAM: initializing for “rsilva”
Aug 29 16:24:20 stldnrspapp01 sshd[14427]: debug1: PAM: setting PAM_RHOST to “gateway”
Aug 29 16:24:20 stldnrspapp01 sshd[14427]: debug1: PAM: setting PAM_TTY to “ssh”
Aug 29 16:24:20 stldnrspapp01 sshd[14427]: debug1: userauth_send_banner: sent [preauth]
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: debug1: userauth-request for user rsilva service ssh-connection method password [preauth]
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: debug1: attempt 1 failures 0 [preauth]
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: privacyidea_pam: running try_first_pass
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: Traceback (most recent call last):
  File “/usr/lib/python3.4/site-packages/privacyidea_pam-2.11.dev0-py3.4.egg/privacyidea_pam.py”, line 329, in pam_sm_authenticate
    rval = Auth.authenticate(pamh.authtok)
  File “/usr/lib/python3.4/site-packages/privacyidea_pam-2.11.dev0-py3.4.egg/privacyidea_pam.py”, line 140, in authenticate
    r, serial = check_offline_otp(self.user, password, self.sqlfile, window=10)
  File “/usr/lib/python3.4/site-packages/privacyidea_pam-2.11.dev0-py3.4.egg/privacyidea_pam.py”, line 389, in check_offline_otp
    conn = sqlite3.connect(sqlfile)
OperationalError: unable to open database file
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: privacyidea_pam: unable to open database file
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: pam_unix(sshd:auth): check pass; user unknown
Aug 29 16:24:37 stldnrspapp01 sshd[14427]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gateway
Aug 29 16:24:40 stldnrspapp01 sshd[14427]: debug1: PAM: password authentication failed for an illegal user: User not known to the underlying authentication module
Aug 29 16:24:40 stldnrspapp01 sshd[14427]: Failed password for invalid user rsilva from 10.21.197.209 port 49512 ssh2
Can you help me troubleshooting this please?
Why do I need a local DB on the client machine?
OK, I got it. I had to troubleshoot the python pam and found that selinux was not permitting the file to be created. Almost done getting my PoC working. Now my user from the ldap realm, using a HOTP token, is getting a wrong PIN error. I read that by default offline authentication expects pin+token. The test on the token site works fine but not when debugging authentication on the PrivacyIdea appliance:
[DEBUG][privacyidea.lib.token:197] Exiting check_token_list with result (False, {‘message’: ‘wrong otp pin’})
Entering get_action_values with arguments (<privacyidea.lib.policy.PolicyClass object at 0x7f80489ee910>,) and keywords {‘realm’: u’ldap_rsp’, ‘client’: ‘10.21.197.211’, ‘user’: u’rsilva’, ‘resolver’: u’ldapserver’, ‘action’: ‘auth_max_success’, ‘scope’: ‘authorization’, ‘unique’: True}
Not sure what’s wrong now! Is a policy missing?
Your PIN is wrong. That we know. But how should we know why?
It depends on your authentication policies and on what you enter at the authentication step.
Note that in the PAM stack you have to enter “PIN+OTP” in one step.
Please tell which authentication policies you have defined!
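The reply above (privacyidea_pam talking to /validate/check) and this one (PIN and OTP are sent in one step, so a bare OTP produces “wrong otp pin”) can be seen together in a small Python script. This is an added example for the thread, not code from privacyIDEA or the privacyidea_pam project: the server URL is a placeholder, the server replies and the PIN/OTP values are constructed, and the HTTP transport is injectable so everything runs offline. It also includes a pre-flight check for the offline sqlite file, which reproduces the “unable to open database file” failure from the traceback earlier in the thread (a missing or non-writable directory; an SELinux denial shows up the same way).

```python
# Added example for this thread (not code from privacyIDEA or the
# privacyidea_pam project): what the PAM module does against the
# /validate/check REST endpoint, and a pre-flight check for the offline
# sqlite file that failed with "unable to open database file" above.
# Assumptions: the server URL is a placeholder, the server replies below
# are constructed, and the transport is injectable so this runs offline.
import json
import os
import sqlite3
import tempfile
import urllib.parse
import urllib.request


def validate_check(base_url, user, pin, otp, realm=None, opener=None):
    """POST /validate/check with pass=PIN+OTP sent in one step, as the
    PAM stack must. Returns (authenticated, message).

    `opener(url, body_bytes) -> response_bytes` is injectable; without it
    a real HTTPS request is made with urllib.
    """
    params = {"user": user, "pass": pin + otp}  # PIN and OTP concatenated
    if realm:
        params["realm"] = realm
    body = urllib.parse.urlencode(params).encode()
    url = base_url.rstrip("/") + "/validate/check"
    if opener is None:
        def opener(u, b):
            with urllib.request.urlopen(u, b, timeout=10) as resp:
                return resp.read()
    reply = json.loads(opener(url, body))
    result = reply.get("result", {})
    message = reply.get("detail", {}).get("message", "")
    if not result.get("status", False):
        # status=False: the request itself failed (bad realm, policy error);
        # the reason is in result.error, not in detail.message
        err = result.get("error", {}).get("message", message)
        return False, "server error: %s" % err
    # status=True and value=False is an ordinary rejection, e.g. "wrong otp pin"
    return bool(result.get("value", False)), message


# Constructed server replies following the result/detail layout of /validate/check
FAKE_OK = json.dumps({"result": {"status": True, "value": True},
                      "detail": {"message": "matching 1 tokens"}}).encode()
FAKE_WRONG_PIN = json.dumps({"result": {"status": True, "value": False},
                             "detail": {"message": "wrong otp pin"}}).encode()


def make_fake_opener(expected_pass):
    """Stand-in for the privacyIDEA server: accepts exactly one PIN+OTP
    string and answers "wrong otp pin" for anything else, which is what a
    client that sends the bare OTP (PIN missing) gets back."""
    def opener(url, body):
        if not url.endswith("/validate/check"):
            raise ValueError("unexpected endpoint " + url)
        sent = urllib.parse.parse_qs(body.decode())
        return FAKE_OK if sent.get("pass", [""])[0] == expected_pass else FAKE_WRONG_PIN
    return opener


def check_offline_db(sqlfile):
    """Pre-flight for the PAM module's offline sqlite file. Returns (ok, reason).
    Mirrors the failure in the thread: sqlite3.connect raises OperationalError
    "unable to open database file" when the parent directory is missing or
    writing is denied. An SELinux denial passes os.access but fails at open,
    so the real connect is attempted rather than trusting os.access alone."""
    directory = os.path.dirname(os.path.abspath(sqlfile))
    if not os.path.isdir(directory):
        return False, "directory %s does not exist" % directory
    if not os.access(directory, os.W_OK):
        return False, "directory %s is not writable" % directory
    try:
        conn = sqlite3.connect(sqlfile)
        conn.execute("PRAGMA user_version")
        conn.close()
    except sqlite3.OperationalError as exc:
        return False, "sqlite: %s" % exc
    return True, "ok"


def demo_offline_db():
    """Exercise check_offline_db on a writable temp dir and on a missing dir."""
    tmp = tempfile.mkdtemp()
    good = check_offline_db(os.path.join(tmp, "privacyidea.sqlite"))
    bad = check_offline_db(os.path.join(tmp, "no_such_dir", "privacyidea.sqlite"))
    return good[0], bad[0]


if __name__ == "__main__":
    srv = make_fake_opener("1234" + "755224")  # constructed PIN "1234", OTP "755224"
    print(validate_check("https://pi.example.org", "rsilva", "1234", "755224",
                         realm="ldap_rsp", opener=srv))   # (True, 'matching 1 tokens')
    print(validate_check("https://pi.example.org", "rsilva", "", "755224",
                         realm="ldap_rsp", opener=srv))   # (False, 'wrong otp pin')
    print(demo_offline_db())                                # (True, False)
```

The second validate_check call is the situation described in the thread: the OTP is correct but the PIN is not in front of it, and the server can only answer “wrong otp pin”. On a real client, run check_offline_db as the same uid sshd uses for the PAM stack; a denial that appears there but not for root points at a permission or SELinux problem on the sqlite path rather than at the module itself.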
I’ve installed a second client server; this time I did not install anything from python 3 and the machine is trying to validate the otp pin with the Privacyidea server. The otp pin is always wrong, because it is delivered in the same wrong format. Any idea guys?