Setup Linux Client machine

Last time I checked, it worked.

I would usually modify the password-auth which is called in auth substack password-auth.
Create a privacyidea-auth. In this I would add after or replace the line

auth sufficient pam_unix.so try_first_pass

with a call to privacyIDEA.

Then you can replace the auth substack with the privacyidea-auth call and check for other services like “login”.
Check the log file of pam/auth.
Go small steps, one after the other.

If you are fed up, use RADIUS and pam_radius.

I try pam_radius and the pin, like working with pam_privacy module, gets to the server in unicode format:

[DEBUG][privacyidea.models:361] hPin: 76dd4ec8cdf42e53f7cc5bfff159abb59a4e738a9b739ad647b05fa9bb9a1759, pin: u’\010\n\r\177’

Does anyone have this working on a Redhat box?

I really like this product, but I’m not able to get it to work to present it to my boss. My privacyidea server is authenticating using pam and radius and I have a local and an openldap realm with users and servers. I can’t understand why both authentication methods send (from the client side) a wrongly formatted hPin.

So you want to do an SSH login against privacyIDEA or a local login on a Linux (Red Hat) machine?
Which one is it ssh or login?

Please describe in detail, what you are trying to do.
And send your PAM config.

I want to ssh login to a client Redhat server using privacyidea PAM to login. I have Radius configured also but have the same problem.

On the client server I got /etc/pam.d/sshd like:

[root@stldnrspapp01 ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
#auth substack privacyidea-auth
auth include postlogin
auth suficient pam_python.so /usr/lib/python2.7/site-packages/privacyidea_pam-2.11dev0-py2.7.egg/privacyidea_pam.py url=https://stldnrsppvc01.truphone.com nosslverify debug prompt=privacyIDEAD_password try_first_pass

-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
#account include privacyidea-auth
password include password-auth
#password include privacyidea-auth

session required pam_selinux.so close
session required pam_loginuid.so

session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
#session include privacyidea-auth
session include postlogin

-session optional pam_reauthorize.so prepare

I have troubleshot privacyidea_pam.py and noticed that I can’t print the strpass variable. It appears in a strange format (blob data). I believe the problem is sending the correct pin and otp to privacyidea server.

From privacyidea server I have the message of wrong hPin sent and therefore the token increments a failure attempt and authentication fails.
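
Added example, not part of the thread and not privacyIDEA code: a small check for a PAM service file such as the /etc/pam.d/sshd posted above. It flags rules whose type or control field is not a recognised PAM keyword and lists the auth rules in the order PAM evaluates them; the function names and the placeholder path and URL in the sample are assumptions.

```python
import difflib
import re

# Keywords from pam.conf(5); a control may also be a bracketed [value=action] list.
TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
RULE = re.compile(r"(-?)(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# Constructed sample: the first lines of the posted /etc/pam.d/sshd, with the
# module path and URL replaced by placeholders.
SAMPLE = """\
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
#auth substack privacyidea-auth
auth include postlogin
auth suficient pam_python.so /path/to/privacyidea_pam.py url=https://pi.example.com debug try_first_pass
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
"""

def parse_pam(text):
    """Yield (lineno, type, control, module, args); type is None if unparseable."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE.match(line)
        if m:
            yield (lineno,) + m.groups()[1:4] + (m.group(5).split(),)
        else:
            yield lineno, None, None, None, [line]

def lint_pam(text):
    """Return (lineno, message) for rules whose type or control is not a known keyword."""
    findings = []
    for lineno, mtype, control, module, args in parse_pam(text):
        if mtype is None:
            findings.append((lineno, "cannot parse rule: " + args[0]))
        elif mtype not in TYPES:
            findings.append((lineno, "unknown type '%s'" % mtype))
        elif control not in CONTROLS and not control.startswith("["):
            hint = difflib.get_close_matches(control, sorted(CONTROLS), n=1)
            msg = "unknown control '%s'" % control
            findings.append((lineno, msg + (", did you mean '%s'?" % hint[0] if hint else "")))
    return findings

def auth_stack(text):
    """Return the auth rules as (control, module) in the order PAM evaluates them."""
    return [(c, m) for _, t, c, m, _ in parse_pam(text) if t == "auth"]
```

Running lint_pam() on the real file before testing a login separates syntax problems in the stack from problems in the module or on the server.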