Setup Linux Client machine

Last time I checked, it worked.

I would usually modify the password-auth which is called in auth substack password-auth.
Create a privacyidea-auth. In this I would add after or replace the line

auth sufficient try_first_pass

with a call to privacyIDEA.

Then you can replace the auth substack with the privacyidea-auth call and check for other services like “login”.
Check the log file of pam/auth.
Go small steps, one after the other.

If you are fed up, use RADIUS and pam_radius.

I try pam_radius and the pin, like working with pam_privacy module, gets to the server in unicode format:

[DEBUG][privacyidea.models:361] hPin: 76dd4ec8cdf42e53f7cc5bfff159abb59a4e738a9b739ad647b05fa9bb9a1759, pin: u’\010\n\r\177’

Does anyone have this working on a Redhat box?

I really like this product, but I’m not able to get it to work to present it to my boss. My privacyidea server is authenticating using pam and radius and I have a local and an openldap realm with users and servers. I can’t understand why both authentication methods send (from the client side) a wrongly formatted hPin.

So you want to do an SSH login against privacyIDEA or a local login on a Linux (Red Hat) machine?
Which one is it ssh or login?

Please describe in detail, what you are trying to do.
And send your PAM config.

I want to ssh login to a client Redhat server using privacyidea PAM to login. I have Radius configured also but have the same problem.

On the client server I got /etc/pam.d/sshd like:

[root@stldnrspapp01 ~]# cat /etc/pam.d/sshd
auth required
auth substack password-auth
#auth substack privacyidea-auth
auth include postlogin
auth suficient /usr/lib/python2.7/site-packages/privacyidea_pam-2.11dev0-py2.7.egg/ url= nosslverify debug prompt=privacyIDEAD_password try_first_pass

-auth optional prepare
account required
account include password-auth
#account include privacyidea-auth
password include password-auth
#password include privacyidea-auth

session required close
session required

session required open env_params
session required
session optional force revoke
session include password-auth
#session include privacyidea-auth
session include postlogin

-session optional prepare

I have troubleshooted and noticed that I can’t print the strpass variable. It appears in a strange format (blob data). I believe the problem is sending the correct pin and otp to privacyidea server.

From privacyidea server I have the message of wrong hPin sent and therefore the token increments a failure attempt and authentication fails.
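A diagnostic for the debug line quoted in this thread, added here as an example and not posted by any participant or taken from privacyIDEA. The control characters in that pin match the start of the placeholder `"\b\n\r\177INCORRECT"` that OpenSSH's `auth-pam.c` passes to PAM instead of the typed password when sshd treats the account as invalid or root login is not permitted. The function names and the sample line are assumptions, and the check assumes the PIN is the leading part of the password.

```python
import re

# Placeholder OpenSSH hands to PAM in place of the typed password
# (junk[] in auth-pam.c), repeated cyclically to the typed length.
SSHD_JUNK = "\b\n\r\x7fINCORRECT"

# Constructed sample modelled on the debug line in the thread (hash elided).
SAMPLE = r"[DEBUG][privacyidea.models:361] hPin: <hash>, pin: u'\010\n\r\177'"

# pin field at end of line; accepts straight or typographic quotes.
PIN_RE = re.compile(r"pin: u?['\u2018\u2019](?P<pin>.*)['\u2018\u2019]\s*$")


def decode_pin(log_line):
    """Return the logged pin with its Python repr escapes decoded, or None."""
    m = PIN_RE.search(log_line)
    if m is None:
        return None
    raw = m.group("pin")
    # Turn literal escapes such as \010 or \177 back into the real characters.
    return raw.encode("latin-1", "backslashreplace").decode("unicode_escape")


def is_sshd_placeholder(pin):
    """True if pin equals SSHD_JUNK repeated and cut to the pin's length."""
    if not pin:
        return False
    repeats = len(pin) // len(SSHD_JUNK) + 1
    return pin == (SSHD_JUNK * repeats)[:len(pin)]


def diagnose(log_line):
    """Classify one privacyIDEA debug line by what its pin field contains."""
    pin = decode_pin(log_line)
    if pin is None:
        return "no pin field found"
    if is_sshd_placeholder(pin):
        return "sshd placeholder: the real password never reached PAM"
    return "pin is not the sshd placeholder"


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

If the placeholder is reported, check on the SSH server that the login name resolves to a local or NSS account and that sshd permits that user, before debugging the PAM module itself.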