Hello everybody,
we are using privacyIDEA 3.2.1 and I'm trying to set up SSH Key Management.
In privacyID3A everything is ready: User Resolver, Realm, Host Resolver, Hosts, SSH Key.
On the client, privacyideaadm for python3 is installed (via git), and after suppressing some error messages it can pull the keys from the server:
#!/bin/bash
# Wrapper: fetch the authorized keys for the user given as $1 and drop the Python warnings
/opt/rh/rh-python36/root/usr/bin/privacyidea-authorizedkeys "$1" 2>&1 | grep -v "^/opt/rh/rh-python36/" | grep -v InsecureRequestWarning
/usr/local/bin/getauthkeys root
ssh-rsa......
So this works. Now I'm trying to set up 2FA on a CentOS 7 machine.
Therefore I first installed pam_python from https://github.com/privacyidea/pam_python and pam-python-1.0.7.
The installation was easy, I just needed to install some more packages like sphinx or pam-devel, but in the end I've got a pam_python.so for my PAM system.
Now I'm stuck on using the PAM module with sshd:
In /etc/pam.d/sshd I have:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
auth requisite pam_python.so /opt/pam_python/build/lib/privacyidea_pam.py url=https://otp-server nosslverify prompt=privacyIDEA_Authentication debug
In my sshd_config:
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
StrictModes no
IgnoreRhosts yes
PermitEmptyPasswords no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160
X11Forwarding yes
X11UseLocalhost yes
AllowTcpForwarding yes
PrintMotd no
MaxAuthTries 12
MaxStartups 100
Subsystem sftp /usr/local_rwth/sbin/sftp-server
ClientAliveInterval 60
AcceptEnv XAUTHORITY REMOTEUSER REAL_USERNAME GRSH_TASK_ID PRIVATE_* R_SKIP_PROFILES
AllowUsers root *@localhost *@machine
AuthorizedKeysFile none
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommand /usr/local/bin/getauthkeys
But sshd does not ask for my OTP. Is something wrong in my configuration? Did I miss a step?
Regards
Stephan
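As an added example (not code from the post, from privacyIDEA or from pam_python): a Python check over an sshd_config for the three OpenSSH settings that decide whether a PAM module's keyboard-interactive prompt can reach the user at all: UsePAM (sshd consults PAM only when it is yes), ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH, which carries PAM conversation prompts), and AuthenticationMethods (a successful public-key login otherwise bypasses the PAM auth stack). The sample config is the PAM-relevant excerpt of the post's sshd_config.

```python
"""Report why a PAM module's second-factor prompt would not appear during an SSH login,
based on the sshd_config settings that govern PAM use and keyboard-interactive."""
import re

# Constructed sample: the PAM-relevant lines from the post's sshd_config (no UsePAM line there).
POST_SSHD_CONFIG = """
ChallengeResponseAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/getauthkeys
"""


def parse_sshd_config(text):
    """Map lowercased keyword -> value; sshd honours the first occurrence of a keyword.
    Lines inside a Match block are skipped because they apply only conditionally."""
    settings, in_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blank lines
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.*)", line)  # "Keyword value" or "Keyword=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
        elif not in_match:
            settings.setdefault(key, value)
    return settings


def check_pam_second_factor(settings):
    """Return the reasons a PAM-driven OTP prompt would never reach the user."""
    findings = []
    if settings.get("usepam", "no").lower() != "yes":  # compiled-in default is no
        findings.append("UsePAM is not yes: sshd does not run the PAM auth stack")
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "yes":
        findings.append("keyboard-interactive is disabled: PAM prompts cannot be shown")
    if settings.get("pubkeyauthentication", "yes").lower() == "yes":
        # Every space-separated alternative must include keyboard-interactive; otherwise a
        # valid key alone completes the login without the PAM auth stack being consulted.
        alternatives = settings.get("authenticationmethods", "any").split()
        weak = [a for a in alternatives
                if not any(m.split(":")[0] == "keyboard-interactive" for m in a.split(","))]
        if weak:
            findings.append("public key alone suffices (%s): PAM auth is skipped" % " ".join(weak))
    return findings
```

Running `check_pam_second_factor(parse_sshd_config(POST_SSHD_CONFIG))` yields three findings for the excerpt above; a config with `UsePAM yes`, `KbdInteractiveAuthentication yes` and `AuthenticationMethods publickey,keyboard-interactive:pam` yields none.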