I'll cut this short. I am trying to come up with a working solution for an SSH login using Kerberos authentication over gssapi-with-mic, with the second factor additionally provided by the privacyIDEA server. Of course, if the user has no Kerberos credentials, he/she would have to authenticate first with his password and then do the challenge-response (2nd factor) through the privacyIDEA PAM plugin.
I did a dirty workaround for this workflow which basically works. However, as I said, it is a dirty, not-so-elegant way. My question for all would be this: is there a way to trigger the challenge directly in the PAM plugin without first authenticating with a PIN or password from any source? I think some already had this question before; I also did, but it was along with a different discussion, and it is still unclear to me whether the PAM plugin can trigger only the challenge.
To elaborate more, here is my setup:
- Ubuntu Xenial
- PrivacyIDEA 2.19.1-1xenial
- Token: Yubikey
- All tokens do not have PINs and Policy-Authentication-
In the sshd.conf, the following line allows users to first authenticate with Kerberos over gssapi-with-mic and then do the 2FA over PAM, OR to directly do PAM if no Kerberos ticket is present.
... AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam keyboard-interactive:pam ...
/etc/pam.d/common-auth-2fa controls the flow of the authentication modules:
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# check if user already authenticated over gssapi-with-mic
auth [success=1 default=ignore] pam_exec.so quiet log=/var/log/ssh-2fa-log /usr/bin/check_krb5_auth.sh
# do password auth if no gssapi auth
auth requisite pam_sss.so
# privacyidea pam should trigger challenge only because of 'otppin:none' in policy
auth [success=1 default=bad] pam_python.so /lib/security/privacyidea_pam.py url=https://privacyideaserver realm=ssh_realm nosslverify debug prompt=Press_Return_key_to_continue
auth requisite pam_deny.so
# do check cleanup
auth optional pam_exec.so quiet log=/var/log/ssh-2fa-log /usr/bin/cleanup_krb5_check.sh
auth required pam_permit.so
So, the login workflow looks like this if I have a valid Kerberos ticket:
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
Press_Return_key_to_continue:
please enter otp: iiifjhniflkubjhebebrkggruktlbnbvlnbijeruhcfc
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
As you can see, I have set the prompt to 'Press_Return_key_to_continue' because I was expecting only the triggered challenge, which is 'please enter otp:', to be prompted, since I have 'otppin:none' in my policy-authentication. After pressing the Return/Enter key, the PAM plugin triggers and gets the challenge, and from there I can authenticate further using the Yubikey.
I also tried to just remove the parameter 'prompt' for my privacyidea_pam.py, and it still asks for the first step:
auth [success=1 default=bad] pam_python.so /lib/security/privacyidea_pam.py url=https://privacyideaserver realm=ssh_realm nosslverify debug
Same as before: I log in with valid Kerberos credentials, then 'Your OTP:' is prompted, I just press the Return/Enter key, then it prompts 'please enter otp:' and I press the Yubikey to authenticate.
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
Your OTP:
please enter otp: iiifjhniflkutkctgddgkcjbildjfgedkttfglckfuvf
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
What I was expecting was somehow this:
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
please enter otp: iiifjhniflkutkctgddgkcjbildjfgedkttfglckfuvf
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
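The two round trips behind the prompts in the post, as an added example that is not part of the original post and not the code of privacyidea_pam.py: a challenge-response login against privacyIDEA's /validate/check needs one request carrying the PIN (empty under otppin:none), which opens the challenge and returns a transaction_id, and a second request carrying the OTP together with that transaction_id. That first request is what the first prompt ('Your OTP:' or the renamed 'Press_Return_key_to_continue:') collects the input for. The FakePrivacyIdea class below is a constructed stand-in for the server so the script runs offline; the request parameters (user, realm, pass, transaction_id) and the response fields (result.status, result.value, detail.transaction_id, detail.message) follow the /validate/check API, while the function and class names (authenticate, ScriptedConversation) are this example's own.

```python
"""Two round trips of a privacyIDEA challenge-response login (added example).

FakePrivacyIdea is a constructed model of the server so this runs offline.
Against a real server, transport() would be an HTTPS POST of the same
parameters, e.g. requests.post(url + "/validate/check", data=params).json().
"""
import secrets
from typing import Callable, Dict, List, Optional

Transport = Callable[[Dict[str, str]], dict]


class FakePrivacyIdea:
    """Constructed server model: otppin:none policy, one challenge-response
    token per user that accepts exactly one OTP value (stand-in for a Yubikey)."""

    def __init__(self, valid_otps: Dict[str, str]) -> None:
        self.valid_otps = valid_otps            # user -> the OTP we accept
        self.transactions: Dict[str, str] = {}  # transaction_id -> user

    def validate_check(self, params: Dict[str, str]) -> dict:
        user = params["user"]
        password = params.get("pass", "")
        tid = params.get("transaction_id")
        if tid is None:
            # Round trip 1: the PIN check. With otppin:none the empty PIN is
            # the correct one, so a challenge is opened; result.value stays
            # False because nothing has been authenticated yet.
            if password != "":
                return {"result": {"status": True, "value": False},
                        "detail": {"message": "wrong otp pin"}}
            tid = secrets.token_hex(8)
            self.transactions[tid] = user
            return {"result": {"status": True, "value": False},
                    "detail": {"message": "please enter otp:",
                               "transaction_id": tid}}
        # Round trip 2: the OTP answers the open challenge. The transaction
        # is consumed whether or not the OTP is right (no retry on the same id).
        if self.transactions.pop(tid, None) != user:
            return {"result": {"status": False, "value": False},
                    "detail": {"message": "unknown transaction_id"}}
        ok = secrets.compare_digest(password, self.valid_otps.get(user, ""))
        return {"result": {"status": True, "value": ok},
                "detail": {"message": "matching 1 tokens" if ok
                           else "wrong otp value"}}


class ScriptedConversation:
    """Plays the PAM conversation: returns canned answers and records every
    prompt the module shows, so the observed prompt sequence can be checked."""

    def __init__(self, answers: List[str]) -> None:
        self._answers = iter(answers)
        self.prompts: List[str] = []

    def __call__(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return next(self._answers)


def authenticate(user: str, realm: str, transport: Transport,
                 ask: Callable[[str], str],
                 first_prompt: str = "Your OTP: ") -> bool:
    """What a PAM module has to do for a challenge-response token: the first
    prompt collects the PIN (empty under otppin:none) and sends it; the
    server answers with the challenge text and a transaction_id; only the
    second prompt collects the OTP."""
    pin = ask(first_prompt)
    first = transport({"user": user, "realm": realm, "pass": pin})
    if not first["result"]["status"]:
        return False
    if first["result"]["value"]:
        return True            # a token that authenticates in one step
    detail = first.get("detail", {})
    tid: Optional[str] = detail.get("transaction_id")
    if not tid:
        return False           # wrong PIN, or no challenge-capable token
    otp = ask(detail.get("message", "please enter otp:"))
    second = transport({"user": user, "realm": realm,
                        "pass": otp, "transaction_id": tid})
    return bool(second["result"]["status"] and second["result"]["value"])


if __name__ == "__main__":
    otp = "cccccccccccc" + "k" * 32          # constructed Yubikey-style OTP
    server = FakePrivacyIdea({"username": otp})
    conv = ScriptedConversation(["", otp])  # Return key, then the token press
    print(authenticate("username", "ssh_realm", server.validate_check, conv))
    print(conv.prompts)
```

The recorded prompt sequence is exactly the one in the post ('Your OTP:' followed by 'please enter otp:'): the first prompt exists because the module has nothing to send until it has collected the PIN, and under otppin:none the empty answer is the correct PIN. Pressing the Yubikey at the first prompt instead would send the OTP as the PIN and fail the PIN check.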