Hi Everyone,
I'll cut this short. I am trying to come up with a working solution for an SSH login using Kerberos authentication over gssapi-with-mic, plus the second factor provided by the privacyIDEA server. Of course, if the user has no Kerberos credentials, he or she would have to authenticate first with a password and then do the challenge-response (2nd factor) through the privacyIDEA PAM plugin.
I did a dirty workaround for this workflow which basically works; however, as I said, it is a dirty, not-so-elegant way. My question for all of you is this: is there a way to trigger the challenge directly in the PAM plugin without first authenticating with a PIN or password from any source? I think some have already asked this question before; I did too, but it was part of a different discussion, and it is still unclear to me whether the PAM plugin can trigger only the challenge.
To elaborate more, here is my setup:
- Ubuntu Xenial
- PrivacyIDEA 2.19.1-1xenial
- MySQL
- Token: Yubikey
- None of the tokens has a PIN, and the authentication policy 'otppin:none' is set
In sshd_config, the following line allows users to first authenticate with Kerberos over gssapi-with-mic and then do the 2FA over PAM, OR to go directly to PAM if no Kerberos ticket is present:
...
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam keyboard-interactive:pam
...
/etc/pam.d/common-auth-2fa controls the flow of authentication modules:
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# check if user already authenticated over gssapi-with-mic
auth [success=1 default=ignore] pam_exec.so quiet log=/var/log/ssh-2fa-log /usr/bin/check_krb5_auth.sh
# do password auth if no gssapi auth
auth requisite pam_sss.so
# privacyidea pam should trigger challenge only because of 'otppin:none' in policy
auth [success=1 default=bad] pam_python.so /lib/security/privacyidea_pam.py url=https://privacyideaserver realm=ssh_realm nosslverify debug prompt=Press_Return_key_to_continue
auth requisite pam_deny.so
# do check cleanup
auth optional pam_exec.so quiet log=/var/log/ssh-2fa-log /usr/bin/cleanup_krb5_check.sh
auth required pam_permit.so
So, if I have a valid Kerberos ticket, the login workflow looks like this:
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
Press_Return_key_to_continue:
please enter otp: iiifjhniflkubjhebebrkggruktlbnbvlnbijeruhcfc
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
I have set the prompt to 'Press_Return_key_to_continue' because I was expecting only the triggered challenge, which is 'please enter otp:', to be prompted, since I have 'otppin:none' in my authentication policy. After I press the Return/Enter key, the PAM plugin triggers and gets the challenge, and from there I can authenticate further using the Yubikey.
I also tried simply removing the 'prompt' parameter from my privacyidea_pam.py line, and it still asks for the first step:
auth [success=1 default=bad] pam_python.so /lib/security/privacyidea_pam.py url=https://privacyideaserver realm=ssh_realm nosslverify debug
Same as before: I log in with valid Kerberos credentials, then 'Your OTP:' is prompted, I just press the Return/Enter key, then it prompts 'please enter otp:' and I press the Yubikey to authenticate.
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
Your OTP:
please enter otp: iiifjhniflkutkctgddgkcjbildjfgedkttfglckfuvf
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
What I was expecting was something like this:
➜ ~ ssh username@privacyideaserver
Authenticated with partial success.
please enter otp: iiifjhniflkutkctgddgkcjbildjfgedkttfglckfuvf
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-96-generic x86_64)
privacyideaserver%
Regards,
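The two prompts seen above ('Your OTP:' / 'Press_Return_key_to_continue', then 'please enter otp:') correspond to two separate calls to privacyIDEA's /validate/check endpoint: the first call, carrying the (empty) PIN, triggers the challenge and returns a transaction_id, and the second call carries that transaction_id together with the Yubikey OTP. The following script is an added example, not code from the post, from the privacyIDEA project or from privacyidea_pam.py, that walks exactly this two-leg exchange so the flow can be studied outside PAM. It assumes the post's placeholder server URL and realm, the policy 'otppin:none' (so the first leg sends an empty 'pass'), and the documented 2.x JSON layout (result.value, detail.transaction_id, detail.message). FakePrivacyIdea is a constructed in-memory stand-in so the script runs offline; the demo OTP is constructed, not a real Yubikey OTP.

```python
"""Walk privacyIDEA's challenge-response flow over /validate/check.

Added example (not from the post, privacyIDEA or privacyidea_pam.py).
Assumptions: the server URL and realm are the post's placeholders, the policy
'otppin:none' is in force, and responses follow the privacyIDEA 2.x JSON layout
(result.status/result.value; on a challenge detail.transaction_id and
detail.message). FakePrivacyIdea is a constructed stand-in for offline use;
pass https_post as the transport to talk to a real server instead.
"""
import json
import secrets
import ssl
import urllib.parse
import urllib.request

SERVER = "https://privacyideaserver"  # placeholder, as in the post
REALM = "ssh_realm"                   # placeholder, as in the post


def https_post(url, fields, verify_tls=True):
    """Real transport: form-encoded POST, decoded JSON back."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # what the post's 'nosslverify' does; a MITM can then read OTPs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, context=ctx, timeout=10) as resp:
        return json.load(resp)


def validate_check(transport, user, password="", transaction_id=None):
    """One POST to /validate/check; transaction_id marks the second leg."""
    fields = {"user": user, "realm": REALM, "pass": password}
    if transaction_id is not None:
        fields["transaction_id"] = transaction_id
    return transport(SERVER + "/validate/check", fields)


def authenticate_challenge_response(transport, user, ask_otp):
    """Return True only if the server accepts the OTP for the triggered challenge.

    ask_otp(prompt) plays the PAM conversation: it shows the server's challenge
    message (e.g. 'please enter otp:') and returns what the user typed.
    """
    first = validate_check(transport, user, "")  # leg 1: empty PIN under otppin:none
    if first.get("result", {}).get("value") is True:
        return True  # a single-step token accepted the pass outright; not our case
    detail = first.get("detail") or {}
    tid = detail.get("transaction_id")
    if not tid:
        return False  # nothing triggered: unknown user, no token, or a PIN is required
    otp = ask_otp(detail.get("message", "please enter otp:"))
    second = validate_check(transport, user, otp, transaction_id=tid)  # leg 2
    return second.get("result", {}).get("value") is True


class FakePrivacyIdea:
    """Constructed in-memory stand-in for the server (offline demo only).

    Models a challenge-response token under 'otppin:none': leg 1 never checks a
    PIN and opens a challenge for any enrolled user; leg 2 must present the
    matching transaction_id and a not-yet-used OTP for that user.
    """

    def __init__(self, valid_otps):
        self.valid_otps = dict(valid_otps)  # user -> constructed single-use OTP
        self.used = set()                   # (user, otp) pairs already accepted
        self.open_challenges = {}           # transaction_id -> user

    @staticmethod
    def _reply(value, **detail):
        return {"result": {"status": True, "value": value}, "detail": detail}

    def __call__(self, url, fields):
        if not url.endswith("/validate/check"):
            return {"result": {"status": False, "value": False}}
        user, password = fields["user"], fields["pass"]
        tid = fields.get("transaction_id")
        if tid is None:  # leg 1
            if user not in self.valid_otps:
                return self._reply(False, message="user has no token")
            tid = secrets.token_hex(8)
            self.open_challenges[tid] = user
            return self._reply(False, transaction_id=tid, message="please enter otp:")
        if self.open_challenges.pop(tid, None) != user:  # leg 2, forged/stale id
            return self._reply(False, message="unknown transaction_id")
        if password and password == self.valid_otps.get(user) and (user, password) not in self.used:
            self.used.add((user, password))  # replaying the same OTP must fail
            return self._reply(True, message="matching 1 tokens")
        return self._reply(False, message="wrong otp value")


if __name__ == "__main__":
    demo_otp = "cccccccccccc" + "l" * 32  # constructed, Yubikey-shaped (44 ModHex chars)
    server = FakePrivacyIdea({"username": demo_otp})
    ok = authenticate_challenge_response(server, "username", lambda p: input(p + " "))
    print("login ok" if ok else "login denied")
```

Swapping FakePrivacyIdea for https_post reproduces what the PAM module does over the network; note that verify_tls=False mirrors the 'nosslverify' option in the PAM line and should not survive into production, since the OTP travels in that request.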