privacyidea / pam_python

Add two factor authentication to PAM via privacyIDEA

How to configure PAM file with an LDAP auth? #5

Closed francesco-ficarola closed 6 years ago

francesco-ficarola commented 6 years ago

Hello,

we are testing PrivacyIDEA for 2FA with TOTP. We'd like to log in via SSH by requiring both the LDAP password and the TOTP code. The testing Linux server is a Debian server, and it is joined to our AD domain using the PowerBroker Identity Service Open (pbis-open) software. PrivacyIDEA+FreeRadius are installed on an Ubuntu server with the IP 192.168.10.84.

The first part of /etc/pam.d/sshd (Debian Server) is the following:

@include common-auth
auth requisite pam_python.so /usr/local/lib/python2.7/dist-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py url=https://192.168.10.84 nosslverify prompt=Enter your OTP:

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Standard Un*x authorization.
@include common-account
[...]

The common-auth file included in the above PAM file has the following content:

auth    [success=2 default=ignore]      pam_lsass.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so

The module pam_lsass.so should be the one used by PBIS.

So, using the above configuration, the authentication fails. The shell properly asks for the password and the OTP code, but then returns Access Denied. We also ran tcpdump to see if the Debian server sends any packet to the PrivacyIDEA server, but no packet is shown:

tcpdump -i ens33 -nnvvA src host 192.168.10.80 and dst host 192.168.10.84

We also noticed the following code in the Python file "privacyidea_pam.py":

self. sslverify = not config.get("nosslverify", False) # --> Line 75

There's a whitespace between self. and verify... is that normal?

Thanks, Francesco
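As an added illustration (not code from this repository or from the poster), the following models Linux-PAM's documented control-field semantics and traces the sshd stack quoted above: which modules actually run when the first factor succeeds, why pam_deny is jumped over, and how a requisite failure of pam_python denies the login even though the password was accepted. Module outcomes are constructed inputs, not real module calls.

```python
# Added example, not code from privacyidea/pam_python: a toy evaluator of the
# Linux-PAM auth control syntax, traced over the sshd stack quoted in the issue.
# Module outcomes are constructed inputs, not real module calls; the 'reset'
# action and PAM_IGNORE return codes are not modelled.
import re

SIMPLE = {  # Linux-PAM's documented expansions of the keyword controls
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

STACK = [  # /etc/pam.d/sshd auth lines from the issue, common-auth expanded in place
    ("[success=2 default=ignore]", "pam_lsass.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("requisite",                  "pam_deny.so"),
    ("required",                   "pam_permit.so"),
    ("optional",                   "pam_cap.so"),
    ("requisite",                  "pam_python.so"),  # runs privacyidea_pam.py
]

def parse_control(ctrl):
    """Map a keyword or [...] control field to {return_code: action}."""
    if ctrl in SIMPLE:
        return dict(SIMPLE[ctrl])
    return dict(re.findall(r"(\w+)=(\w+)", ctrl))

def evaluate(stack, outcomes):
    """outcomes: module -> return code; unlisted modules return 'success'.
    Returns (final stack result, list of modules actually invoked)."""
    impression, status, invoked, i = None, None, [], 0
    while i < len(stack):
        ctrl, module = stack[i]
        code = outcomes.get(module, "success")
        invoked.append(module)
        table = parse_control(ctrl)
        action = table.get(code, table.get("default", "ignore"))
        i += 1
        if action.isdigit():                 # success=N: skip the next N modules
            i += int(action)
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "+" and status == "success"):
                impression, status = "+", code
        elif action in ("bad", "die"):
            if impression != "-":            # the first failure decides the status
                impression, status = "-", code
        if action == "die" or (action == "done" and impression == "+"):
            break                            # requisite/sufficient end the stack
    return (status if impression else "perm_denied"), invoked
```

With the password accepted by pam_lsass, the jump skips pam_unix and pam_deny, so the outcome rests on pam_permit and the requisite pam_python line; when both password modules fail, pam_deny ends the stack and pam_python is never reached.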

francesco-ficarola commented 6 years ago

Ok, I found this in the syslog logfile:

Jan 11 15:43:26 debian-box sshd: Traceback (most recent call last):#012  File "/usr/local/lib/python2.7/dist-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py", line 279, in pam_sm_authenticate#012    rval = Auth.authenticate(pamh.authtok)#012  File "/usr/local/lib/python2.7/dist-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py", line 101, in authenticate#012    if check_offline_otp(self.user, password, self.sqlfile, window=10):#012  File "/usr/local/lib/python2.7/dist-packages/privacyidea_pam-2.11.dev0-py2.7.egg/privacyidea_pam.py", line 339, in check_offline_otp#012    conn = sqlite3.connect(sqlfile)#012OperationalError: unable to open database file

So I created the file /etc/privacyidea/pam.sqlite and now it works!

Anyway, just for curiosity, what about the question on the whitespace?

Thanks, Francesco

cornelinux commented 6 years ago

Whitespace is not normal.

Please consider posting questions to https://community.privacyidea.org. This is probably also a better place to find configuration issues later. You will also reach more users.