privacyidea / privacyidea-pam

Module for Linux PAM stack to authenticate users against privacyIDEA

About the problem of sftp using privacyidea-pam authentication module requires two logins #13

Closed tanzhenchao closed 7 months ago

tanzhenchao commented 7 months ago

We implemented a 2FA authentication for sftp, but we encountered some problems. Here are the detailed configuration steps: https://www.cmdschool.org/archives/23755

The pam configuration of the sftp client is as follows:

#%PAM-1.0
#auth       substack     password-auth
auth       required     pam_privacyidea.so url=https://privacyidea01.cmdschool.org realm=sftp.cmdschool.org sendEmptyPass pollTime=9000 offlineFile=/etc/privacyidea/pam.txt debug
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

We found that after the sftp user successfully logs in and browses to the user directory, when the user downloads or uploads a file, the login is triggered again.

The detailed client logs of the two are as follows, obtained using the "systemctl status sftpd.service" command:

Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting url=https://privacyidea01.cmdschool.org
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting realm=sftp.cmdschool.org
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting sendEmptyPass=true
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting pollTime=9000
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting offlineFile=/etc/privacyidea/pam.txt
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Setting debug=true
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Sending request to https://privacyidea01.cmdschool.org/validate/check with parameters:
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): pass=0 digits
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): realm=sftp.cmdschool.org
Apr 09 10:09:51 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): user=sftpUser01
Apr 09 10:10:03 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): {"detail": {"attributes": {"state": null, "valid_until": "2024-04-09 10:25:03.598208"}, "client_mode": "interactive", "message": "Enter the OTP from the Email:", "messages": ["Enter the OTP from the Email:"], "multi_challenge": [{"attributes": {"state": null, "valid_until": "2024-04-09 10:25:03.598208"}, "client_mode": "interactive", "message": "Enter the OTP from the Email:", "serial": "PIEM00008668", "transaction_id": "15373232034952258676", "type": "email"}], "serial": "PIEM00008668", "threadid": 140096788186880, "transaction_id": "15373232034952258676", "transaction_ids": ["15373232034952258676"], "type": "email", "preferred_client_mode": "interactive"}, "id": 2, "jsonrpc": "2.0", "result": {"authentication": "CHALLENGE", "status": true, "value": false}, "time": 1712628603.603895, "version": "privacyIDEA 3.8", "versionnumber": "3.8", "signature": "rsa_sha256_pss:[signature elided]"}
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Offline retval: 5
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): Sending request to https://privacyidea01.cmdschool.org/validate/check with parameters:
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): pass=6 digits
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): realm=sftp.cmdschool.org
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): transaction_id=15373232034952258676
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): user=sftpUser01
Apr 09 10:10:30 sftp01.cmdschool.org pam_privacyidea[16429]: pam_privacyidea(sftpd:auth): {"detail": {"message": "Found matching challenge", "serial": "PIEM00008668", "threadid": 140096712652544}, "id": 2, "jsonrpc": "2.0", "result": {"authentication": "ACCEPT", "status": true, "value": true}, "time": 1712628630.4699645, "version": "privacyIDEA 3.8", "versionnumber": "3.8", "signature": "rsa_sha256_pss:[signature elided]"}
Apr 09 10:10:30 sftp01.cmdschool.org sftpd[16427]: Accepted keyboard-interactive/pam for sftpUser01 from 10.168.0.165 port 48517 ssh2
Apr 09 10:10:30 sftp01.cmdschool.org sftpd[16427]: pam_unix(sftpd:session): session opened for user sftpUser01(uid=1000) by (uid=0)

We don't know what's going on. Can you help?
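The two log entries above are one privacyIDEA challenge-response round trip: the first `/validate/check` call carries an empty `pass` (because of `sendEmptyPass`) and comes back with `"authentication": "CHALLENGE"` plus a `transaction_id` and the prompt text; the second call sends the OTP together with that `transaction_id` and comes back `"authentication": "ACCEPT"`. The following Python client, added here as an illustration and not code from privacyidea-pam or the reporter, walks that flow and treats every non-ACCEPT path as a closed failure. The sample responses are constructed from the JSON quoted in the issue (signature and thread ids omitted), the offline `fake_transport` stands in for the server, and `http_transport`, `LOG_TIME` and `AFTER_EXPIRY` are assumed names for this example.

```python
import json
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample replies, shaped like the two /validate/check responses
# quoted in the issue log (signature and threadid fields omitted).
CHALLENGE_RESPONSE = {
    "detail": {
        "attributes": {"state": None, "valid_until": "2024-04-09 10:25:03.598208"},
        "client_mode": "interactive",
        "message": "Enter the OTP from the Email:",
        "serial": "PIEM00008668",
        "transaction_id": "15373232034952258676",
        "type": "email",
    },
    "result": {"authentication": "CHALLENGE", "status": True, "value": False},
}
ACCEPT_RESPONSE = {
    "detail": {"message": "Found matching challenge", "serial": "PIEM00008668"},
    "result": {"authentication": "ACCEPT", "status": True, "value": True},
}
REJECT_RESPONSE = {"result": {"authentication": "REJECT", "status": True, "value": False}}

# Reference points taken from the log: time of the OTP request, and a time past valid_until.
LOG_TIME = datetime(2024, 4, 9, 10, 10, 30)
AFTER_EXPIRY = datetime(2024, 4, 9, 10, 30, 0)


def http_transport(url, params):
    """Live transport (assumed name): POST form-encoded parameters to privacyIDEA."""
    req = Request(url, data=urlencode(params).encode(), headers={"Accept": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def validate_check(transport, base_url, user, realm, password="", transaction_id=None):
    """One call to /validate/check with the same parameters pam_privacyidea logs."""
    params = {"user": user, "realm": realm, "pass": password}
    if transaction_id is not None:
        params["transaction_id"] = transaction_id
    return transport(base_url.rstrip("/") + "/validate/check", params)


def challenge_expired(detail, now):
    """True if the challenge's valid_until (server local time, as in the log) is already past."""
    valid_until = detail.get("attributes", {}).get("valid_until")
    if not valid_until:
        return False
    return datetime.strptime(valid_until, "%Y-%m-%d %H:%M:%S.%f") < now


def authenticate(transport, base_url, user, realm, ask_otp, now=None):
    """Two-step flow from the issue: empty pass -> CHALLENGE, then OTP + transaction_id -> ACCEPT.
    Returns (accepted, reason); anything that is not an explicit ACCEPT is a failure."""
    now = now or datetime.now()
    first = validate_check(transport, base_url, user, realm, "")
    result = first.get("result", {})
    if not result.get("status"):
        return False, "server error"
    if result.get("value") is True:  # token accepted in one step, no challenge issued
        return True, "accepted without challenge"
    if result.get("authentication") != "CHALLENGE":
        return False, "rejected"
    detail = first.get("detail", {})
    transaction_id = detail.get("transaction_id")
    if not transaction_id:
        return False, "challenge without transaction_id"
    if challenge_expired(detail, now):
        return False, "challenge expired"
    otp = ask_otp(detail.get("message", "Enter OTP:"))
    second = validate_check(transport, base_url, user, realm, otp, transaction_id)
    result = second.get("result", {})
    if result.get("status") and result.get("value") is True and result.get("authentication") == "ACCEPT":
        return True, "accepted"
    return False, "otp rejected"


def fake_transport(expected_otp):
    """Offline stand-in for privacyIDEA that replays the constructed responses and records each call."""
    calls = []

    def transport(url, params):
        calls.append(dict(params))
        if "transaction_id" not in params:
            return CHALLENGE_RESPONSE
        if params["transaction_id"] == "15373232034952258676" and params["pass"] == expected_otp:
            return ACCEPT_RESPONSE
        return REJECT_RESPONSE

    return transport, calls


if __name__ == "__main__":
    transport, calls = fake_transport("123456")
    print(authenticate(transport, "https://privacyidea01.cmdschool.org", "sftpUser01",
                       "sftp.cmdschool.org", lambda prompt: "123456", now=LOG_TIME))
```

Note that the second request is only meaningful with the `transaction_id` from the first; a fresh SSH connection (as the thread later finds with FileZilla) has no such id to reuse, so it necessarily starts the whole exchange again, which is why a new OTP email is sent per connection.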

nilsbehlen commented 7 months ago

Hi, what is the outcome you expected?

tanzhenchao commented 7 months ago

> Hi, what is the outcome you expected?

We want to achieve that after the sftp user enters the username and password, the user receives a one-time token by email, and then the user can upload and download files normally after entering the received email one-time token and passing the authentication. Our current configuration allows users to log in normally, but if they upload or download files, they will be prompted to authenticate again.

tanzhenchao commented 7 months ago

I noticed that the following URL requirements are very similar to ours: https://github.com/privacyidea/privacyidea-pam/blob/main/samples/privacyidea-2nd-auth But there are some differences from our requirements. What we need to achieve is to trigger the sending of a one-time email token after entering the password. I think I need to modify the configuration and test it after referring to the above link again.

nilsbehlen commented 7 months ago

You have sendEmptyPass set, so the mail should be triggered, provided you configured the PIN of the email token to be empty. Then your problem is that you do not want to re-authenticate?

tanzhenchao commented 7 months ago

> You have sendEmptyPass set, so the mail should be triggered, provided you configured the PIN of the email token to be empty. Then your problem is that you do not want to re-authenticate?

Yes, this problem has been bothering me a lot, and I don't know how to solve it.

tanzhenchao commented 7 months ago

Hello! We'd like to know whether this issue is a software bug or can be fixed by tuning PAM modules or parameters like in the example below: https://github.com/privacyidea/privacyidea-pam/blob/main/samples/privacyidea-2nd-auth

tanzhenchao commented 7 months ago

Hi nilsbehlen, I think we misunderstood before. We tested file upload using the sftp command line today and the authentication will not be triggered again, so the problem lies in the FileZilla client. The following is the process of our command line test:

# sftp -P 115 'will@cmdschool.org'@sftp.cmdschool.org
(will@cmdschool.org'@sftp.cmdschool.org) Password: 
(will@cmdschool.org'@sftp.cmdschool.org) Enter the OTP from the Email:
Connected to sftp.cmdschool.org.
sftp> ls
myhome  
sftp> cd myhome/
sftp> ls
dbeaver-ce_22.1.2_amd64.deb   
sftp> lcd /home/will/Downloads/
sftp> put  www.cmdschool.org_nginx.zip
Uploading www.cmdschool.org_nginx.zip to /myhome/www.cmdschool.org_nginx.zip
www.cmdschool.org_nginx.zip                                                                100% 8628   571.8KB/s   00:00    
sftp> exit
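The command-line test above shows a single `Accepted keyboard-interactive/pam` line per session, whereas a client that opens a second SSH connection for the transfer produces a second accept, and with this PAM setup each accept is a full OTP round trip and another email. The script below, added as an example and not part of privacyidea-pam or the reporter's setup, parses sshd accept lines in the journal format quoted in the issue and reports clients that re-authenticate within a short window, which is how an operator would spot this behaviour server-side. The log excerpt is constructed (hostnames and PIDs are made up; the format follows the issue's lines) and `repeated_logins`/`parse_accepts` are names chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed journal excerpt in the sshd/pam format quoted in the issue: one interactive
# session, a second connection from the same client 40 s later (a transfer channel opened
# by the client), another user, and a later, unrelated login by the first user.
SAMPLE_LOG = """\
Apr 09 10:10:30 sftp01.example.org sftpd[16427]: Accepted keyboard-interactive/pam for sftpUser01 from 10.168.0.165 port 48517 ssh2
Apr 09 10:10:30 sftp01.example.org sftpd[16427]: pam_unix(sftpd:session): session opened for user sftpUser01(uid=1000) by (uid=0)
Apr 09 10:11:10 sftp01.example.org sftpd[16501]: Accepted keyboard-interactive/pam for sftpUser01 from 10.168.0.165 port 48522 ssh2
Apr 09 10:11:10 sftp01.example.org sftpd[16501]: pam_unix(sftpd:session): session opened for user sftpUser01(uid=1000) by (uid=0)
Apr 09 10:12:05 sftp01.example.org sftpd[16600]: Accepted keyboard-interactive/pam for sftpUser02 from 10.168.0.44 port 50010 ssh2
Apr 09 11:05:00 sftp01.example.org sftpd[16999]: Accepted keyboard-interactive/pam for sftpUser01 from 10.168.0.165 port 48999 ssh2
"""

ACCEPT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+\[(?P<pid>\d+)\]: "
    r"Accepted keyboard-interactive/pam for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_accepts(text, year=2024):
    """Return sorted (timestamp, user, ip, port, pid) tuples, one per successful PAM login.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"], int(m["port"]), int(m["pid"])))
    events.sort()
    return events


def repeated_logins(events, window_seconds=300):
    """Group accepts by (user, source ip) and report each accept that follows another one from the
    same client within the window. Every such accept is another full challenge-response, i.e. another
    OTP email; a burst of them from one client points at a multi-connection client, not at an attacker
    with the password, but both are worth a look."""
    by_client = defaultdict(list)
    for ts, user, ip, port, pid in events:
        by_client[(user, ip)].append((ts, port, pid))
    findings = {}
    for key, items in by_client.items():
        repeats = [cur for prev, cur in zip(items, items[1:])
                   if (cur[0] - prev[0]).total_seconds() <= window_seconds]
        if repeats:
            findings[key] = [(ts.strftime("%H:%M:%S"), port) for ts, port, pid in repeats]
    return findings


if __name__ == "__main__":
    for (user, ip), hits in repeated_logins(parse_accepts(SAMPLE_LOG)).items():
        print(f"{user} from {ip} re-authenticated at: {hits}")
```

Run against a real journal with `journalctl -u sshd -o short` piped in (the unit name depends on the host; the issue's service is `sftpd`), and correlate the reported ports with the `pam_privacyidea` lines to confirm each extra accept really did trigger a new email challenge.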

tanzhenchao commented 7 months ago

This issue has been reported to the FileZilla client: https://forum.filezilla-project.org/viewtopic.php?f=2&t=58476&p=189154#p189154

tanzhenchao commented 7 months ago

We found that the new versions of WinSCP and Bitvise SSH Client can perfectly solve this problem.

nilsbehlen commented 7 months ago

Hi, that is good to hear. I will close this issue then, if there is no concrete problem with this software.