rharmonson / rharmonson.github.io

RichTech Security & Technology Guides
https://rharmonson.github.io
Creative Commons Zero v1.0 Universal

post comment: 2factorcos7.html #6

Open rharmonson opened 7 years ago

rharmonson commented 7 years ago

This issue is reserved for comments on the article "2factorcos7.html" on rharmonson.github.io. Leave general comments here. If you are looking to contribute to a post, use the GitHub "Edit me" button on the page to fork and propose changes, e.g. typos, corrections, additional content.

dpal commented 6 years ago

Hello,

Have you considered looking at native FreeIPA/IdM 2FA authentication support? It supports TOTP/HOTP tokens (Google Authenticator, FreeOTP, Yubikey) natively without the need to add a PAM module. This simplifies a deployment significantly. If you are interested in learning more about FreeIPA/IdM capabilities, please let me know (dpal@redhat.com).

Thanks, Dmitri

rharmonson commented 6 years ago

@wileycybrotie

My apologies for not responding earlier. Made a mental note... then I lost it.

The solution I proposed is cheap and inexpensive but is not highly available. Your approach may work and I am very curious to know the final solution you picked and how well it worked.

If I were to solve high availability at the service level but ignore root access, I would look to a shared file system between two or more hosts, like GlusterFS. No gotchas with them outside of each file system's limitations.

If you have access to a developer, you may want to look at centralizing all the information in a database and then using the database-specific replication feature between hosts. The beauty is that you have also solved the need for the service to run under root.

Best of luck!

mostaque444 commented 5 years ago

Hi, thanks for your great effort with a very good, effective solution. But I'm stuck on the 2FA part. The RADIUS client is accepting authentication with "Password+Google Authenticator Code" and also without the Google Authenticator code. So users are authenticating with 2FA and without 2FA. I want to enforce 2FA. Could you please suggest? Using Red Hat 7.

rharmonson commented 5 years ago

If I understand you correctly, RADIUS is permitting the use of the user account password only. Correct?

If true, review /etc/pam.d/radiusd. It should not have additional auth entries:

#%PAM-1.0
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth

Also, I would review your radius configuration to ensure it is not permitting other authentication mechanisms outside of the one you configured.
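As an added example (not code from the thread), a small Python audit of the auth stack in the PAM service file quoted in the reply above: it parses the file, checks that pam_google_authenticator.so is required/requisite with forward_pass, and flags any "sufficient" or unexpected auth entries that would let a password-only login through. The misconfigured sample is constructed for illustration; pam_unix.so is just a stand-in for any extra entry.

```python
from collections import namedtuple
PamRule = namedtuple("PamRule", "type control module args")

# Stack posted in the thread above (expected shape of /etc/pam.d/radiusd).
GOOD = """#%PAM-1.0
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth
"""
# Constructed misconfiguration: an extra 'sufficient' entry ahead of the OTP module.
BAD = """#%PAM-1.0
auth       sufficient   pam_unix.so
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
"""

def parse_pam(text):
    """Parse 'type control module [args...]' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            parts = [parts[0], " ".join(parts[1:end + 1])] + parts[end + 1:]
        rules.append(PamRule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules

def audit_auth(rules, otp="pam_google_authenticator.so", backend="pam_sss.so"):
    """Return findings; an empty list means the auth stack enforces password + OTP."""
    auth = [r for r in rules if r.type == "auth"]
    mods = [r.module for r in auth]
    if otp not in mods:
        return [f"{otp} missing from auth stack"]
    findings = []
    ga = auth[mods.index(otp)]
    if ga.control not in ("required", "requisite"):
        findings.append(f"{otp} is '{ga.control}', should be required or requisite")
    if "forward_pass" not in ga.args:
        findings.append("forward_pass missing: password is not handed to the next module")
    for r in auth:
        if r.control == "sufficient":
            findings.append(f"'{r.module}' is sufficient: success there ends the stack early")
        if r.module not in (otp, backend):
            findings.append(f"unexpected auth entry '{r.module}'")
    return findings
```

This only covers the PAM side; the RADIUS server's own configuration (which auth types it accepts) still has to be reviewed separately, as the reply notes.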

mostaque444 commented 5 years ago

Hi Rharmonson, thanks for your prompt reply. The most weird thing is the IPA client accepting any password for domain users, not for local users. The /etc/pam.d/radiusd file looks good, as you wrote here. Which files do you need to review more? I will attach those files. Please help and suggest.

rharmonson commented 5 years ago

Please clarify "IPAClient accepting any password for domain users not for local users."

mostaque444 commented 5 years ago

Hi Rharmonson, I am writing you the detailed scenario here. Please read it thoroughly. I deployed a RADIUS server which is integrated with Active Directory. The Windows server is joined with Active Directory and the Linux server is joined with the RADIUS server with IPA. But the user database is stored in Active Directory. So every user's information is stored in Active Directory. Now the problem is, when an Active Directory user wants to log in to the Linux box, he can log in with any password. I mean if he inserts a wrong password then he can still log in to the Linux box. I think the SSSD service is playing a role here. If I stop the SSSD service then it will take only a valid password, but in this case kinit admin is not working and user information is not being retrieved from AD. I am attaching here the SSSD config file and other files under the pam.d directory.

Pamd_radiusd.txt pamd_sshd.txt raddb_radius.txt sssd_sssd.txt

mostaque444 commented 5 years ago

Hi Richard, one more update: now it's accepting valid credentials only. I think the issue was the realm join and the adcli package, which was not installed on the RADIUS server. But 2FA is not working at this moment. Please suggest. I want "password+google authenticator" as the password.

rharmonson commented 5 years ago

If all the dependencies including SSSD are working as expected, I would work backwards to remove changes and test each component as described in the article. At this point, you resolved one problem; now it's time to narrow the scope to the current problem.

Keep at it. You will get it.

mostaque444 commented 5 years ago

Richard, my bad luck. I was happy at that time because I felt I could narrow the scope. But I'm facing another problem after the realm join. kinit admin is not working.

[root@ipa krb5kdc]# kinit admin
kinit: Pre-authentication failed: Invalid argument while getting initial credentials

Do you have any suggestion, friend?

rharmonson commented 5 years ago

mostaque444, I wish I could help more, but your environment differs from mine. Assuming you have a lab, I would advise backing up and starting again, carefully testing each component.

I am sorry that I could not be of more assistance.

mostaque444 commented 5 years ago

Hi Richard, I came back again after reinstalling the IPA server and client. This time I can authenticate with Password+OTP and with Password Only. I want Password+OTP. Could you please suggest the client-end configuration, or where I need to look?

knamir commented 3 years ago

Hi Richard, thanks for this awesome solution. It works fine.

I've found a little bug (if it is a bug): a user can authenticate with AD password + Google Authenticator, but if he puts in only the Google Authenticator code 2 or 3 times, he can connect without the AD password.

So the user puts in only the Google code and receives an error, reinserts the code 2 times, and the auth works.

If the user uses only the AD password he can't auth, and this is correct.

I think it's because of the PAP authentication that permits the auth, is it right?

Have you any clue how to fix it?

Thanks.