zhaow-de / pam-keycloak-oidc

PAM module connecting to Keycloak for user authentication using OpenID Connect/OAuth2, with MFA/2FA/TOTP support
MIT License

Pam not working as expected #4

Closed MarcelCoding closed 2 years ago

MarcelCoding commented 2 years ago

Hi, I am trying to use your project, but for me it is not working. I did a bit of debugging and found out that PAM isn't providing the password on stdin. The environment variable PAM_USER is set.

FROM ubuntu

RUN apt-get update && apt-get install -y openssh-server nano wget \
 && mkdir -p /opt/pam-keycloak-oidc \
 && wget -O /opt/pam-keycloak-oidc/pam-keycloak-oidc https://github.com/zhaow-de/pam-keycloak-oidc/releases/download/r1.1.5/pam-keycloak-oidc.linux-amd64 \
 && apt-get purge -y wget \
 && chmod +x /opt/pam-keycloak-oidc/pam-keycloak-oidc \
 && mkdir -p /run/sshd

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]

#!/bin/sh

ssh-keygen -A

cat >  /opt/pam-keycloak-oidc/pam-keycloak-oidc.tml << EOF
# name of the dedicated OIDC client at Keycloak
client-id="demo-pam"
# the secret of the dedicated client
client-secret="57f0e684-a59d-404d-9906-bfe154e8f6ba"
# special callback address for no callback scenario
redirect-url="urn:ietf:wg:oauth:2.0:oob"
# OAuth2 scope to be requested, which contains the role information of a user
scope="pam_roles"
# name of the role to be matched; only Keycloak users who are assigned this role are accepted
vpn-user-role="demo-pam-authentication"
# retrieve from the meta-data at https://keycloak.example.com/auth/realms/demo-pam/.well-known/openid-configuration
endpoint-auth-url="http://pc-marcel:8084/auth/realms/master/protocol/openid-connect/auth"
endpoint-token-url="http://pc-marcel:8084/auth/realms/master/protocol/openid-connect/token"
# 1:1 copy, no 'fmt' substitution is required
username-format="%s"
# to be the same as the particular Keycloak client
access-token-signing-method="RS256"
# a key for XOR masking. treat it as a top secret
xor-key="scmi"
EOF

cat > /debug.sh << EOF
#!/bin/bash

echo a
echo \$(tr -d '\0' < /dev/stdin)
echo b \$PAM_USER c
EOF

# make the helper executable so pam_exec can run it
chmod +x /debug.sh

cat /etc/pam.d/sshd

cat > /etc/pam.d/sshd << EOF
account required                        pam_permit.so
auth    [success=1 default=ignore]  pam_exec.so     expose_authtok  log=/var/log/pam-keycloak-oidc.log  /debug.sh
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF

/usr/sbin/sshd -De

ssh admin@172.17.0.2

[marcel@pc-marcel ssh]$ sudo docker exec -it ssh cat /var/log/pam-keycloak-oidc.log
[sudo] password for marcel: 
*** Sun Aug  1 19:47:25 2021
a
INCO
b admin c
*** Sun Aug  1 19:47:32 2021
a
I
b admin c
[marcel@pc-marcel ssh]$ 

At the position of the I, there should be the password.

I tested it with step 8 in your readme and it worked.

MarcelCoding commented 2 years ago

The Unix user must exist.
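
Two points from this thread are worth turning into a reusable diagnostic. First, pam_exec with expose_authtok delivers the password on the helper's stdin terminated by a NUL byte (which is why the debug script above strips '\0') and passes PAM_USER, PAM_TYPE, PAM_SERVICE and PAM_RHOST in the environment. Second, when the login name has no local account, sshd never hands the real password to the PAM stack: OpenSSH's auth-pam.c substitutes a fixed bogus string for unknown users, which is consistent with the garbled INCO / I seen in the log above and explains why the thread ends at "the Unix user must exist". The helper below is added here as an example; it is not code from the issue or from the pam-keycloak-oidc project. It reads the token, gives up instead of blocking when nothing arrives, checks that the account exists, and logs only metadata, never the password itself (the debug script in the issue writes the cleartext password to /var/log, which is fine for a throwaway test but not for anything that stays installed). The log path, the function names and the script path quoted in the pam.d comment are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the issue or from the pam-keycloak-oidc project:
# a pam_exec helper that reads the authtok the way `expose_authtok` delivers it
# and records each attempt without ever writing the password to the log.
#
# pam_exec with expose_authtok writes the password to the helper's stdin
# terminated by a single NUL byte; PAM_USER, PAM_TYPE, PAM_SERVICE and
# PAM_RHOST are passed in the environment. Log path and field names below are
# this example's own choices.

# read_authtok [seconds]: print the stdin token with the NUL terminator removed.
# When GNU `timeout` is available, give up after the given number of seconds
# (default 5) so that a helper started without expose_authtok, where stdin
# carries nothing, does not hang the login indefinitely.
read_authtok() {
    _secs="${1:-5}"
    if command -v timeout >/dev/null 2>&1; then
        timeout "$_secs" tr -d '\0'
    else
        tr -d '\0'
    fi
}

# account_exists user: true when the name resolves to a local account.
account_exists() {
    [ -n "$1" ] && id -u "$1" >/dev/null 2>&1
}

# classify_attempt user token_length: explain what the helper saw.
#   no-local-account : sshd had no account to authenticate; whatever arrived on
#                      stdin is not the user's password (OpenSSH substitutes a
#                      fixed bogus string for unknown users), so garbled output
#                      such as the "INCO" / "I" in the issue's log is expected
#   no-authtok       : nothing on stdin, expose_authtok missing or timed out
#   ok               : a token arrived for an existing account
classify_attempt() {
    _user="$1"
    _len="$2"
    if ! account_exists "$_user"; then
        echo no-local-account
    elif [ "$_len" -eq 0 ]; then
        echo no-authtok
    else
        echo ok
    fi
}

# log_attempt logfile user type service rhost token_length verdict:
# append one line of metadata; the token itself is never written.
log_attempt() {
    printf '%s user=%s type=%s service=%s rhost=%s authtok_len=%s verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" "$5" "$6" "$7" >> "$1"
}

# Entry point used when pam_exec runs this file (pam_exec sets PAM_TYPE).
# It is diagnostic only and always exits non-zero, so a line such as
#   auth [success=1 default=ignore] pam_exec.so expose_authtok /usr/local/sbin/authtok-check.sh
# (hypothetical path) can never grant access by accident.
pam_exec_main() {
    _log="${1:-/var/log/pam-authtok-debug.log}"
    _tok="$(read_authtok 5)"      # $(...) also drops a trailing newline; acceptable here
    _len="${#_tok}"
    unset _tok
    _verdict="$(classify_attempt "${PAM_USER:-}" "$_len")"
    log_attempt "$_log" "${PAM_USER:-}" "${PAM_TYPE:-}" "${PAM_SERVICE:-}" \
        "${PAM_RHOST:-}" "$_len" "$_verdict"
    return 1
}

if [ -n "${PAM_TYPE:-}" ]; then
    pam_exec_main "$@"
    exit $?
fi
```

Started by pam_exec it only logs and denies, so it can sit in the stack while the real module is being debugged; the functions can also be exercised from an interactive shell, for example `printf 'pw\0' | read_authtok 2`, to confirm that the NUL handling matches what pam_exec sends.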