Re: Strange pam configuration help needed

> On Wed, 2018-01-31 at 14:18 -0700, Orion Poplawski wrote:
>> I'm trying to work out a pam configuration that will always require an
>> OTP via google_authenticator in combination with any other auth method -
>> gssapi, key, or password.
>> 
>> I've tried to do this with this sshd config:
>> 
>> # Kerberos / Public Key + PAM
>> AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>> 
>> and pam:
>> 
>> 
>> 
>> auth       substack     password-auth
>> 
>> 
>> The idea being that if ga prompts for a token, we're done, and sshd's
>> password auth handles the password case.
> 
> But SSH password auth also calls the PAM stack. So I am not actually
> sure this would work.

It does, but it calls it with a password specified which I believe bypasses
the prompts for auth tokens.

>> But with this config, sshd fails with:
>> 
>> sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
>> sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch
>> 
>> 
>> Which may be a bug/limitation in sshd, but I don't think I'm able to
>> fix that.
> 
> Would 'auth sufficient pam_google_authenticator.so' work?

That results in users without OTPs configured being prompted for their regular
passwords twice when going the password route (since I'm also specifying
nullok) - once by sshd (via password) and once via pam (through the keyboard
route).  But perhaps I just don't support that case.

>> At this point I'm thinking of something like:
>> 
>> auth       [success=done new_authtok_reqd=done]    pam_google_authenticator.so
>> auth       sufficient   "return success if no auth token is given"
>> auth       substack     password-auth
>> 
>> But how to achieve it?  Thanks.
>> 

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
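Added example, not part of the thread and not Linux-PAM code: a small Python model of PAM auth-stack dispatch, following the control-flag rules in pam.conf(5), run over the two-line stack discussed above. It compares the poster's `[success=done new_authtok_reqd=done]` line, the suggested `sufficient`, and a third variant with `ignore=ignore` that I added for comparison, under four constructed outcomes. Assumptions: the `password-auth` substack is reduced to `pam_sss.so` plus `pam_deny.so`; `pam_google_authenticator.so` with `nullok` is assumed to return `PAM_IGNORE` for a user with no secret file (the code whose strerror text appears in the poster's log); the substack merge, `reset` and jump actions are simplified or omitted.

```python
"""Model of Linux-PAM auth-stack dispatch, added to illustrate this thread.
Not Linux-PAM code: keyword expansions and the ok/done/bad/die/ignore actions
follow pam.conf(5); the substack merge is simplified; reset and jumps are not
modelled.  Module outcomes and the password-auth stand-in are constructed."""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12
PAM_IGNORE = 25   # strerror: "The return value should be ignored by PAM dispatch"

VALUE_NAMES = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied",
               PAM_AUTH_ERR: "auth_err", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd",
               PAM_IGNORE: "ignore"}

# Keyword controls and their bracket equivalents, as documented in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Map a control field to {return-value-name: action}."""
    actions = {}
    for item in KEYWORDS.get(control, control).strip("[]").split():
        value, action = item.split("=", 1)
        actions[value] = action
    actions.setdefault("default", "bad")   # unlisted values are 'bad' in Linux-PAM
    return actions


def dispatch(stack, outcomes):
    """Evaluate (control, module) pairs; ("substack", [pairs]) nests a stack.
    outcomes maps module name -> return code.  Returns (impression, status)
    with impression None (undecided), "positive" or "negative"."""
    impression, status = None, PAM_PERM_DENIED   # PAM_MUST_FAIL_CODE
    for control, module in stack:
        if control == "substack":
            # done/die inside a substack end only the substack; its cumulative
            # result is merged here like a single module's result (simplified).
            sub_impression, retval = dispatch(module, outcomes)
            if sub_impression is None:
                continue
            action = "ok" if sub_impression == "positive" else "bad"
        else:
            retval = outcomes[module]
            actions = parse_control(control)
            action = actions.get(VALUE_NAMES[retval], actions["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A later success cannot overturn an earlier negative decision.
            if impression is None or (impression == "positive" and status == PAM_SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            # The first negative result sticks for the rest of the stack.
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        else:
            raise ValueError("action %r not modelled" % action)
    return impression, status


def authenticate(stack, outcomes):
    """Final pam_authenticate() code for the stack under the given outcomes."""
    impression, status = dispatch(stack, outcomes)
    if status == PAM_SUCCESS and impression != "positive":
        return PAM_PERM_DENIED
    return status


GA, SSS, DENY = "pam_google_authenticator.so", "pam_sss.so", "pam_deny.so"

# Constructed stand-in for password-auth; pam_sss is the module the log shows succeeding.
PASSWORD_AUTH = [("sufficient", SSS), ("required", DENY)]


def sshd_stack(ga_control):
    """The thread's two-line stack, with the GA line's control as a parameter."""
    return [(ga_control, GA), ("substack", PASSWORD_AUTH)]


# Constructed outcomes.  Assumption: with nullok, pam_google_authenticator returns
# PAM_IGNORE for a user who has no secret file.
SCENARIOS = {
    "enrolled, good OTP":          {GA: PAM_SUCCESS,  SSS: PAM_SUCCESS,  DENY: PAM_AUTH_ERR},
    "enrolled, bad OTP":           {GA: PAM_AUTH_ERR, SSS: PAM_SUCCESS,  DENY: PAM_AUTH_ERR},
    "not enrolled, good password": {GA: PAM_IGNORE,   SSS: PAM_SUCCESS,  DENY: PAM_AUTH_ERR},
    "not enrolled, bad password":  {GA: PAM_IGNORE,   SSS: PAM_AUTH_ERR, DENY: PAM_AUTH_ERR},
}

CONTROLS = {
    "poster":        "[success=done new_authtok_reqd=done]",   # line from the thread
    "sufficient":    "sufficient",                              # the reply's suggestion
    "ignore=ignore": "[success=done new_authtok_reqd=done ignore=ignore default=bad]",  # added variant
}


def compare():
    """(control label, scenario) -> final pam_authenticate() code."""
    return {(label, name): authenticate(sshd_stack(control), outcomes)
            for label, control in CONTROLS.items()
            for name, outcomes in SCENARIOS.items()}


if __name__ == "__main__":
    for (label, name), code in compare().items():
        print("%-14s %-28s -> %s" % (label, name, VALUE_NAMES[code]))
```

Under this model the poster's control turns the unenrolled user's `PAM_IGNORE` into a sticky negative result (unlisted values default to `bad`), so the whole stack returns `PAM_IGNORE` even though `pam_sss` succeeds, which is the log line above. `sufficient` avoids that, but it also ignores a wrong OTP from an enrolled user and falls through to the password check alone, so it is worth running the table before choosing.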