Hi Sumit,

The pam.d configuration is as configured by the CentOS 7.4 install and running ipa-client-install.

Here's the content of /etc/pam.d/sshd:

[root@hpch2fa01 ~]# cd /etc/pam.d
[root@hpch2fa01 pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

We also added one line to /etc/ssh/sshd, otherwise it's as configured by the CentOS 7.4 install and running ipa-client-install:

AuthenticationMethods keyboard-interactive

It'd be nice if there's a simple config fix for this, and I recommend it's worked into the ipa-client-install helper script or authconfig.

Regards,

Aaron

-----Original Message-----
From: Sumit Bose via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Wednesday, 22 November 2017 8:11 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose <sb...@redhat.com>
Subject: [Freeipa-users] Re: Expired passwords and generating an OTP token

On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the List,
>
> This turned out to be a workflow issue, we still have a problem but
> this first use case works.
>
> In the case of a user with an invalid password (none or expired) with
> no OTP token they can reset their password and ask IPA to create an
> OTP token for them.
>
> 1. Helpdesk agent uses FreeIPA API passwd method to issue a temporary
>    password and pass it to the user
> 2. User uses ssh to login to 2FA host
> 3. SSH forces user through the reset password process and closes
>    connection
> 4. User is not able to login without an OTP Token. A correct result.
> 5. User uses FreeIPA API otptoken-add method with new password to
>    generate & receive OTP token
> 6. User is now able to SSH with password + OTP token.
>
> What isn't working is the case where a user has an invalid token (none,
> expired, or just reset) and a valid OTP token.
>
> 1. (Optional, but puts user into required state) Helpdesk agent uses
>    FreeIPA API passwd method to issue a temporary password and pass it to
>    the user
> 2. User uses ssh to login to 2FA host, which asks for temporary
>    password.
> 3. SSH forces user through reset password process and closes
>    connection.
> 4. User is now able to SSH with password + OTP token
>
> In this case step 2 fails. The reset password process looks like this:

What does your sshd PAM configuration look like, e.g. /etc/pam.d/sshd (and included files)?

bye,
Sumit

> > login as: username
> > Using keyboard-interactive authentication.
> > Password:
> > Access denied
> > Using keyboard-interactive authentication.
> > Password:
> > Using keyboard-interactive authentication.
> > Password expired. Change your password now.
> > Current Password:
> > Access denied
>
> The change password process fails.
>
> However, if we disable or delete their OTP token (which requires
> FreeIPA admin, not helpdesk role) they're able to reset their
> password. We don't want to have to give admin rights to the helpdesk agent
> for this.
>
> This is also complicated by that the FreeIPA API changes behaviour:
>
> * With an expired password, a user can not connect to the API, even to do
>   passwd to reset password
> * With an OTP token, users have to use passwordOTPCODE to access the
>   API, which means they can't manage their otptoken if they've lost it
>   or want to disable it so they can reset their password because they
>   forgot it, or delete it.
>
> Is there a way of allowing users in the helpdesk group/role to be able
> to disable/enable or delete OTP tokens? They don't need to see the
> content, just allow users to restart the password and token request process.
>
> Is there a fix for the above workflow to allow a user with an OTP
> token to reset their password?
>
> Regards,
>
> Aaron Hicks
>
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
> Sent: Tuesday, 21 November 2017 6:22 PM
> To: freeipa-users@lists.fedorahosted.org
> Subject: Expired passwords and generating an OTP token
>
> Hello the list,
>
> I think this is the last thing to make our terrible user management
> model work.
>
> With a helpdesk role via the REST API we can reset a user's password,
> which is expired, because this is the right thing to do.
>
> These users are expected to log into a node with 2FA using an OTP
> token generated by FreeIPA. This works if a user has a valid password and a
> token.
> This is the only machine they have access to, as it's the lander
> node. They can not reach the FreeIPA web interface. They can use the
> FreeIPA API via our customer management system (CMS) either as
> themselves or as a helpdesk agent on their behalf. The CMS auth is SAML via
> federated shibboleth, so does not use our FreeIPA credentials.
>
> However, we have a few use cases we need to work:
>
> Can a user generate an OTP token when their password is expired?
>
> Can a user reset their password when they do not have an OTP token?
>
> Can a user reset their password when they can't log in to get the
> secret from their OTP token?
>
> I think the shortest routes would be:
>
> - if a user could reset an expired password via the FreeIPA API, then
>   use the otptoken_add method to create one all via our CMS.
>
> - if a user could reset their password at the ssh login prompt if they
>   have no token or don't have their token. Then add a token via our CMS.
>
> Regards,
>
> Aaron
>
> Get Outlook for iOS <https://aka.ms/o0ukef>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
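Sumit's question covers the included files as well, because what sshd actually runs for the auth and password facilities comes from password-auth, not from /etc/pam.d/sshd itself. The following is an added example, not code from the thread or from FreeIPA: it resolves the effective module chain per facility, using the sshd stack Aaron posted and an assumed, abbreviated password-auth; on a real host you would load the files from /etc/pam.d instead of the embedded dict.

```python
import re

# Constructed sample files keyed by /etc/pam.d name. "sshd" is the stack quoted in the
# thread (comments dropped); "password-auth" is an assumed, abbreviated CentOS 7 stack.
PAM_FILES = {
    "sshd": """\
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
""",
    "password-auth": """\
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_sss.so use_first_pass
auth       required     pam_deny.so
password   sufficient   pam_unix.so sha512 shadow use_authtok
password   sufficient   pam_sss.so use_authtok
password   required     pam_deny.so
""",
}

# One PAM rule: [-]facility control module [args]; control may be a [bracketed] spec.
RULE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def resolve(facility, name="sshd", depth=0):
    """Return (control, module, args) tuples for `facility`, following include/substack.
    A file that is not present (postlogin here) is skipped, so the caller sees the gap
    in the chain instead of an exception."""
    if depth > 8 or name not in PAM_FILES:
        return []
    chain = []
    for raw in PAM_FILES[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m or m.group(2) != facility:
            continue
        _dash, _fac, control, module, args = m.groups()
        if control in ("include", "substack"):
            chain.extend(resolve(facility, module, depth + 1))
        else:
            chain.append((control, module, args or ""))
    return chain

def modules(facility):
    return [module for _, module, _ in resolve(facility)]
```

Running modules("password") shows that the password change Aaron's users are pushed through reaches pam_sss.so only after pam_unix.so, which is the ordering to compare against the host's real password-auth.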