Hi Sumit,

Here is /etc/pam.d/password-auth I missed that it was an include, an that you 
wanted it too, again it's as installed bt CentOS 7.4 and ipa-client-install

[root@hpch2fa01 pam.d]# cat password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 
quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only 
retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass 
use_authtok
password    sufficient    pam_sss.so use_authtok


password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet 
use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

-----Original Message-----
From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz] 
Sent: Wednesday, 22 November 2017 9:19 PM
To: 'FreeIPA users list' <freeipa-users@lists.fedorahosted.org>
Cc: 'Sumit Bose' <sb...@redhat.com>
Subject: RE: [Freeipa-users] Re: Expired passwords and generating an OTP token

Hi Sumit,

The pam.d configuration is as configured by the CentOS 7.4 install and running 
ipa-client-install. 

Here's the content of /etc/pam.d/sshd

[root@hpch2fa01 ~]# cd /etc/pam.d
[root@hpch2fa01 pam.d]# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the 
user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

We also added one line to /etc/ssh/sshd, otherwise it's as configured by the 
CentOS 7.4 install and running ipa-client-install

AuthenticationMethods keyboard-interactive

It'd be nice if there's a simple config fix for this, and I recommend it's 
worked into the ipa-client-install helper script or authconfig.

Regards,

Aaron

-----Original Message-----
From: Sumit Bose via FreeIPA-users [mailto:freeipa-users@lists.fedorahosted.org]
Sent: Wednesday, 22 November 2017 8:11 PM
To: freeipa-users@lists.fedorahosted.org
Cc: Sumit Bose <sb...@redhat.com>
Subject: [Freeipa-users] Re: Expired passwords and generating an OTP token

On Wed, Nov 22, 2017 at 05:16:05PM +1300, Aaron Hicks via FreeIPA-users wrote:
> Hello the List,
> 
>  
> 
> This turned out to be a workflow issue, we still have a problem but 
> this first use case works.
> 
>  
> 
> In the case of a user with an invalid password (none or expired) with 
> no OTP token they can reset their password and ask IPA to create an 
> OTP token for them.
> 
>  
> 
> 1.    Helpdesk agent uses FreeIPA API passwd method to issue a temporary
> password and pass it to the user
> 2.    User uses ssh to login to 2FA host
> 3.    SSH forces user through the reset password process and closes
> connection
> 4.    User is not able to login without a OTP Token. A correct result.
> 5.    User uses FreeIPA API otptoken-add method with new password to
> generate & receive OTP token
> 6.    User is now able to SSH with password + OTP token.
> 
>  
> 
> What isn't working is the case where a user has an invalid token (non, 
> expired, or just reset) and a valid OTP token.
> 
>  
> 
> 1.    (Optional, but puts user into required state) Helpdesk agent uses
> FreeIPA API passwd method to issue a temporary password and pass it to 
> the user
> 2.    User uses ssh to login to 2FA host, which asks for temporary
> password.
> 3.    SSH forces user through reser password process and closes
> connection.
> 4.    User is now able to SSH with password + OTP poken
> 
>  
> 
> In this case step 2 fails. The reset password process looks like this:

How does your sshd PAM configuration looks like, e.g. /etc/pam.d/sshd (and 
included files).

bye,
Sumit

> 
>  
> 
> login as: username
> 
> Using keyboard-interactive authentication.
> 
> Password:
> 
> Access denied
> 
> Using keyboard-interactive authentication.
> 
> Password:
> 
> Using keyboard-interactive authentication.
> 
> Password expired. Change your password now. 
> 
> Current Password:
> 
> Access denied
> 
>  
> 
> The change password process fails.
> 
>  
> 
> However, if we disable or delete their OTP token (which requires 
> FreeIPA admin, not helpdesk role) they're able to reset their 
> password. We don't want to have to give admin rights to the helpdesk agent 
> for this.
> 
>  
> 
> This is also complicated by that the FreeIPA API changes behaviour:
> 
> *     With an expired/password user can not connect to the API, even to do
> passwd to reset password
> *     With an OTP token, users have to use passwordOTPCODE to access the
> API, which means they can't manage their otptoken if they've lost it 
> or want to disable it so they can reset their password because they 
> forgot it,  or delete it.
> 
>  
> 
> Is there a way of allowing users in the helpdesk group/role to be able 
> to disable/enable or delete OTP tokens? They don't need to see the 
> content, just allow users to restart the password and token request process.
> 
>  
> 
> Is there a fix for the above workflow to allow a user with an OTP 
> token to reset their password?
> 
>  
> 
> Regards,
> 
>  
> 
> Aaron Hicks
> 
>  
> 
> From: Aaron Hicks [mailto:aaron.hi...@nesi.org.nz]
> Sent: Tuesday, 21 November 2017 6:22 PM
> To: freeipa-users@lists.fedorahosted.org
> Subject: Expired passwords and generating an OTP token
> 
>  
> 
> Hello the list,
> 
>  
> 
> I think this is the last thing to make our terrible user management 
> model work.
> 
>  
> 
> With a helpdesk role via the REST API we can reset a users password, 
> which is expired, because this is the right thing to do.
> 
>  
> 
> These users are expected to log into a node with 2FA using an OTP 
> token generated by FreeIPA. This works if a user has a valid password and a 
> token.
> This is the only machine they have access to, as it's they lander 
> node. They can not reach the FreeIPA web interface. They can use the 
> FreeIPA API via our customer management system (CMS) either as them 
> self or as a helpdek agent on their behalf. The CMS auth is SAML via 
> federated shibboleth, so does not use our FreeIPA credentials.
> 
>  
> 
> However, we have few use cases we need to work: 
> 
>  
> 
> Can a user generate an OTP token when their password is expired?
> 
>  
> 
> Can a a user reset their password when they do not have an OTP token?
> 
>  
> 
> Can a user reset their password when they can't log in to get the 
> secret from thier OTP token?
> 
>  
> 
> I think the shortest routes would be:
> 
>  
> 
> - if a user could reset an expired password via the FreeIPA API, then 
> use the otptoken_add method to create one all via our CMS.
> 
>  
> 
> - if a user could reset thier password at the ssh login prompt if they 
> have no token or don't have thier token. Then add a token via our CMS.
> 
>  
> 
>  
> 
> Regards,
> 
>  
> 
> Aaron
> 
>  
> 
> Get Outlook for iOS <https://aka.ms/o0ukef>
> 

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to 
> freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to