Hello everybody,
I tried the bellow configuration, but I can still only authorize with
pass+otp.
I assume pam_unix.so only works for local users? I only have sssd
freeipa users. Is there a way to tell pam_sss.so to only use the
password if --user-auth-type=otp is set?
/etc/pam.d/common-auth
auth [success=2 default=ignore] pam_succeed_if.so service in
mate-screensaver:lightdm:xrdp-sesman
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid
>= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
Mar 29 13:19:01 workstation01 mate-screensaver-dialog:
pam_succeed_if(mate-screensaver:auth): requirement "service in
mate-screensaver:lightdm:xrdp-sesman" was met by user "jdejong"
Mar 29 13:19:49 workstation01 mate-screensaver-dialog:
pam_unix(mate-screensaver:auth): authentication failure; logname=
uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Mar 29 13:19:50 workstation01 mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): authentication success; logname=
uid=350600026 euid=350600026 tty=:10.0 ruser= rhost= user=jdejong
Kind regards,
Jelle de Jong
On 26/03/2019 18:04, Charles Hedrick via FreeIPA-users wrote:
Basically if you put pam_unix before pam_sss, you’ll get a single prompt, and
things like RDP will work with OTP.
Here’s the default in password-auth and system-auth for Centos 7
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000
quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
This causes local users and users with UID < 1000 to use Unix, otherwise go
directly to sss.
You can add another line to test for specific services, and force pam_unix,
i.e. a single prompt, e.g.
auth [success=2 default=ignore] pam_succeed_if.so service in
lightdm:xrdp-sesman.
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000
quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
The one that gets messy is x2go, because it uses ssh, and can’t be detected by
a service test.
On Mar 19, 2019, at 2:16 PM, Jelle de Jong via FreeIPA-users
<[email protected]> wrote:
Hello everybody,
Thank you all for replying.
On 18/03/2019 20:44, Jakub Hrozek wrote:
On Mon, Mar 18, 2019 at 06:14:16PM +0200, Alexander Bokovoy wrote:
On ma, 18 maalis 2019, Jelle de Jong via FreeIPA-users wrote:
Hello everybody,
I am looking for a way to have different authentication policy for a
freeia-client logout and screenlock on linux workstations.
When a user logs in I want to use my password+otp (this is working)!
When a user locks it screen I want to be able unlock it with only the
password.
When a user logs out and back in then it needs to use the password+otp
again.
I am aware of the security implications for this.
How can I configure this policy?
I don't think there is a way to deploy such policy through SSSD at all.
Jakub, do you have an idea how to make that possible?
Currently I can't think of anything clean either. Is the lock screen and the
login manager the same PAM service? If they are different, maybe some
hack like letting pam_unix to always read the password and then just
pass it on to pam_sss would work..
But I know Sumit is working on improving the 2FA prompting lately, so
maybe this will be improved in the upcoming release.
I seem to have mate-screensaver, lightdm and xrdp-sesman.
Will that be enough to hook a custom pam rule together for mate-screensaver?
If not is it possible to disable OTP for all the destkop systems in sssd.conf?
and have it still working for all other systems with --user-auth-type=otp as
only enabled option in freeipa?
Also for laptop systems in offline
disable_preauth
forward_pass
Mar 19 18:54:50 workstation01 mate-screensaver-dialog:
pam_unix(mate-screensaver:auth): authentication failure; logname= uid=350600021
euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:54:51 workstation01 mate-screensaver-dialog:
pam_sss(mate-screensaver:auth): authentication success; logname= uid=350600021
euid=350600021 tty=:10.0 ruser= rhost= user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_unix(xrdp-sesman:auth):
authentication failure; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=
user=jdejong
Mar 19 18:56:48 workstation01 xrdp-sesman[788]: pam_sss(xrdp-sesman:auth):
authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost=
user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_unix(lightdm:auth): authentication
failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
Mar 19 19:01:01 workstation01 lightdm: pam_sss(lightdm:auth): authentication
success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=jdejong
cat /etc/pam.d/mate-screensaver
@include common-auth
auth optional pam_gnome_keyring.so
cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
# end of pam-auth-update config
sssd 1.16.1-1ubuntu1.1
root@workstation01:~# ls -hal /etc/pam.d/
total 136K
drwxr-xr-x 2 root root 4,0K Mar 15 11:35 .
drwxr-xr-x 161 root root 12K Mar 19 18:22 ..
-rw-r--r-- 1 root root 384 Jan 25 2018 chfn
-rw-r--r-- 1 root root 92 Jan 25 2018 chpasswd
-rw-r--r-- 1 root root 581 Jan 25 2018 chsh
-rw-r--r-- 1 root root 1,3K Mar 11 16:11 common-account
-rw-r--r-- 1 root root 1,4K Mar 11 16:11 common-auth
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-password
-rw-r--r-- 1 root root 1,6K Mar 11 16:11 common-session
-rw-r--r-- 1 root root 1,5K Mar 11 16:11 common-session-noninteractive
-rw-r--r-- 1 root root 606 Nov 16 2017 cron
-rw-r--r-- 1 root root 69 Mar 27 2018 cups
-rw-r--r-- 1 root root 884 Mar 22 2018 lightdm
-rw-r--r-- 1 root root 551 Mar 22 2018 lightdm-autologin
-rw-r--r-- 1 root root 727 Mar 22 2018 lightdm-greeter
-rw-r--r-- 1 root root 4,9K Jan 25 2018 login
-rw-r--r-- 1 root root 57 Dec 11 2014 mate-screensaver
-rw-r--r-- 1 root root 92 Jan 25 2018 newusers
-rw-r--r-- 1 root root 520 Apr 4 2018 other
-rw-r--r-- 1 root root 92 Jan 25 2018 passwd
-rw-r--r-- 1 root root 270 Jul 13 2018 polkit-1
-rw-r--r-- 1 root root 168 Feb 26 2018 ppp
-rw-r--r-- 1 root root 143 Feb 14 2018 runuser
-rw-r--r-- 1 root root 138 Feb 14 2018 runuser-l
-rw-r--r-- 1 root root 84 Nov 8 19:09 samba
-rw-r--r-- 1 root root 2,1K Mar 4 13:17 sshd
-rw-r--r-- 1 root root 214 Jan 16 16:58 sssd-shadowutils
-rw-r--r-- 1 root root 2,3K Jan 25 2018 su
-rw-r--r-- 1 root root 239 Jan 18 2018 sudo
-rw-r--r-- 1 root root 317 Apr 20 2018 systemd-user
-rw-r--r-- 1 root root 104 Feb 16 2018 xrdp-sesman
Thank you in advance!
Kind regards,
Jelle de Jong
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
