On Mon, Mar 15, 2021 at 06:04:17PM +0000, David Harvey via FreeIPA-users wrote:
> Hi list,
>
> I've been attempting to get optional 2FA working for my Debian derivatives
> so I can run per-host OTP nicely for the more sensitive boxes.
> So far:
> A user with only "password and otp" allowed can log in as expected
> with the password and OTP concatenated.
> A user with both "password" and "password and otp" allowed cannot use the
> concatenated practice. Working as expected I think so far from my
> readings...
>
> I've then been trying to follow the advice on this thread:
> https://lists.fedoraproject.org/archives/list/[email protected]/thread/LWXF4LYZXULQOEGCNU4DLPXKMWNVX6EF/
> so that the pre-auth check can be made (the most relevant bit is the
> example PAM script I've been shamelessly trying to force into action).
> Applying their advice gets me as far as throwing up the correct prompt
> for 2FA users vs password-only users, but on trying to auth either with or
> without the OTP supplied I can't get in.
> I see the following errors in the auth log:
>
> Mar 15 17:36:38 focal-test login[5183]: PAM (login) no control flag supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM (login) no module name supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> Mar 15 17:36:38 focal-test login[5183]: PAM unable to dlopen(sha512): /lib/security/sha512: cannot open shared object file: No such file or directory
> Mar 15 17:36:38 focal-test login[5183]: PAM adding faulty module: sha512
> Mar 15 17:36:38 focal-test login[5183]: PAM (other) no control flag supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM (other) no module name supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> Mar 15 17:36:47 focal-test login[5183]: pam_sss(login:auth): authentication success; logname=david uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=david
> Mar 15 17:36:49 focal-test login[5183]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'david', Permission denied
Hi,

it looks like authentication worked but then access is denied. Can you share your PAM configuration for the login program?

bye,
Sumit

> I've been trying across a spread of Ubuntu and Debian versions to try and
> ensure I've entertained sufficiently new sssd and libkrb5 versions but am
> pretty stumped. Most confusing is the sha512 errors when it's also included
> in the default unix pam config.
> Feel free to tell me to f@£$ off to the sssd lists!
>
> David
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
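The first eight log lines quoted above are emitted by libpam while it parses the pam.d stack, before any module runs: "no control flag supplied" and "no module name supplied" come from a line that has only a module type, "expecting return value; [...tok]" from a bracketed control whose token is not of the form retval=action, and "unable to dlopen(sha512)" from the word after a control being taken as the module name. The same messages appearing under both (login) and (other) suggest the offending line lives in a file both stacks include. As an added example for this thread (not code from FreeIPA, SSSD or Linux-PAM), the checker below walks a pam.d fragment and reports those line shapes. The input is a constructed fragment modelled on Debian's common-auth with sssd, with two deliberately broken lines; the finding text follows libpam's syslog wording loosely, the recognised action keywords are the ones listed in pam.conf(5), and the `service` argument only labels findings the way libpam does with "(login)" and "(other)".

```python
"""Checker for the pam.d line shapes behind libpam's parse errors.

Added example for this thread; not code from FreeIPA, SSSD or Linux-PAM.
Messages mimic libpam's syslog wording loosely.  The 'service' argument
only labels findings the way libpam does with '(login)' / '(other)'.
"""

MODULE_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional",
                   "include", "substack"}
# Right-hand side of a [retval=action] control (pam.conf(5)): an action
# keyword or a positive integer meaning "skip the next N modules in the stack".
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}


def split_control(rest):
    """Split 'control  module args' into (control, remainder).

    The control is either one word (required, sufficient, ...) or a
    bracketed list that may itself contain spaces: [success=1 default=ignore].
    """
    rest = rest.lstrip()
    if rest.startswith("["):
        end = rest.find("]")
        if end == -1:                      # unterminated bracket swallows the line
            return rest, ""
        return rest[:end + 1], rest[end + 1:]
    parts = rest.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def check_line(line, service="login"):
    """Return the problems found on one pam.d line (empty list if it is fine)."""
    problems = []
    body = line.split("#", 1)[0].strip()   # drop comments and blank lines
    if not body or body.lower().startswith("@include"):
        return problems                    # '@include file' pulls in another file
    parts = body.split(None, 1)
    mtype = parts[0].lower().lstrip("-")   # a leading '-' only quiets a missing module
    if mtype not in MODULE_TYPES:
        problems.append(f"({service}) illegal module type: {parts[0]}")
        return problems
    control, rest = split_control(parts[1] if len(parts) > 1 else "")
    if not control:
        problems.append(f"({service}) no control flag supplied")
    elif control.startswith("["):
        if not control.endswith("]"):
            problems.append(f"({service}) unterminated control flag: {control}")
        # every token inside the brackets must be retval=action
        for tok in control.strip("[]").split():
            if "=" not in tok:
                problems.append(f"expecting return value; [...{tok}]")
                continue
            action = tok.split("=", 1)[1]
            if action not in ACTIONS and not action.isdigit():
                problems.append(f"unknown action in [...{tok}]")
    elif control.lower() not in SIMPLE_CONTROLS:
        problems.append(f"({service}) unknown control flag: {control}")
    mod_parts = rest.split(None, 1)
    if not mod_parts:
        problems.append(f"({service}) no module name supplied")
    elif control.lower() not in ("include", "substack") and not mod_parts[0].endswith(".so"):
        # libpam would try dlopen() on this and then log 'adding faulty module'
        problems.append(f"unable to dlopen({mod_parts[0]}): not a .so module name")
    return problems


def check_config(text, service="login"):
    """Lint a whole pam.d file body; returns [(line_number, message), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for msg in check_line(line, service):
            findings.append((n, msg))
    return findings


# Constructed input (not the poster's real config): Debian-style common-auth
# with sssd, plus two deliberately broken lines.  Line 6 has its closing
# bracket after the module arguments, so 'sha512' is parsed as the module
# name; line 7 carries neither a control flag nor a module name.
SAMPLE = """\
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
auth    [success=1 default=ignore]      pam_sss.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
# broken lines follow
password [success=1 default=ignore pam_unix.so obscure use_authtok try_first_pass] sha512
auth
"""

if __name__ == "__main__":
    for n, msg in check_config(SAMPLE):
        print(f"line {n}: {msg}")
```

Running it over the constructed fragment reports nothing for the four well-formed lines, four "expecting return value" findings plus the dlopen finding for line 6, and the control-flag and module-name findings for line 7. Point `check_config` at the concatenation of /etc/pam.d/login and the common-* files it includes to locate a line that produces the quoted messages; the checker only covers parse-time errors, so the later "FAILED LOGIN" after a successful pam_sss auth still needs the account and session stacks looked at separately.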
