Thanks for the swift response Sumit. It prompted some more testing: disabling unix auth and leaving only sss active (from /usr/share/pam-configs) behaved, and I worked through the differences of what they were pulling in vs the link I had been following. In the end it was an embarrassing format fail :facepalm:. So, tips for anyone attempting this: use the attachment, not the pasted version, because formatting really matters (who'd have thought). And also, enabling challenge response auth in sshd_config is required if you want to get that second factor auth prompt working there too!
On Tue, 16 Mar 2021 at 06:35, Sumit Bose via FreeIPA-users <[email protected]> wrote:

> On Mon, Mar 15, 2021 at 06:04:17PM +0000, David Harvey via FreeIPA-users wrote:
> > Hi list,
> >
> > I've been attempting to get optional 2FA working for my Debian derivatives
> > so I can run per-host OTP nicely for the more sensitive boxes.
> > So far:
> > A user with "password and otp" only allowed in the can login as expected
> > with the password and OTP concatenated.
> > A user with both "password" and "password and otp" allowed cannot use the
> > concatenated practice. Working as expected I think so far from my
> > readings...
> >
> > I've then been trying to follow the advice on this thread:
> > https://lists.fedoraproject.org/archives/list/[email protected]/thread/LWXF4LYZXULQOEGCNU4DLPXKMWNVX6EF/
> > So that the pre-auth check can be made (the most relevant bit is the
> > example PAM script I've been shamelessly trying to force into action).
> > Applying their advice it gets me as far as throwing up the correct prompt
> > for 2FA users vs password only users, but on trying to auth either with or
> > without the OTP supplied I can't get in. I see the following errors in the
> > auth log:
> >
> > Mar 15 17:36:38 focal-test login[5183]: PAM (login) no control flag supplied
> > Mar 15 17:36:38 focal-test login[5183]: PAM (login) no module name supplied
> > Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> > Mar 15 17:36:38 focal-test login[5183]: PAM unable to dlopen(sha512): /lib/security/sha512: cannot open shared object file: No such file or directory
> > Mar 15 17:36:38 focal-test login[5183]: PAM adding faulty module: sha512
> > Mar 15 17:36:38 focal-test login[5183]: PAM (other) no control flag supplied
> > Mar 15 17:36:38 focal-test login[5183]: PAM (other) no module name supplied
> > Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> > Mar 15 17:36:47 focal-test login[5183]: pam_sss(login:auth): authentication success; logname=david uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=david
> > Mar 15 17:36:49 focal-test login[5183]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'david', Permission denied
>
> Hi,
>
> it looks like authentication worked but then access is denied. Can you
> share your PAM configuration for the login program?
>
> bye,
> Sumit
>
> >
> > I've been trying across a spread of Ubuntu and Debian versions to try and
> > ensure I've entertained sufficiently new sssd and libkrb5 versions but am
> > pretty stumped. Most confusing are the sha512 errors when it's also included
> > in the default unix pam config.
> > Feel free to tell me to f@£$ off to the sssd lists!
> >
> > David
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
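The "no control flag supplied", "no module name supplied", "expecting return value; [...try_first_pass]" and "unable to dlopen(sha512)" lines in the auth log above are what Linux-PAM reports when a pasted pam.d snippet has wrapped mid-line, which is the format failure this thread ended on. As an added example that is not code from the thread, from Linux-PAM or from the pam-configs package, the Python linter below applies the same structural rules to a pam.d file (type, then a control keyword or a [value=action ...] block, then a module path) and reports the same classes of error on a constructed sample; the ".so" check is a heuristic of this example, not a PAM rule.

```python
PAM_TYPES = {"auth", "account", "password", "session"}
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

def _pop(s):
    parts = s.split(None, 1) + ["", ""]  # -> (first token, remainder), "" when absent
    return parts[0], parts[1]

def lint_pam_config(text):
    """Return [(line_no, message)] for pam.d lines Linux-PAM would reject or misread;
    the wording mirrors the error classes in the auth log quoted above."""
    problems = []
    # A trailing backslash continues a line in pam.d; join those before checking.
    for n, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # blank, comment, or Debian's @include directive
        mtype, rest = _pop(line)
        if mtype.lstrip("-") not in PAM_TYPES:
            problems.append((n, f"illegal module type: {mtype}"))
            continue
        if not rest:
            problems.append((n, "no control flag supplied"))
            continue
        if rest.startswith("["):  # bracketed control: value=action entries up to ']'
            ctl, closed, rest = rest[1:].partition("]")
            if not closed:
                problems.append((n, "unterminated control bracket"))
                continue
            problems += [(n, f"expecting return value; [...{t}]")
                         for t in ctl.split() if "=" not in t]
        else:
            control, rest = _pop(rest)
            if control not in PAM_CONTROLS:
                problems.append((n, f"unknown control flag: {control}"))
        module, _args = _pop(rest)
        if not module:
            problems.append((n, "no module name supplied"))
        elif not module.endswith(".so"):
            # Heuristic: sha512 in module position is the usual sign of a wrapped paste
            problems.append((n, f"module path does not end in .so: {module}"))
    return problems

# Constructed sample: line 1 is intact, lines 2-5 show what a wrapped paste produces.
SAMPLE = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth                                                # control and module lost
account [success=1 default=ignore]                  # module name lost
password [success=1 default=ignore try_first_pass] pam_unix.so
session optional sha512                             # argument became the module
"""
```

Running `lint_pam_config` over a real file from /etc/pam.d before restarting sshd or logging out catches exactly the class of mistake that produced the log above.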
