Re: patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

Nick Owen wrote:
>
> We recently had a customer that wanted to check a password against AD
> via kerberos and then a one-time passcode against a WiKID Strong
> Authentication server via radius. We found that PAM passed the AD
> password to our OTP server, which failed. We have added a pam option
> "always prompt" in the attached code. This will force a "WiKID
> passcode:" prompt regardless of any previous password entry. This can
> be changed, of course.
>
Better to lead with the OTP as then you fend off brute force and dictionary attacks.

Cheers

--
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

Greetings:

We recently had a customer that wanted to check a password against AD via kerberos and then a one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option "always prompt" in the attached code. This will force a "WiKID passcode:" prompt regardless of any previous password entry. This can be changed, of course.

The /etc/pam.d/sshd file looks like:

    #%PAM-1.0
    auth       required     /lib/security/pam_krb5.so
    auth       requisite    /lib/security/pam_radius_auth.so always_prompt
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

No changes to system-auth were made.

The /etc/ssh/sshd_config looks like:

    Protocol 2
    SyslogFacility AUTHPRIV
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    UsePAM yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    X11Forwarding yes
    UseDNS no
    Subsystem sftp /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

124a125,128
> } else if (!strcmp(*argv, "always_prompt")) {
> ctrl |= PAM_ALWAYS_PROMPT;
> DPRINT(LOG_DEBUG, "DEBUG: Got always_prompt option");
>
1134,1136c1138,1149
< /* grab the password (if any) from the previous authentication layer */
< retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
< PAM_FAIL_CHECK;
---
> /* if always_propmpt is specified grab the passcode from the user */
> if ((ctrl & PAM_ALWAYS_PROMPT)) {
> DPRINT(LOG_DEBUG, "Should prompt for the passcode now...");
> retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
> password = strdup(password);
> DPRINT(LOG_DEBUG, "Got passcode %s", password);
> PAM_FAIL_CHECK;
> } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
> }
1149c1162
<
---
>
1154d1166
<
124a125,127
> } else if (!strcmp(*argv, "always_prompt")) {
> ctrl |= PAM_ALWAYS_PROMPT;
>
1134,1136c1137,1146
< /* grab the password (if any) from the previous authentication layer */
< retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
< PAM_FAIL_CHECK;
---
> /* if always_propmpt is specified grab the passcode from the user */
> if ((ctrl & PAM_ALWAYS_PROMPT)) {
> retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
> password = strdup(password);
> PAM_FAIL_CHECK;
> } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
> }
1149c1159
<
---
>
1154d1163
<
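Review bot: the 124a125,128 hunk sets and later tests a PAM_ALWAYS_PROMPT bit, but no definition of that constant is part of the posted diff, so the patch cannot build against the module header as submitted; add the #define (a bit value that does not collide with the existing ctrl flags) and document the new always_prompt option alongside the other module arguments, since it changes where the credential comes from.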
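Review bot: in the 1134,1136c1138,1149 hunk `password = strdup(password);` runs before `PAM_FAIL_CHECK;`, so if rad_converse returned an error the module copies a pointer whose contents it has not validated before the return code is even looked at; move `PAM_FAIL_CHECK;` ahead of the strdup and check the strdup result for NULL. The line `DPRINT(LOG_DEBUG, "Got passcode %s", password);` writes the one-time passcode itself into the debug log, where it stays long after its validity window; log that a passcode was obtained, not its value. The comment also misspells the option ("always_propmpt").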
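Review bot: the 1149c1162 and 1154d1166 hunks replace or delete blank lines only and carry no code change; drop them so the patch is limited to the always_prompt addition.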
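Review bot: from 124a125,127 onward the attachment carries a second copy of the same patch that differs only by omitting the DPRINT lines; submit one version, and in that copy too `password = strdup(password);` still precedes `PAM_FAIL_CHECK;` in the 1134,1136c1137,1146 hunk, so the same reordering and NULL check apply.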
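To show why the hand-off Nick describes fails, what the always_prompt option changes, and why Alexander's advice to put the OTP line first matters, here is an added example (not pam_radius, Linux-PAM, or either poster's code): a small Python model of an auth stack with the required/requisite control flags and the PAM_AUTHTOK hand-off between modules. The module names mirror the /etc/pam.d/sshd in the post; the sample credentials, the list of password guesses and the Module/run_stack helpers are constructed for the demonstration, and the model ignores the other control flags and module options.

```python
"""Model of a two-factor PAM auth stack (Kerberos password, then a RADIUS
one-time passcode).  Added example, not pam_radius or Linux-PAM code: it
models only the PAM_AUTHTOK hand-off between modules and the 'required' /
'requisite' control flags used in the /etc/pam.d/sshd shown in the thread."""

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7   # numeric values from Linux-PAM

# Constructed sample credentials for the demonstration (not real accounts).
AD_PASSWORD = "Winter2008!"
VALID_OTP = "48213907"


class Module:
    """One line of an auth stack: control flag, a check for the secret it
    expects, and whether it insists on prompting (the patch's always_prompt)."""

    def __init__(self, name, control, check, always_prompt=False):
        self.name = name                # e.g. "pam_radius_auth.so"
        self.control = control          # "required" or "requisite"
        self.check = check              # secret -> bool
        self.always_prompt = always_prompt
        self.calls = 0                  # how often this backend was consulted

    def authenticate(self, authtok, prompt):
        """Return (retval, authtok).  Without always_prompt the module reuses
        whatever an earlier module stored in PAM_AUTHTOK, which is how the AD
        password ended up being sent to the OTP server."""
        if self.always_prompt or authtok is None:
            secret = prompt(self.name)
        else:
            secret = authtok
        self.calls += 1
        retval = PAM_SUCCESS if self.check(secret) else PAM_AUTH_ERR
        # the first module to prompt leaves its answer in PAM_AUTHTOK
        return retval, (secret if authtok is None else authtok)


def run_stack(stack, answers):
    """Run the auth stack; 'answers' maps module name -> what the user types
    when that module prompts.  Returns the final PAM result."""
    authtok, final = None, PAM_SUCCESS
    for m in stack:
        retval, authtok = m.authenticate(authtok, lambda name: answers[name])
        if retval != PAM_SUCCESS:
            final = retval
            if m.control == "requisite":
                break        # requisite: stop the stack on failure
            # required: record the failure but keep running the remaining lines
    return final


def two_factor_stack(always_prompt, otp_first=False):
    """Build the krb5 + radius stack from the post, optionally OTP line first."""
    krb5 = Module("pam_krb5.so", "required", lambda s: s == AD_PASSWORD)
    radius = Module("pam_radius_auth.so", "requisite",
                    lambda s: s == VALID_OTP, always_prompt=always_prompt)
    return ([radius, krb5] if otp_first else [krb5, radius]), krb5


GOOD_ANSWERS = {"pam_krb5.so": AD_PASSWORD, "pam_radius_auth.so": VALID_OTP}


def forwarded_token_scenario():
    """The failure in the post: radius reuses the AD password as the passcode."""
    stack, _ = two_factor_stack(always_prompt=False)
    return run_stack(stack, GOOD_ANSWERS)


def always_prompt_scenario():
    """With always_prompt the radius line asks for the passcode itself."""
    stack, _ = two_factor_stack(always_prompt=True)
    return run_stack(stack, GOOD_ANSWERS)


def guesses_reaching_kerberos(otp_first):
    """How many password guesses reach the Kerberos backend when the caller
    holds no valid OTP: with the OTP line first and 'requisite', none do."""
    guesses = ["password", "Password1", "Winter2008!", "letmein"]  # constructed
    stack, krb5 = two_factor_stack(always_prompt=True, otp_first=otp_first)
    for guess in guesses:
        run_stack(stack, {"pam_krb5.so": guess, "pam_radius_auth.so": "00000000"})
    return krb5.calls


if __name__ == "__main__":
    print("forwarded token:", forwarded_token_scenario())       # 7 (PAM_AUTH_ERR)
    print("always_prompt:  ", always_prompt_scenario())         # 0 (PAM_SUCCESS)
    print("guesses reaching krb5, password first:", guesses_reaching_kerberos(False))  # 4
    print("guesses reaching krb5, OTP first:     ", guesses_reaching_kerberos(True))   # 0
```

The last two calls are the point of the reply: with pam_krb5 first and `required`, every password guess is evaluated by the Kerberos backend (and counts against AD lockout policy) even though the stack fails afterwards, whereas with the `requisite` OTP line first the password backend is never consulted until a valid passcode has been presented.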