Re: patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-30 Thread Alexander Clouter
Nick Owen  wrote:
> 
> We recently had a customer that wanted to check a password against AD
> via kerberos and then a one-time passcode against a WiKID Strong
> Authentication server via radius.  We found that PAM passed the AD
> password to our OTP server, which failed.  We have added a pam option
> "always prompt" in the attached code.  This will force a "WiKID
> passcode:" prompt regardless of any previous password entry. This can
> be changed, of course.
>
Better to lead with the OTP as then you fend off brute force and 
dictionary attacks.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

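Alexander's point is about PAM stack order, so here is a small model of the Linux-PAM auth control flags that replays the stack Nick posted (pam_krb5 `required`, then pam_radius_auth `requisite`) against the OTP-first order and records which backend each attempt reaches. This is an added example, not code from the thread, from pam_radius or from Linux-PAM; the credential tables `AD_PASSWORDS` and `VALID_OTPS` are constructed stand-ins for the AD KDC and the WiKID server, and only the four simple control keywords are modelled (no `[value=action]` syntax).

```python
"""Model of Linux-PAM 'auth' stack control flags (added example, not from the
thread).  Shows why leading with the OTP matters: with pam_krb5 first and
marked `required`, every password guess is sent to the KDC and the RADIUS
server is queried afterwards anyway; with pam_radius_auth first and marked
`requisite`, a wrong OTP ends the stack before the password is ever tested.

Assumptions: simple control keywords only; in-memory stand-ins for the
backends; OTP consumption and PAM_PERM_DENIED for an all-optional stack are
not modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"

# Constructed credential data standing in for the AD KDC and the OTP server.
AD_PASSWORDS = {"alice": "Winter2011!"}
VALID_OTPS = {"alice": "483920"}


def krb5_check(creds: Dict[str, str]) -> bool:
    """Stand-in for pam_krb5: does the password match the AD account?"""
    return AD_PASSWORDS.get(creds["user"]) == creds["password"]


def radius_check(creds: Dict[str, str]) -> bool:
    """Stand-in for pam_radius_auth with always_prompt: does the passcode match?"""
    return VALID_OTPS.get(creds["user"]) == creds["otp"]


@dataclass
class Module:
    name: str
    control: str  # required | requisite | sufficient | optional
    check: Callable[[Dict[str, str]], bool]


def run_auth_stack(stack: List[Module], creds: Dict[str, str], trace: List[str]) -> str:
    """Evaluate an auth stack with Linux-PAM semantics for the simple keywords.
    required   - failure is remembered, but the remaining modules still run
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack unless a required module already failed
    optional   - result ignored
    `trace` receives the name of every module actually invoked, i.e. every
    backend that saw the credential.
    """
    required_failed = False
    for m in stack:
        trace.append(m.name)
        ok = m.check(creds)
        if m.control == "requisite" and not ok:
            return PAM_AUTH_ERR
        if m.control == "required" and not ok:
            required_failed = True
        if m.control == "sufficient" and ok and not required_failed:
            return PAM_SUCCESS
    return PAM_AUTH_ERR if required_failed else PAM_SUCCESS


POSTED_STACK = [  # order from the /etc/pam.d/sshd in the thread
    Module("pam_krb5", "required", krb5_check),
    Module("pam_radius_auth", "requisite", radius_check),
]
OTP_FIRST_STACK = [  # Alexander's suggestion: lead with the OTP
    Module("pam_radius_auth", "requisite", radius_check),
    Module("pam_krb5", "required", krb5_check),
]


def attempt(stack: List[Module], user: str, password: str, otp: str) -> Tuple[str, List[str]]:
    """One login attempt: returns (PAM result, backends contacted in order)."""
    trace: List[str] = []
    result = run_auth_stack(stack, {"user": user, "password": password, "otp": otp}, trace)
    return result, trace


def kdc_hits_without_otp(stack: List[Module], user: str, guesses: List[str]) -> int:
    """How many password guesses reach the KDC when the attacker holds no valid OTP."""
    return sum("pam_krb5" in attempt(stack, user, g, "000000")[1] for g in guesses)


if __name__ == "__main__":
    guesses = ["password", "Summer2011", "Winter2011!"]
    for label, stack in (("posted", POSTED_STACK), ("otp-first", OTP_FIRST_STACK)):
        print(label, attempt(stack, "alice", "Winter2011!", "483920"))
        print(label, "KDC contacted for", kdc_hits_without_otp(stack, "alice", guesses),
              "of", len(guesses), "guesses")
```

Note the second effect of the posted order: because pam_krb5 is `required` rather than `requisite`, a wrong AD password does not stop the stack, so the RADIUS server is still asked for a passcode on every failed attempt.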

patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-30 Thread Nick Owen
Greetings:

We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option
"always prompt" in the attached code.  This will force a "WiKID
passcode:" prompt regardless of any previous password entry. This can
be changed, of course.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite     /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
> } else if (!strcmp(*argv, "always_prompt")) {
>   ctrl |= PAM_ALWAYS_PROMPT;
>   DPRINT(LOG_DEBUG, "DEBUG: Got always_prompt option");
> 
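Review bot: `PAM_ALWAYS_PROMPT` is set here (`ctrl |= PAM_ALWAYS_PROMPT;`) but no hunk in the posted diff defines it, so the module will not build until the matching `#define` is added to the header; include that hunk, and document the new option, which this patch does not do. The `DPRINT(LOG_DEBUG, "DEBUG: Got always_prompt option")` text also repeats the DEBUG level inside the message.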
1134,1136c1138,1149
<   /* grab the password (if any) from the previous authentication layer */
<   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
<   PAM_FAIL_CHECK;
---
>   /* if always_propmpt is specified grab the passcode from the user */
>   if ((ctrl & PAM_ALWAYS_PROMPT)) {
>   DPRINT(LOG_DEBUG, "Should prompt for the passcode now...");
>   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
>   password = strdup(password);
>   DPRINT(LOG_DEBUG, "Got passcode %s", password);
>   PAM_FAIL_CHECK;
>   } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
>   }
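Review bot: `password = strdup(password);` runs before `PAM_FAIL_CHECK`, so when `rad_converse` fails `strdup` is still called on whatever `password` holds; put the check first and test the copy:
  retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
  PAM_FAIL_CHECK;
  password = strdup(password);  /* and handle a NULL return */
`DPRINT(LOG_DEBUG, "Got passcode %s", password)` writes the one-time passcode to syslog in clear; the code stays usable until it is consumed or expires, and debug output is routinely left enabled, so log that a passcode was collected, not its value. Two smaller points: the prompt string `"WiKID Passcode: "` hard-codes one vendor into a general RADIUS module and should come from a module option, and the comment misspells `always_prompt` as `always_propmpt`.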
1149c1162
< 
---
> 
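Review bot: this hunk and the `1154d1166` hunk below it change only blank lines; drop them so the diff carries the functional change alone.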
1154d1166
< 
124a125,127
> } else if (!strcmp(*argv, "always_prompt")) {
>   ctrl |= PAM_ALWAYS_PROMPT;
> 
1134,1136c1137,1146
<   /* grab the password (if any) from the previous authentication layer */
<   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
<   PAM_FAIL_CHECK;
---
>   /* if always_propmpt is specified grab the passcode from the user */
>   if ((ctrl & PAM_ALWAYS_PROMPT)) {
>   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
>   password = strdup(password);
>   PAM_FAIL_CHECK;
>   } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
>   }
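Review bot: this second variant duplicates the first patch with the `DPRINT` lines removed; submit one patch, and this is the better base because it does not log the passcode, but it keeps the same ordering fault: `password = strdup(password);` precedes `PAM_FAIL_CHECK`, so the check does not protect the copy. Swap the two lines and handle a NULL return from `strdup`.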
1149c1159
< 
---
> 
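Review bot: whitespace-only hunk, as is `1154d1163` below it; drop both.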
1154d1163
< 
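Nick's remark that the key change is `ChallengeResponseAuthentication yes` is worth checking mechanically, because sshd takes the first occurrence of a keyword and ignores later duplicates, so appending the setting to a stock distro file that already says `no` changes nothing. The checker below is an added example, not from the thread or from OpenSSH; the sample configs are constructed, only the global section is modelled (Match blocks are skipped), and cumulative keywords such as AcceptEnv are not handled.

```python
"""Checker for the two sshd_config settings the posted setup depends on
(added example, not from the thread or from OpenSSH).  With UsePAM yes and
ChallengeResponseAuthentication yes, sshd offers keyboard-interactive
authentication, which is what carries a PAM module's conversation prompt
(the "WiKID Passcode:" prompt here) to the client; with password
authentication alone, sshd hands PAM a single password and nothing else.

Assumptions: global section only (Match blocks skipped); cumulative keywords
are not modelled; sample configs below are constructed.
"""
import re
from typing import Dict, List, Tuple

# Keywords are case-insensitive.  OpenSSH 8.7 renamed
# ChallengeResponseAuthentication to KbdInteractiveAuthentication and keeps
# the old spelling as an alias, so both are folded onto one key.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DEFAULTS = {"usepam": "no", "kbdinteractiveauthentication": "yes"}  # OpenSSH defaults
KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"


def effective_settings(text: str) -> Dict[str, str]:
    """Return the global settings sshd will actually use.
    For each keyword the FIRST occurrence wins; later duplicates are ignored.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue  # keyword with no value; not meaningful for this check
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything until the next Match is conditional
            continue
        if in_match:
            continue
        effective.setdefault(ALIASES.get(key, key), value)
    return effective


def pam_prompts_reach_client(text: str) -> Tuple[bool, List[str]]:
    """True if a PAM conversation prompt can be shown to an SSH client."""
    eff = effective_settings(text)
    problems: List[str] = []
    usepam = eff.get("usepam", DEFAULTS["usepam"]).lower()
    if usepam != "yes":
        problems.append(f"UsePAM={usepam}: sshd will not run the PAM auth stack")
    kbd = eff.get("kbdinteractiveauthentication", DEFAULTS["kbdinteractiveauthentication"]).lower()
    if kbd != "yes":
        problems.append(f"ChallengeResponseAuthentication={kbd}: no keyboard-interactive, "
                        "so PAM conversation prompts cannot be shown")
    return (not problems, problems)


# Constructed samples.  The first mirrors the file posted in the thread.
SAMPLE_POSTED = """\
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server
"""

SAMPLE_STOCK_PLUS_APPENDED = """\
# stock distro file left in place ...
ChallengeResponseAuthentication no
UsePAM yes
# ... with the intended fix appended at the bottom, where sshd ignores it
ChallengeResponseAuthentication yes
"""

SAMPLE_MATCH_ONLY = """\
UsePAM yes
Match User backup
    ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_POSTED), ("stock+appended", SAMPLE_STOCK_PLUS_APPENDED),
                      ("match-only", SAMPLE_MATCH_ONLY)):
        print(name, pam_prompts_reach_client(cfg))
```

Run it against the real file with `pam_prompts_reach_client(open("/etc/ssh/sshd_config").read())`; a `no` that survives in the output is the setting sshd is really using, whatever was appended later.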

patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-29 Thread Nick Owen
We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option
"always prompt" in the attached code.  This will force a "WiKID
passcode:" prompt regardless of any previous password entry.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite    /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
> } else if (!strcmp(*argv, "always_prompt")) {
>   ctrl |= PAM_ALWAYS_PROMPT;
>   DPRINT(LOG_DEBUG, "DEBUG: Got always_prompt option");
> 
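Review bot: `PAM_ALWAYS_PROMPT` is used here but no hunk of the posted diff defines it; the header change is missing, and the option is not documented anywhere in the patch.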
1134,1136c1138,1149
<   /* grab the password (if any) from the previous authentication layer */
<   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
<   PAM_FAIL_CHECK;
---
>   /* if always_propmpt is specified grab the passcode from the user */
>   if ((ctrl & PAM_ALWAYS_PROMPT)) {
>   DPRINT(LOG_DEBUG, "Should prompt for the passcode now...");
>   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
>   password = strdup(password);
>   DPRINT(LOG_DEBUG, "Got passcode %s", password);
>   PAM_FAIL_CHECK;
>   } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
>   }
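Review bot: `PAM_FAIL_CHECK` comes after `password = strdup(password);`, so a failed `rad_converse` still reaches `strdup`; move the check directly after the `rad_converse` call and check the `strdup` result for NULL. `DPRINT(LOG_DEBUG, "Got passcode %s", password)` logs the still-valid one-time passcode in clear and should go; the hard-coded `"WiKID Passcode: "` prompt belongs in a module option, and the comment has `always_propmpt` for `always_prompt`.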
1149c1162
< 
---
> 
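Review bot: whitespace-only hunk, as is `1154d1166` below it; drop both from the submission.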
1154d1166
< 
124a125,127
> } else if (!strcmp(*argv, "always_prompt")) {
>   ctrl |= PAM_ALWAYS_PROMPT;
> 
1134,1136c1137,1146
<   /* grab the password (if any) from the previous authentication layer */
<   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
<   PAM_FAIL_CHECK;
---
>   /* if always_propmpt is specified grab the passcode from the user */
>   if ((ctrl & PAM_ALWAYS_PROMPT)) {
>   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "WiKID Passcode: ", &password);
>   password = strdup(password);
>   PAM_FAIL_CHECK;
>   } else {
> /* grab the password (if any) from the previous authentication layer */
> retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
> PAM_FAIL_CHECK;
>   }
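Review bot: second copy of the patch with only the `DPRINT` lines removed; keep this one (it does not log the passcode) and drop the other, but the `strdup` before `PAM_FAIL_CHECK` ordering problem is present here too and needs the same swap.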
1149c1159
< 
---
> 
1154d1163
< 