Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Alexander Bokovoy

On Fri, 23 Sep 2016, Deepak Dimri wrote:

Hi Alexander,


I  somehow manage to try it on fedora and it did work fine for me..


Now is there any way i can restrict the login to OTP only? and not password + 
OTP?

No, this is not supported. OTP value only is not secure enough (6 digits
by default, really low entropy).




Best Regards,

Deepak



From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:


Hi All,


I am trying hard to get my 2FA working with FreeIPA but every effort of
mine going waste! I have referred earlier forum emails but could not
find any good reply on the issue i am facing.


This is what i am trying


I have a test user created in my IPA server enabled with Two factor
authentication (password + OTP) and has ssh public key added in its
profile.  I want this test user to ssh into my ipa client (ubuntu
14.04) using  key + password + OTP. I woudl ceryainly prefer just the
key+  OTP only ( no password) but that seems far sighted as i cannot
even make it work with what it supposed to work password + OTP.

Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.


My /etc/ssh/sshd_conf file has almost everything default  except i
added these two lines at the end of it

Match Group testusergroup

  AuthenticationMethods publickey,password:pam 
publickey,keyboard-interactive:pam

i also tried with below but no luck

Match Group testusergroup

AuthenticationMethods publickey,keyboard-interactive


my /etc/pam.d/sshd has these two changes, rest i kept default:


# Standard Un*x authentication.

#@include common-auth


auth required pam_sss.so


Now when i try to ssh into ipa client i either keep getting promptS for
the password or it gets into a loop asking me to change the password
;complaining falsely that it has expired. I have tried multiple
combinations of configurations by referring earlier email threads but
none i found helpful. I cant make simple 2FA login to work with
freeIPA. Normal password and key works just fine. its the 2FA which
does not work for me.


Would really be thankful if some one can help me with this issue.. is
there any good freeIPA 2FA configuration document that i can refer?

What should the steps for it work seamlessly?


Many Thanks,

Deepak




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users

Freeipa-users Info Page - Red 
Hat<https://www.redhat.com/mailman/listinfo/freeipa-users>
www.redhat.com
Freeipa-users -- List dedicated to discussions about use, configuration and 
deployment of the IPA server. About Freeipa-users




Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Alexander Bokovoy

On Fri, 23 Sep 2016, Deepak Dimri wrote:

Hi Alexander,  I am using AWS to do a pilot on freeIPA & unfortunately
AWS does not provide fedora or centos as part of its freetier setup so
i have to live with ubuntu, redhat , suse etc.  I have same problem
with ubuntu and redhat though!

CentOS 7 is available and eligible for free tier:
https://aws.amazon.com/marketplace/pp/B00O7WM7QW



Just one basic question.. what are the steps i should be following to
make it work assuming i am trying on centos or fedora

Literally what you describe in your setup, except that 'passwod:pam'
seems to be broken in OpenSSH -- given that you are using PAM already
for password checks, removing :pam should just work. It works for me
with

Match Group twofa
  AllowGroups twofa
  AuthenticationMethods publickey,password publickey,keyboard-interactive

as the last statement in the sshd_config.

Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: 
monitor_child_preauth: method publickey: partial
...
Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: 
sshpam_passwd_conv called with 2 messages
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: 
request received
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user 
query start
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user 
query end: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind 
start: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind 
end: success
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: 
response sent: Access-Accept
Sep 23 11:56:10 f24-master.ipa.ad.test audit[2965]: USER_AUTH pid=2965 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication 
grantors=pam_succeed_if,pam_sss acct="foobar" exe="/usr/sbin/sshd" 
hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): 
authentication success; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=192.168.5.136 user=foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password 
authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: 
mm_answer_authpassword: sending result 1
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send 
entering: type 13
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: 
updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication 
methods list 0 complete
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: 
mm_request_receive_expect entering: type 102
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive 
entering
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: do_pam_account: 
called
Sep 23 11:56:12 f24-master.ipa.ad.test audit[2965]: USER_ACCT pid=2965 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting 
grantors=pam_unix,pam_sss,pam_permit acct="foobar" exe="/usr/sbin/sshd" 
hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: do_pam_account 
pam_acct_mgmt = 0 (Success)
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send 
entering: type 103
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar 
from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: 
monitor_child_preauth: foobar has been authenticated by privileged process

The first line above says that publickey method was successful but not
enough to allow login (partial) because password is also required. The
client got a request to enter password+OTP value. As you can see the user is 
only
allowed to login with an OTP token.

$ ssh foobar@192.168.5.117
foobar@192.168.5.117's password: 
Last login: Fri Sep 23 11:49:17 2016

-sh-4.3$ id
uid=903200044(foobar) gid=903200044(foobar) 
groups=903200044(foobar),903200046(twofa) 
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:903200044:krb_ccache_Dk553LV
Default principal: foo...@ipa.ad.test

Valid starting   Expires  Service principal
09/23/2016 11:56:08  09/24/2016 11:56:08  krbtgt/ipa.ad.t...@ipa.ad.test

-sh-4.3$ ipa user-show foobar
 User login: foobar
 First name: Test
 Last name: Foo
 Home directory: /home/foobar
 Login shell: /bin/sh
 Principal name: foo...@ipa.ad.test
 Principal alias: foo...@ipa.ad.test
 Email address: foo...@ipa.ad.test
 UID: 903200044
 GID: 903200044
 User authentication types: otp
 Account disabled: False
 Password: True
 Member of groups: twofa, ipausers
 

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
Hi Alexander,


I  somehow manage to try it on fedora and it did work fine for me..


Now is there any way i can restrict the login to OTP only? and not password + 
OTP?


Best Regards,

Deepak



From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:
>
>Hi All,
>
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine going waste! I have referred earlier forum emails but could not
>find any good reply on the issue i am facing.
>
>
>This is what i am trying
>
>
>I have a test user created in my IPA server enabled with Two factor
>authentication (password + OTP) and has ssh public key added in its
>profile.  I want this test user to ssh into my ipa client (ubuntu
>14.04) using  key + password + OTP. I woudl ceryainly prefer just the
>key+  OTP only ( no password) but that seems far sighted as i cannot
>even make it work with what it supposed to work password + OTP.
Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.

>My /etc/ssh/sshd_conf file has almost everything default  except i
>added these two lines at the end of it
>
>Match Group testusergroup
>
>   AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
>
>i also tried with below but no luck
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,keyboard-interactive
>
>
>my /etc/pam.d/sshd has these two changes, rest i kept default:
>
>
># Standard Un*x authentication.
>
>#@include common-auth
>
>
>auth required pam_sss.so
>
>
>Now when i try to ssh into ipa client i either keep getting promptS for
>the password or it gets into a loop asking me to change the password
>;complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring earlier email threads but
>none i found helpful. I cant make simple 2FA login to work with
>freeIPA. Normal password and key works just fine. its the 2FA which
>does not work for me.
>
>
>Would really be thankful if some one can help me with this issue.. is
>there any good freeIPA 2FA configuration document that i can refer?
>
>What should the steps for it work seamlessly?
>
>
>Many Thanks,
>
>Deepak
>

>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
Freeipa-users Info Page - Red 
Hat<https://www.redhat.com/mailman/listinfo/freeipa-users>
www.redhat.com
Freeipa-users -- List dedicated to discussions about use, configuration and 
deployment of the IPA server. About Freeipa-users



>Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri
Hi Alexander,  I am using AWS to do a pilot on freeIPA & unfortunately AWS does 
not provide fedora or centos as part of its freetier setup so i have to live 
with ubuntu, redhat , suse etc.  I have same problem with ubuntu and redhat 
though!


Just one basic question.. what are the steps i should be following to make it 
work assuming i am trying on centos or fedora


regards,

Deepak






From: Alexander Bokovoy <aboko...@redhat.com>
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

On Fri, 23 Sep 2016, Deepak Dimri wrote:
>
>Hi All,
>
>
>I am trying hard to get my 2FA working with FreeIPA but every effort of
>mine going waste! I have referred earlier forum emails but could not
>find any good reply on the issue i am facing.
>
>
>This is what i am trying
>
>
>I have a test user created in my IPA server enabled with Two factor
>authentication (password + OTP) and has ssh public key added in its
>profile.  I want this test user to ssh into my ipa client (ubuntu
>14.04) using  key + password + OTP. I woudl ceryainly prefer just the
>key+  OTP only ( no password) but that seems far sighted as i cannot
>even make it work with what it supposed to work password + OTP.
Can you make it working on Fedora 24 or CentOS 7.2? I.e. on the
platforms where we know it works for sure (for me, at least).

This would allow us to reduce problem space to the client side.

>My /etc/ssh/sshd_conf file has almost everything default  except i
>added these two lines at the end of it
>
>Match Group testusergroup
>
>   AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
>
>i also tried with below but no luck
>
>Match Group testusergroup
>
> AuthenticationMethods publickey,keyboard-interactive
>
>
>my /etc/pam.d/sshd has these two changes, rest i kept default:
>
>
># Standard Un*x authentication.
>
>#@include common-auth
>
>
>auth required pam_sss.so
>
>
>Now when i try to ssh into ipa client i either keep getting promptS for
>the password or it gets into a loop asking me to change the password
>;complaining falsely that it has expired. I have tried multiple
>combinations of configurations by referring earlier email threads but
>none i found helpful. I cant make simple 2FA login to work with
>freeIPA. Normal password and key works just fine. its the 2FA which
>does not work for me.
>
>
>Would really be thankful if some one can help me with this issue.. is
>there any good freeIPA 2FA configuration document that i can refer?
>
>What should the steps for it work seamlessly?
>
>
>Many Thanks,
>
>Deepak
>

>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
Freeipa-users Info Page - Red 
Hat<https://www.redhat.com/mailman/listinfo/freeipa-users>
www.redhat.com
Freeipa-users -- List dedicated to discussions about use, configuration and 
deployment of the IPA server. About Freeipa-users



>Go to http://freeipa.org for more info on the project


--
/ Alexander Bokovoy
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-23 Thread Deepak Dimri

Hi All,


I am trying hard to get my 2FA working with FreeIPA but every effort of mine 
going waste! I have referred earlier forum emails but could not find any good 
reply on the issue i am facing.


This is what i am trying


I have a test user created in my IPA server enabled with Two factor 
authentication (password + OTP) and has ssh public key added in its profile.  I 
want this test user to ssh into my ipa client (ubuntu 14.04) using  key + 
password + OTP. I woudl ceryainly prefer just the key+  OTP only ( no password) 
but that seems far sighted as i cannot even make it work with what it supposed 
to work password + OTP.


My /etc/ssh/sshd_conf file has almost everything default  except i added these 
two lines at the end of it

Match Group testusergroup

   AuthenticationMethods publickey,password:pam 
publickey,keyboard-interactive:pam

i also tried with below but no luck

Match Group testusergroup

 AuthenticationMethods publickey,keyboard-interactive


my /etc/pam.d/sshd has these two changes, rest i kept default:


# Standard Un*x authentication.

#@include common-auth


auth required pam_sss.so


Now when i try to ssh into ipa client i either keep getting promptS for the 
password or it gets into a loop asking me to change the password ;complaining 
falsely that it has expired. I have tried multiple combinations of 
configurations by referring earlier email threads but none i found helpful. I 
cant make simple 2FA login to work with freeIPA. Normal password and key works 
just fine. its the 2FA which does not work for me.


Would really be thankful if some one can help me with this issue.. is there any 
good freeIPA 2FA configuration document that i can refer?

What should the steps for it work seamlessly?


Many Thanks,

Deepak

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-22 Thread Sumit Bose
On Thu, Sep 22, 2016 at 08:17:21AM +, Deepak Dimri wrote:
> Hi All,
> 
> 
> I am trying hard to get my 2FA working with FreeIPA but every effort of mine 
> going waste! I have referred earlier forum emails but could not find any good 
> reply on the issue i am facing.
> 
> 
> This is what i am trying
> 
> 
> I have a test user created in my IPA server enabled with Two factor 
> authentication (password + OTP) and has ssh public key added in its profile.  
> I want this test user to ssh into my ipa client (ubuntu 14.04) using  key + 
> password + OTP. I woudl ceryainly prefer just the key+  OTP only ( no 
> password) but that seems far sighted as i cannot even make it work with what 
> it supposed to work password + OTP.
> 
> 
> My /etc/ssh/sshd_conf file has almost everything default  except i added 
> these two lines at the end of it
> 
> Match Group testusergroup
> 
>AuthenticationMethods publickey,password:pam 
> publickey,keyboard-interactive:pam
> 
> i also tried with below but no luck
> 
> Match Group testusergroup
> 
>  AuthenticationMethods publickey,keyboard-interactive
> 
> 
> my /etc/pam.d/sshd has these two changes, rest i kept default:
> 
> 
> # Standard Un*x authentication.
> 
> #@include common-auth
> 
> 
> auth required pam_sss.so
> 
> 
> Now when i try to ssh into ipa client i either keep getting promptS for the 
> password or it gets into a loop asking me to change the password ;complaining 
> falsely that it has expired. I have tried multiple combinations of 
> configurations by referring earlier email threads but none i found helpful. I 
> cant make simple 2FA login to work with freeIPA. Normal password and key 
> works just fine. its the 2FA which does not work for me.
> 
> 
> Would really be thankful if some one can help me with this issue.. is there 
> any good freeIPA 2FA configuration document that i can refer?

Please add debug_level=10 to the [pam] and [domain/...] section of
sssd.conf, restart SSSD, re-run the authentication and send the
generated debug logs together with your sssd.conf and the full
/etc/pam.d/sshd. Please see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

> 
> What should the steps for it work seamlessly?

In general it should work out of the box with SSSD's ipa provider.

bye,
Sumit

> 
> 
> Many Thanks,
> 
> Deepak
> 

> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] key + 2FA (password+OTP) is not working

2016-09-22 Thread Deepak Dimri
Hi All,


I am trying hard to get my 2FA working with FreeIPA but every effort of mine 
going waste! I have referred earlier forum emails but could not find any good 
reply on the issue i am facing.


This is what i am trying


I have a test user created in my IPA server enabled with Two factor 
authentication (password + OTP) and has ssh public key added in its profile.  I 
want this test user to ssh into my ipa client (ubuntu 14.04) using  key + 
password + OTP. I woudl ceryainly prefer just the key+  OTP only ( no password) 
but that seems far sighted as i cannot even make it work with what it supposed 
to work password + OTP.


My /etc/ssh/sshd_conf file has almost everything default  except i added these 
two lines at the end of it

Match Group testusergroup

   AuthenticationMethods publickey,password:pam 
publickey,keyboard-interactive:pam

i also tried with below but no luck

Match Group testusergroup

 AuthenticationMethods publickey,keyboard-interactive


my /etc/pam.d/sshd has these two changes, rest i kept default:


# Standard Un*x authentication.

#@include common-auth


auth required pam_sss.so


Now when i try to ssh into ipa client i either keep getting promptS for the 
password or it gets into a loop asking me to change the password ;complaining 
falsely that it has expired. I have tried multiple combinations of 
configurations by referring earlier email threads but none i found helpful. I 
cant make simple 2FA login to work with freeIPA. Normal password and key works 
just fine. its the 2FA which does not work for me.


Would really be thankful if some one can help me with this issue.. is there any 
good freeIPA 2FA configuration document that i can refer?

What should the steps for it work seamlessly?


Many Thanks,

Deepak

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project