Re: [Freeipa-users] key + 2FA (password+OTP) is not working
On Fri, 23 Sep 2016, Deepak Dimri wrote:
> Hi Alexander,
>
> I somehow managed to try it on fedora and it did work fine for me.. Now is there any way I can restrict the login to OTP only? and not password + OTP?

No, this is not supported. OTP value only is not secure enough (6 digits by default, really low entropy).

> Best Regards,
> Deepak
>
> From: Alexander Bokovoy
> Sent: Friday, September 23, 2016 3:25 AM
> To: Deepak Dimri
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
On Fri, 23 Sep 2016, Deepak Dimri wrote:
> Hi Alexander,
>
> I am using AWS to do a pilot on freeIPA & unfortunately AWS does not provide fedora or centos as part of its free tier setup so I have to live with ubuntu, redhat, suse etc. I have the same problem with ubuntu and redhat though!

CentOS 7 is available and eligible for free tier: https://aws.amazon.com/marketplace/pp/B00O7WM7QW

> Just one basic question.. what are the steps I should be following to make it work assuming I am trying on centos or fedora

Literally what you describe in your setup, except that 'password:pam' seems to be broken in OpenSSH -- given that you are using PAM already for password checks, removing :pam should just work.

It works for me with

    Match Group twofa
        AllowGroups twofa
        AuthenticationMethods publickey,password publickey,keyboard-interactive

as the last statement in the sshd_config.

Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
...
Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: sshpam_passwd_conv called with 2 messages
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: request received
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query start
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: user query end: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind start: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: bind end: success
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foo...@ipa.ad.test: response sent: Access-Accept
Sep 23 11:56:10 f24-master.ipa.ad.test audit[2965]: USER_AUTH pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.136 user=foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_answer_authpassword: sending result 1
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 13
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication methods list 0 complete
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive_expect entering: type 102
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive entering
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: do_pam_account: called
Sep 23 11:56:12 f24-master.ipa.ad.test audit[2965]: USER_ACCT pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 103
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: monitor_child_preauth: foobar has been authenticated by privileged process

The first line above says that the publickey method was successful but not enough to allow login (partial) because password is also required. The client got a request to enter the password+OTP value.

As you can see the user is only allowed to login with an OTP token.

$ ssh foobar@192.168.5.117
foobar@192.168.5.117's password:
Last login: Fri Sep 23 11:49:17 2016
-sh-4.3$ id
uid=903200044(foobar) gid=903200044(foobar) groups=903200044(foobar),903200046(twofa) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:903200044:krb_ccache_Dk553LV
Default principal: foo...@ipa.ad.test

Valid starting       Expires              Service principal
09/23/2016 11:56:08  09/24/2016 11:56:08  krbtgt/ipa.ad.t...@ipa.ad.test
-sh-4.3$ ipa user-show foobar
  User login: foobar
  First name: Test
  Last name: Foo
  Home directory: /home/foobar
  Login shell: /bin/sh
  Principal name: foo...@ipa.ad.test
  Principal alias: foo...@ipa.ad.test
  Email address: foo...@ipa.ad.test
  UID: 903200044
  GID: 903200044
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: twofa, ipausers
  Kerb
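Alexander's reading of the log above (publickey reported as "partial", then the PAM conversation, then ipa-otpd's Access-Accept, then "Accepted password") is the evidence chain worth checking on every login, because sshd's own "Accepted password" line looks the same whether the PAM conversation carried a plain password or password+OTP. The script below is an added example and not code from the thread, from FreeIPA or from OpenSSH: it groups sshd records by pid, notes whether the session passed the partial publickey step, and correlates the accepted login with an ipa-otpd Access-Accept for the same principal. The log lines are constructed after the ones quoted above (the archive's e-mail obfuscation undone, plus a second constructed session for a user that never presented a key); matching the principal's local part to the sshd user name and comparing same-day timestamps as strings are simplifying assumptions.

```python
"""Correlate sshd and ipa-otpd log lines to tell key+OTP logins from
single-method ones.  Added example; sample lines are constructed."""
import re

# "Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
# ipa-otpd logs the Kerberos principal, e.g. "foobar@ipa.ad.test: response sent: Access-Accept"
OTPD_RE = re.compile(r"^(?P<principal>[^@\s]+)@\S+: response sent: Access-Accept$")

# Constructed after the thread's log excerpt; pid 3100 is an added session.
SAMPLE_LINES = [
    "Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial",
    "...",
    "Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: sshpam_passwd_conv called with 2 messages",
    "Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar@ipa.ad.test: request received",
    "Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar@ipa.ad.test: response sent: Access-Accept",
    "Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.136 user=foobar",
    "Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2",
    # constructed: a login that never went through publickey and had no OTP round-trip
    "Sep 23 12:03:01 f24-master.ipa.ad.test sshd[3100]: Accepted password for alice from 192.168.5.140 port 40102 ssh2",
]


def parse(lines):
    """Yield parsed syslog records; lines that do not match (e.g. '...') are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def audit_sessions(lines):
    """Group sshd records by (host, pid) and record the authentication steps seen.
    Returns {(host, pid): {"publickey_partial", "otp_accept", "accepted", "user"}}."""
    sessions = {}
    otp_ok = {}  # principal local part -> timestamps of ipa-otpd Access-Accept
    for rec in parse(lines):
        msg = rec["msg"]
        if rec["prog"] == "ipa-otpd":
            m = OTPD_RE.match(msg)
            if m:
                otp_ok.setdefault(m.group("principal"), []).append(rec["ts"])
            continue
        if rec["prog"] != "sshd":
            continue
        s = sessions.setdefault((rec["host"], rec["pid"]),
                                {"publickey_partial": False, "otp_accept": False,
                                 "accepted": None, "user": None})
        if msg.endswith("monitor_child_preauth: method publickey: partial"):
            s["publickey_partial"] = True
        m = ACCEPTED_RE.match(msg)
        if m:
            s["accepted"] = m.group("method")
            s["user"] = m.group("user")
            # Assumption: same-day syslog timestamps, so string order is time order.
            s["otp_accept"] = any(ts <= rec["ts"] for ts in otp_ok.get(m.group("user"), []))
    return sessions


def classify(session):
    """Name the factor combination a session demonstrably passed, or None if no login."""
    if session["accepted"] is None:
        return None
    if session["publickey_partial"] and session["otp_accept"]:
        return "key+otp"
    if session["publickey_partial"]:
        return "key+password, no OTP evidence"
    return "single method"


def report(lines):
    """List (user, pid, verdict) for every accepted login in file order."""
    out = []
    for (_host, pid), s in audit_sessions(lines).items():
        verdict = classify(s)
        if verdict is not None:
            out.append((s["user"], pid, verdict))
    return out


if __name__ == "__main__":
    for user, pid, verdict in report(SAMPLE_LINES):
        print(f"sshd[{pid}] {user}: {verdict}")
```

Run against a real host's journal, the "single method" verdict is the one to alert on: it means an account reached "Accepted" without the partial publickey step, i.e. the Match block did not apply to it. Where ipa-otpd runs on the IPA server rather than the SSH client, feed both hosts' logs into the same call; the correlation is by principal, not by host.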
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
Hi Alexander,

I somehow managed to try it on fedora and it did work fine for me.. Now is there any way I can restrict the login to OTP only? and not password + OTP?

Best Regards,
Deepak

From: Alexander Bokovoy
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
Hi Alexander,

I am using AWS to do a pilot on freeIPA & unfortunately AWS does not provide fedora or centos as part of its free tier setup so I have to live with ubuntu, redhat, suse etc. I have the same problem with ubuntu and redhat though!

Just one basic question.. what are the steps I should be following to make it work assuming I am trying on centos or fedora

regards,
Deepak

From: Alexander Bokovoy
Sent: Friday, September 23, 2016 3:25 AM
To: Deepak Dimri
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] key + 2FA (password+OTP) is not working
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
On Fri, 23 Sep 2016, Deepak Dimri wrote:
> Hi All,
>
> I am trying hard to get my 2FA working with FreeIPA but every effort of mine is going to waste! I have referred to earlier forum emails but could not find any good reply on the issue I am facing.
>
> This is what I am trying:
>
> I have a test user created in my IPA server enabled with two factor authentication (password + OTP) and it has an ssh public key added in its profile. I want this test user to ssh into my ipa client (ubuntu 14.04) using key + password + OTP. I would certainly prefer just the key + OTP only (no password) but that seems far sighted as I cannot even make it work with what is supposed to work, password + OTP.

Can you make it work on Fedora 24 or CentOS 7.2? I.e. on the platforms where we know it works for sure (for me, at least). This would allow us to reduce the problem space to the client side.

> My /etc/ssh/sshd_conf file has almost everything default except I added these two lines at the end of it:
>
>     Match Group testusergroup
>         AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
> I also tried with the below but no luck:
>
>     Match Group testusergroup
>         AuthenticationMethods publickey,keyboard-interactive
>
> My /etc/pam.d/sshd has these two changes, rest I kept default:
>
>     # Standard Un*x authentication.
>     #@include common-auth
>     auth required pam_sss.so
>
> Now when I try to ssh into the ipa client I either keep getting prompts for the password or it gets into a loop asking me to change the password, complaining falsely that it has expired. I have tried multiple combinations of configurations by referring to earlier email threads but none I found helpful. I can't make simple 2FA login work with freeIPA. Normal password and key works just fine. It's the 2FA which does not work for me.
>
> Would really be thankful if someone can help me with this issue.. is there any good freeIPA 2FA configuration document that I can refer to?
>
> What should the steps be for it to work seamlessly?
>
> Many Thanks,
> Deepak

--
/ Alexander Bokovoy
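Deepak's two Match blocks above and the one Alexander reports working in his later reply (higher up on this page: publickey,password publickey,keyboard-interactive, with no :pam suffix) differ in a detail that is easy to miss by eye. The linter below is an added example and not code from the thread, FreeIPA or OpenSSH: it parses an sshd_config, and for every Match block checks that each AuthenticationMethods chain requires publickey plus a PAM-backed step and carries no :pam suffix; it also checks that UsePAM is on, since password and keyboard-interactive only reach pam_sss through PAM. Both sample configs are constructed after the ones in the thread, and the list of methods treated as PAM-backed is this example's assumption.

```python
"""Lint sshd_config Match blocks for the key + PAM-factor pattern discussed in
the thread.  Added example; sample configs are constructed."""
import re

# Constructed after Deepak's quoted sshd_config: defaults elsewhere, plus the Match block.
DEEPAK_CFG = """\
UsePAM yes
Match Group testusergroup
    AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
"""

# Constructed after the block Alexander reports working.
WORKING_CFG = """\
UsePAM yes
Match Group twofa
    AllowGroups twofa
    AuthenticationMethods publickey,password publickey,keyboard-interactive
"""

DIRECTIVE_RE = re.compile(r"^(\S+)[\s=]+(.*)$")  # 'Keyword value' or 'Keyword=value'


def parse_sshd_config(text):
    """Split sshd_config text into global directives and Match blocks.
    Returns (global_dirs, blocks): directives are (keyword_lower, value) pairs,
    blocks are (match_criteria, [directives]) in file order.  Everything after a
    Match line belongs to that block until the next Match line, as in sshd."""
    global_dirs, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        kw, val = m.group(1).lower(), m.group(2).strip()
        if kw == "match":
            current = (val, [])
            blocks.append(current)
        elif current is not None:
            current[1].append((kw, val))
        else:
            global_dirs.append((kw, val))
    return global_dirs, blocks


def check_two_factor(text, pam_steps=("password", "keyboard-interactive")):
    """Return (scope, message) findings for configuration that would not enforce
    key + PAM-backed (password+OTP) login.  pam_steps is this example's assumption
    about which sshd methods are handed to PAM when UsePAM is yes."""
    findings = []
    global_dirs, blocks = parse_sshd_config(text)
    if not any(k == "usepam" and v.lower() == "yes" for k, v in global_dirs):
        findings.append(("global", "UsePAM is not 'yes'; password/keyboard-interactive will not reach pam_sss"))
    if not blocks:
        findings.append(("global", "no Match block present to set AuthenticationMethods"))
    for criteria, dirs in blocks:
        am = [v for k, v in dirs if k == "authenticationmethods"]
        if not am:
            findings.append((criteria, "Match block sets no AuthenticationMethods"))
            continue
        for chain in am[-1].split():      # space-separated alternatives ...
            steps = chain.split(",")       # ... each a comma-separated sequence
            if any(s.endswith(":pam") for s in steps):
                findings.append((criteria, f"chain '{chain}' uses the ':pam' suffix; drop it"))
            names = [s.split(":", 1)[0] for s in steps]
            if "publickey" not in names:
                findings.append((criteria, f"chain '{chain}' does not require publickey"))
            if not any(n in pam_steps for n in names):
                findings.append((criteria, f"chain '{chain}' has no PAM-backed step"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("deepak", DEEPAK_CFG), ("working", WORKING_CFG)):
        print(label, check_two_factor(cfg) or "OK")
```

The linter reads the file as written; to see what sshd itself will apply to a given connection (including which Match block wins), run `sshd -T -C user=foobar,host=client.example.test,addr=192.168.5.136 | grep -i authenticationmethods` on the client host with the user, host name and address substituted.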
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
Hi All,

I am trying hard to get my 2FA working with FreeIPA but every effort of mine is going to waste! I have referred to earlier forum emails but could not find any good reply on the issue I am facing.

This is what I am trying:

I have a test user created in my IPA server enabled with two factor authentication (password + OTP) and it has an ssh public key added in its profile. I want this test user to ssh into my ipa client (ubuntu 14.04) using key + password + OTP. I would certainly prefer just the key + OTP only (no password) but that seems far sighted as I cannot even make it work with what is supposed to work, password + OTP.

My /etc/ssh/sshd_conf file has almost everything default except I added these two lines at the end of it:

    Match Group testusergroup
        AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam

I also tried with the below but no luck:

    Match Group testusergroup
        AuthenticationMethods publickey,keyboard-interactive

My /etc/pam.d/sshd has these two changes, rest I kept default:

    # Standard Un*x authentication.
    #@include common-auth
    auth required pam_sss.so

Now when I try to ssh into the ipa client I either keep getting prompts for the password or it gets into a loop asking me to change the password, complaining falsely that it has expired. I have tried multiple combinations of configurations by referring to earlier email threads but none I found helpful. I can't make simple 2FA login work with freeIPA. Normal password and key works just fine. It's the 2FA which does not work for me.

Would really be thankful if someone can help me with this issue.. is there any good freeIPA 2FA configuration document that I can refer to?

What should the steps be for it to work seamlessly?

Many Thanks,
Deepak
Re: [Freeipa-users] key + 2FA (password+OTP) is not working
On Thu, Sep 22, 2016 at 08:17:21AM +, Deepak Dimri wrote:
> Hi All,
>
> I am trying hard to get my 2FA working with FreeIPA but every effort of mine is going to waste! I have referred to earlier forum emails but could not find any good reply on the issue I am facing.
>
> This is what I am trying:
>
> I have a test user created in my IPA server enabled with two factor authentication (password + OTP) and it has an ssh public key added in its profile. I want this test user to ssh into my ipa client (ubuntu 14.04) using key + password + OTP. I would certainly prefer just the key + OTP only (no password) but that seems far sighted as I cannot even make it work with what is supposed to work, password + OTP.
>
> My /etc/ssh/sshd_conf file has almost everything default except I added these two lines at the end of it:
>
>     Match Group testusergroup
>         AuthenticationMethods publickey,password:pam publickey,keyboard-interactive:pam
>
> I also tried with the below but no luck:
>
>     Match Group testusergroup
>         AuthenticationMethods publickey,keyboard-interactive
>
> My /etc/pam.d/sshd has these two changes, rest I kept default:
>
>     # Standard Un*x authentication.
>     #@include common-auth
>     auth required pam_sss.so
>
> Now when I try to ssh into the ipa client I either keep getting prompts for the password or it gets into a loop asking me to change the password, complaining falsely that it has expired. I have tried multiple combinations of configurations by referring to earlier email threads but none I found helpful. I can't make simple 2FA login work with freeIPA. Normal password and key works just fine. It's the 2FA which does not work for me.
>
> Would really be thankful if someone can help me with this issue.. is there any good freeIPA 2FA configuration document that I can refer to?

Please add debug_level=10 to the [pam] and [domain/...] section of sssd.conf, restart SSSD, re-run the authentication and send the generated debug logs together with your sssd.conf and the full /etc/pam.d/sshd. Please see https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

> What should the steps be for it to work seamlessly?

In general it should work out of the box with SSSD's ipa provider.

bye,
Sumit

> Many Thanks,
> Deepak