patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-30 Thread Nick Owen
Greetings:

We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option
'always prompt' in the attached code.  This will force a 'WiKID
Passcode:' prompt regardless of any previous password entry. This can
be changed, of course.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite     /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
   DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option);
 
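Review bot: `ctrl |= PAM_ALWAYS_PROMPT` references a control bit that this diff never defines; the hunk that adds it next to the module's other PAM_* flags (with a value that does not collide with them) is missing, so the patch is not self-contained and will not build as posted. As pasted, the option name in `strcmp(*argv, always_prompt)` has also lost its surrounding double quotes, so anyone applying this by hand should work from the attached file rather than the mail body.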
1134,1136c1138,1149
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   DPRINT(LOG_DEBUG, Should prompt for the passcode now...);
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   DPRINT(LOG_DEBUG, Got passcode %s, password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
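Review bot: `DPRINT(LOG_DEBUG, Got passcode %s, password)` sends the user's one-time passcode to syslog whenever debugging is on; log that a passcode was received (or its length), never the value, since a debug option left enabled in production puts every OTP, and anything a user mistypes at that prompt, into the logs. In the same branch `password = strdup(password)` runs before `PAM_FAIL_CHECK`, so a failed or aborted conversation reaches strdup() with whatever `password` holds, NULL included; check `retval` directly after rad_converse and copy only on success. (The `&` in `ctrl & PAM_ALWAYS_PROMPT` and before the `password` arguments has been stripped in this copy of the hunk.)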
1149c1162
 
---
 
1154d1166
 
124a125,127
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
 
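Review bot: this second diff repeats the first with the DPRINT lines removed, which is the variant to submit, but sending both in one message with no file header or `diff -u` context leaves the reader to guess which applies to which pam_radius version; send one unified diff against a stated release, and add an `always_prompt` entry to the module's option documentation saying that it discards the stacked PAM_AUTHTOK and prompts for a passcode instead.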
1134,1136c1137,1146
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
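Review bot: `password = strdup(password)` after rad_converse is carried over from the pam_get_item branch, where a copy is needed because PAM owns the item; rad_converse fills `password` with the conversation response, and if that buffer already belongs to the module, this strdup produces a second copy of the passcode that is never wiped or freed. Check who owns what rad_converse hands back; if it is the module's own buffer, drop the strdup here and keep only the PAM_FAIL_CHECK, moved up so it runs before any copy is made.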
1149c1159
 
---
 
1154d1163
 
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
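The decision the always_prompt option implements, as an added stand-alone example that is not pam_radius code and not part of Nick's post: a model of how a PAM module turns its /etc/pam.d option words into control bits and then chooses between the token an earlier module stacked in PAM_AUTHTOK and a fresh prompt. The names CTRL_*, conv_fn, parse_ctrl, fetch_passcode, wipe_free and fake_conv are this example's own, and the conversation callback is simulated in-process so the code runs without libpam. It also handles the two points a reviewer would raise against the patch: the conversation result is checked before anything is copied, and the secret is never written to a log.

```c
/* Added example (not pam_radius code): model of PAM option parsing and of the
 * "reuse the stacked token or prompt" decision behind always_prompt.  All
 * names below are this example's own; the conversation is simulated. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CTRL_DEBUG          0x01u
#define CTRL_USE_FIRST_PASS 0x02u   /* only use a stacked token, never prompt */
#define CTRL_ALWAYS_PROMPT  0x04u   /* ignore the stacked token, always prompt */

/* Stand-in for the pam_conv callback: prompt in, heap-allocated answer out,
 * NULL if the conversation fails. */
typedef char *(*conv_fn)(const char *prompt, void *appdata);

/* Zero a secret before freeing it; the volatile pointer keeps the compiler
 * from dropping the stores as dead. */
void wipe_free(char *s)
{
    if (s == NULL)
        return;
    volatile char *p = (volatile char *)s;
    for (size_t n = strlen(s); n > 0; n--)
        *p++ = 0;
    free(s);
}

/* Map the option words from /etc/pam.d/<service> to control bits, the way
 * pam_sm_authenticate() receives them in argc/argv. */
unsigned parse_ctrl(int argc, const char **argv)
{
    unsigned ctrl = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0)
            ctrl |= CTRL_DEBUG;
        else if (strcmp(argv[i], "use_first_pass") == 0)
            ctrl |= CTRL_USE_FIRST_PASS;
        else if (strcmp(argv[i], "always_prompt") == 0)
            ctrl |= CTRL_ALWAYS_PROMPT;
        else
            fprintf(stderr, "ignoring unknown option: %s\n", argv[i]);
    }
    return ctrl;
}

/* Choose the credential to send to the RADIUS server.
 *   stacked: what an earlier module left in PAM_AUTHTOK (NULL if nothing).
 * Returns a heap buffer the caller wipes with wipe_free(), or NULL on failure. */
char *fetch_passcode(unsigned ctrl, const char *stacked, conv_fn conv, void *appdata)
{
    if (!(ctrl & CTRL_ALWAYS_PROMPT)) {
        if (stacked != NULL)
            return strdup(stacked);           /* reuse the earlier password */
        if (ctrl & CTRL_USE_FIRST_PASS)
            return NULL;                      /* nothing stacked, prompting forbidden */
    }

    const char *prompt = (ctrl & CTRL_ALWAYS_PROMPT) ? "WiKID Passcode: " : "Password: ";
    char *answer = conv(prompt, appdata);
    if (answer == NULL)
        return NULL;                          /* failed conversation: nothing to copy */
    if (ctrl & CTRL_DEBUG)                    /* log the fact, never the value */
        fprintf(stderr, "got %zu-character passcode from user\n", strlen(answer));
    return answer;                            /* already our own heap buffer: no second copy */
}

/* Simulated user for demonstration: answers every prompt with `answer`,
 * or fails the conversation when answer is NULL. */
struct fake_user {
    const char *answer;
    const char *last_prompt;
};

char *fake_conv(const char *prompt, void *appdata)
{
    struct fake_user *u = appdata;
    u->last_prompt = prompt;
    return u->answer ? strdup(u->answer) : NULL;
}

int main(void)
{
    const char *opts[] = { "always_prompt", "debug" };
    unsigned ctrl = parse_ctrl(2, opts);
    struct fake_user user = { "482913", NULL };     /* constructed sample OTP */

    /* pam_krb5 has already stacked the AD password; always_prompt ignores it */
    char *code = fetch_passcode(ctrl, "ADpassw0rd!", fake_conv, &user);
    printf("prompt shown: \"%s\"  credential sent to RADIUS: %s\n", user.last_prompt, code);
    wipe_free(code);
    return 0;
}
```

With always_prompt the stacked AD password is never sent to RADIUS, which is the behaviour the customer wanted; without it the function falls back to the ordinary use-the-stacked-token logic, and use_first_pass with nothing stacked fails cleanly instead of prompting.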

Re: patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-30 Thread Alexander Clouter
Nick Owen no...@wikidsystems.com wrote:
 
> We recently had a customer that wanted to check a password against AD
> via kerberos and then a one-time passcode against a WiKID Strong
> Authentication server via radius.  We found that PAM passed the AD
> password to our OTP server, which failed.  We have added a pam option
> 'always prompt' in the attached code.  This will force a 'WiKID
> Passcode:' prompt regardless of any previous password entry. This can
> be changed, of course.

Better to lead with the OTP as then you fend off brute force and 
dictionary attacks.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.

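Alexander's point about ordering, as an added stand-alone example that is not part of either post and not Linux-PAM or pam_radius code: a small model of how an auth stack is walked, run over the thread's password-then-OTP order and over the OTP-first order he suggests. The fake KDC and fake RADIUS server only count how many guesses reach them; run_stack, try_login, struct stats and the sample user, password and OTP are all this example's own construction.

```c
/* Added example (not Linux-PAM or pam_radius code): walk a PAM auth stack in
 * both orders and count which backend sees an attacker's guesses. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS  0
#define PAM_AUTH_ERR 7

enum control { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL };

struct stats {
    int kdc_attempts;     /* password guesses that reached the fake KDC */
    int radius_attempts;  /* passcodes that reached the fake RADIUS server */
};

struct creds {
    const char *user;
    const char *password; /* typed at the pam_krb5 prompt */
    const char *otp;      /* typed at the WiKID Passcode: prompt */
};

typedef int (*auth_fn)(const struct creds *c, struct stats *st);

struct entry {
    enum control control;
    auth_fn module;
};

/* Constructed sample account: alice, AD password "correct horse", OTP 482913. */
static int fake_pam_krb5(const struct creds *c, struct stats *st)
{
    st->kdc_attempts++;
    return (strcmp(c->user, "alice") == 0 && strcmp(c->password, "correct horse") == 0)
               ? PAM_SUCCESS : PAM_AUTH_ERR;
}

static int fake_pam_radius(const struct creds *c, struct stats *st)
{
    st->radius_attempts++;
    return (strcmp(c->user, "alice") == 0 && strcmp(c->otp, "482913") == 0)
               ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Walk the stack with the four classic control keywords:
 *   required   - a failure is remembered but later modules still run
 *   requisite  - a failure ends the stack at once
 *   sufficient - a success ends the stack unless a required module already failed
 *   optional   - counts only if no required/requisite module ran */
int run_stack(const struct entry *stack, size_t n, const struct creds *c, struct stats *st)
{
    int required_failure = PAM_SUCCESS; /* first failure from a required module */
    int optional_result = PAM_AUTH_ERR;
    int decisive_ran = 0;

    for (size_t i = 0; i < n; i++) {
        int rc = stack[i].module(c, st);
        switch (stack[i].control) {
        case REQUIRED:
            decisive_ran = 1;
            if (rc != PAM_SUCCESS && required_failure == PAM_SUCCESS)
                required_failure = rc;
            break;
        case REQUISITE:
            decisive_ran = 1;
            if (rc != PAM_SUCCESS)
                return required_failure != PAM_SUCCESS ? required_failure : rc;
            break;
        case SUFFICIENT:
            if (rc == PAM_SUCCESS && required_failure == PAM_SUCCESS)
                return PAM_SUCCESS;
            break;
        case OPTIONAL:
            optional_result = rc;
            break;
        }
    }
    if (required_failure != PAM_SUCCESS)
        return required_failure;
    return decisive_ran ? PAM_SUCCESS : optional_result;
}

/* Run one login attempt through either order; returns the attempt counters
 * and stores the stack's verdict in *result. */
struct stats try_login(int otp_first, const struct creds *c, int *result)
{
    /* the thread's /etc/pam.d/sshd: krb5 required, then radius requisite */
    const struct entry page_order[] = {
        { REQUIRED,  fake_pam_krb5 },
        { REQUISITE, fake_pam_radius },
    };
    /* Alexander's suggestion: OTP first, as requisite */
    const struct entry otp_first_order[] = {
        { REQUISITE, fake_pam_radius },
        { REQUIRED,  fake_pam_krb5 },
    };
    struct stats st = { 0, 0 };
    *result = run_stack(otp_first ? otp_first_order : page_order, 2, c, &st);
    return st;
}

int main(void)
{
    /* constructed attacker attempt: a dictionary password, no valid OTP */
    struct creds guess = { "alice", "Summer2011", "000000" };
    int rc;
    struct stats a = try_login(0, &guess, &rc);
    printf("password first: rc=%d kdc_attempts=%d radius_attempts=%d\n",
           rc, a.kdc_attempts, a.radius_attempts);
    struct stats b = try_login(1, &guess, &rc);
    printf("otp first:      rc=%d kdc_attempts=%d radius_attempts=%d\n",
           rc, b.kdc_attempts, b.radius_attempts);
    return 0;
}
```

Both orders reject the attempt, so the PAM verdict alone does not tell the attacker which factor was wrong; the difference is where the guess lands. In the page's order every dictionary entry is a real authentication against the KDC, so AD sees (and applies lockout policy to) each one, while with the OTP requisite in front a password guess never reaches the KDC unless the attacker already holds a valid passcode. The RADIUS server absorbs the guesses instead, which is the cheaper place for them to land since a one-time passcode expires on its own.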


patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

2011-06-29 Thread Nick Owen
We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option
'always prompt' in the attached code.  This will force a 'WiKID
Passcode:' prompt regardless of any previous password entry.

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite    /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
124a125,128
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
   DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option);
 
1134,1136c1138,1149
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   DPRINT(LOG_DEBUG, Should prompt for the passcode now...);
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   DPRINT(LOG_DEBUG, Got passcode %s, password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
1149c1162
 
---
 
1154d1166
 
124a125,127
 } else if (!strcmp(*argv, always_prompt)) {
   ctrl |= PAM_ALWAYS_PROMPT;
 
1134,1136c1137,1146
   /* grab the password (if any) from the previous authentication layer */
   retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
   PAM_FAIL_CHECK;
---
   /* if always_propmpt is specified grab the passcode from the user */
   if ((ctrl  PAM_ALWAYS_PROMPT)) {
   retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password);
   password = strdup(password);
   PAM_FAIL_CHECK;
   } else {
 /* grab the password (if any) from the previous authentication layer */
 retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password);
 PAM_FAIL_CHECK;
   }
1149c1159
 
---
 
1154d1163
 