patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
Greetings:

We recently had a customer that wanted to check a password against AD via kerberos and then a one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option always prompt in the attached code. This will force a WiKID passcode: prompt regardless of any previous password entry. This can be changed, of course.

The /etc/pam.d/sshd file looks like:

Here's the /etc/pam.d/sshd:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite    /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.

The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication 124a125,128 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option); 1134,1136c1138,1149 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { DPRINT(LOG_DEBUG, Should prompt for the passcode now...); retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); DPRINT(LOG_DEBUG, Got passcode %s, password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1162 --- 1154d1166 124a125,127 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; 1134,1136c1137,1146 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1159 --- 1154d1163 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
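Review bot: the 124a125,128 hunk ORs a new PAM_ALWAYS_PROMPT bit into ctrl when the always_prompt argument is seen, but neither patch carries a hunk that defines PAM_ALWAYS_PROMPT, so the module will not build against a stock tree until that constant is added to the header with a bit value that does not collide with the control flags already defined there; please include that hunk, and add always_prompt to the module's option documentation so administrators know it overrides the password handed down by the previous module.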
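Review bot: in the 1134,1136c1138,1149 hunk the always_prompt branch runs "password = strdup(password);" before PAM_FAIL_CHECK, so a conversation that fails or is aborted and leaves password NULL reaches strdup(NULL) before retval is ever examined; move PAM_FAIL_CHECK (and a NULL test) ahead of the strdup, and check whether rad_converse already hands back a heap-allocated copy, in which case the extra strdup leaks the original. In the first patch variant, "DPRINT(LOG_DEBUG, "Got passcode %s", password);" writes the one-time passcode itself into the log; even behind a debug switch the secret should not be logged, so log only that a passcode was received. The comment also misspells the option as always_propmpt.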
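Review bot: the 1149c1162 and 1154d1166 hunks (1149c1159 and 1154d1163 in the second patch) show only their line ranges with no changed or deleted text, so the substitution at 1149 and the single-line deletion at 1154 cannot be reviewed or checked against the new else branch introduced at 1134; please regenerate both patches with "diff -u" so every hunk carries its context lines, which also lets patch apply cleanly to a tree whose line numbers have drifted from the version these offsets were taken against.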
Re: patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
Nick Owen no...@wikidsystems.com wrote:
> We recently had a customer that wanted to check a password against AD via kerberos and then an one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option always prompt in the attached code. This will force a WiKID passcode: prompt regardless of any previous password entry. This can be changed, of course.

Better to lead with the OTP as then you fend off brute force and dictionary attacks.

Cheers

-- 
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.
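The stacking behaviour discussed in this thread, as an added simulation that is not code from the thread, from pam_radius or from WiKID: a small Python model of a PAM auth stack in which a password module leaves its token in PAM_AUTHTOK and the RADIUS/OTP module, like the stock module Nick describes, reuses that token unless always_prompt is given. The module functions, the credentials, the conversation callbacks and the handling of the required/requisite control flags are all constructed for the simulation; it reproduces Nick's symptom (the AD password reaching the OTP check), the effect of always_prompt, and Alexander's point that putting the OTP first with requisite stops a wrong passcode before the password module ever evaluates a guess.

```python
from typing import Callable, Dict, List, Tuple

# Constructed credentials for the simulation only (not real secrets).
AD_PASSWORD = "ad-pass-123"
OTP_PASSCODE = "482913"

Conv = Callable[[str], str]  # prompt text -> what the user types back


class PamHandle:
    """Minimal stand-in for pam_handle_t: item store plus conversation callback."""

    def __init__(self, conv: Conv) -> None:
        self.items: Dict[str, str] = {}   # e.g. {"PAM_AUTHTOK": "..."}
        self.conv = conv
        self.prompts: List[str] = []      # every prompt shown to the user
        self.modules_run: List[str] = []  # modules that got to evaluate a credential

    def prompt_echo_off(self, text: str) -> str:
        self.prompts.append(text)
        return self.conv(text)


def krb5_auth(pamh: PamHandle, options: List[str]) -> bool:
    """Password module (hypothetical): prompts if needed, then leaves the
    token in PAM_AUTHTOK for the modules stacked after it."""
    pamh.modules_run.append("pam_krb5")
    password = pamh.items.get("PAM_AUTHTOK")
    if password is None:
        password = pamh.prompt_echo_off("Password: ")
        pamh.items["PAM_AUTHTOK"] = password
    return password == AD_PASSWORD


def radius_auth(pamh: PamHandle, options: List[str]) -> bool:
    """OTP module modelled on the thread: without always_prompt it reuses
    whatever PAM_AUTHTOK already holds, which is the reported failure."""
    pamh.modules_run.append("pam_radius_auth")
    if "always_prompt" in options:
        passcode = pamh.prompt_echo_off("WiKID Passcode: ")
    else:
        passcode = pamh.items.get("PAM_AUTHTOK")
        if passcode is None:
            passcode = pamh.prompt_echo_off("Password: ")
            pamh.items["PAM_AUTHTOK"] = passcode
    return passcode == OTP_PASSCODE


Module = Callable[[PamHandle, List[str]], bool]
StackEntry = Tuple[str, Module, List[str]]  # (control flag, module, options)


def run_auth_stack(stack: List[StackEntry], conv: Conv) -> Tuple[bool, PamHandle]:
    """Walk an auth stack with the two control flags used in the thread:
    'required' records a failure but keeps going; 'requisite' stops at once."""
    pamh = PamHandle(conv)
    ok = True
    for control, module, options in stack:
        if module(pamh, options):
            continue
        ok = False
        if control == "requisite":
            break
        if control != "required":
            raise ValueError(f"unsupported control flag: {control}")
    return ok, pamh


def honest_user(prompt: str) -> str:
    """Constructed user who types the right secret for each prompt."""
    return {"Password: ": AD_PASSWORD, "WiKID Passcode: ": OTP_PASSCODE}[prompt]


def scenario_stock() -> Tuple[bool, List[str]]:
    """Nick's stack without the patch: the AD password is reused as the passcode."""
    ok, pamh = run_auth_stack([("required", krb5_auth, []),
                               ("requisite", radius_auth, [])], honest_user)
    return ok, pamh.prompts


def scenario_always_prompt() -> Tuple[bool, List[str]]:
    """Nick's stack with always_prompt: the user is asked for both secrets."""
    ok, pamh = run_auth_stack([("required", krb5_auth, []),
                               ("requisite", radius_auth, ["always_prompt"])], honest_user)
    return ok, pamh.prompts


def scenario_password_first_bad_password() -> Tuple[bool, List[str]]:
    """Password first: a wrong password is still evaluated, and the OTP module still runs."""
    def guesser(prompt: str) -> str:
        return {"Password: ": "wrong-guess", "WiKID Passcode: ": OTP_PASSCODE}[prompt]
    ok, pamh = run_auth_stack([("required", krb5_auth, []),
                               ("requisite", radius_auth, ["always_prompt"])], guesser)
    return ok, pamh.modules_run


def scenario_otp_first_bad_otp() -> Tuple[bool, List[str]]:
    """Alexander's ordering: a wrong passcode ends the stack before pam_krb5 sees any password."""
    def guesser(prompt: str) -> str:
        return {"Password: ": AD_PASSWORD, "WiKID Passcode: ": "000000"}[prompt]
    ok, pamh = run_auth_stack([("requisite", radius_auth, ["always_prompt"]),
                               ("required", krb5_auth, [])], guesser)
    return ok, pamh.modules_run


if __name__ == "__main__":
    for name in ("scenario_stock", "scenario_always_prompt",
                 "scenario_password_first_bad_password", "scenario_otp_first_bad_otp"):
        print(name, globals()[name]())
```

The model deliberately omits use_first_pass/try_first_pass handling and the other control flags; the point it makes is narrow: once a module stores its token in PAM_AUTHTOK, every later module that looks there first will receive that token, so a second factor needs either its own prompt or a position in the stack before the password module.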