On Thu, Mar 09, 2017 at 10:12:09AM -0500, Mario Rossi wrote:
> Hi,
>
> I pulled the unofficial 1.15.1 el6 sssd and installed it today on a host
> where RSA securid is used (RSA + openldap). I am trying to log in to the
> server and I am getting (please note pam_unix fails but that's fine as we
> use ldap):
>
> Mar 9 09:17:38 barni sshd[7597]: error: PAM: Authentication failure for abcd from X.Y.86.223
> Mar 9 09:17:38 barni sshd[7597]: Connection closed by X.Y.86.223 port 40924 [preauth]
> Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
> Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): received for user abcd: 7 (Authentication failure)
> Mar 9 09:18:04 barni sshd[8012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
>
> I have reverted to 1.14.2 and it magically works :) Is there any
> functionality changed from 1.15.1 to 1.14.2 before I start enabling
> debugging and go through the logs? The only service needing 2FA is sshd so
> I use a separate system-auth-ac file. With 1.15.1 I get prompted for 2FA each
> time so it does not go to LDAP password:
>
> 1.14.2:
> [gvasiliu@localhost Downloads]$ ssh -q barni
> Enter SecureKey:
> Password:
>
> 1.15.1:
> [gvasiliu@localhost Downloads]$ ssh -q barni
> Enter SecureKey:
> Enter SecureKey:
>
> https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0
> https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html#
>
> Could this be related to https://pagure.io/SSSD/sssd/issue/2984 ?

yes, this is possible. Please try to add 'prompt_always' to the pam_sss auth
line like

    auth sufficient pam_sss.so prompt_always

to tell pam_sss to prompt again for the password although there is one
already on the stack.

HTH

bye,
Sumit

>
> root@barni[/etc/pam.d]# cat sshd
> #%PAM-1.0
> auth required pam_securid.so reserve
> auth include system-auth-ac_new
> account required pam_nologin.so
> account include system-auth-ac_new
> password include system-auth-ac_new
> session optional pam_keyinit.so force revoke
> session include system-auth-ac_new
> session required pam_loginuid.so
>
> root@barni[/etc/pam.d]# cat system-auth-ac_new
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth sufficient pam_sss.so
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth required pam_deny.so
>
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> #account required pam_access.so
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account required pam_permit.so
>
> password sufficient pam_sss.so use_authtok
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password required pam_deny.so
>
> session optional pam_sss.so
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
>
> Thank you
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
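The following is an added example, not code from the thread or from the SSSD project. It flattens the sshd auth stack the way PAM does (following the `include` line into system-auth-ac_new), flags a `pam_sss.so` auth entry that is stacked after another auth module (here pam_securid) without `prompt_always`, which is the situation Sumit's reply addresses, and shows the corrected file. The two configuration texts are constructed from the files quoted above (system-auth-ac_new trimmed to the lines that matter for the auth stack); the lint rule encodes the reply's advice as a heuristic and is an assumption of this example, not a check that SSSD ships.

```python
"""Lint a PAM auth stack for a pam_sss.so entry that may reuse a token
already placed on the stack by an earlier auth module.

Added example; not SSSD's code. The rule (a pam_sss.so auth entry that
follows another auth module should carry prompt_always) is taken from the
mailing-list reply and applied as a heuristic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed from the two /etc/pam.d files quoted in the thread (pre-fix state).
PAM_FILES: Dict[str, str] = {
    "sshd": """\
#%PAM-1.0
auth required pam_securid.so reserve
auth include system-auth-ac_new
account required pam_nologin.so
account include system-auth-ac_new
session required pam_loginuid.so
""",
    "system-auth-ac_new": """\
#%PAM-1.0
# This file is auto-generated.
auth sufficient pam_sss.so
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_unix.so broken_shadow
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
""",
}

# type  control (plain word or [bracketed list])  module  optional args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamEntry:
    source: str            # file the entry came from
    type: str              # auth / account / password / session
    control: str
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam(name: str, text: str) -> List[PamEntry]:
    """Parse one pam.d file; comments and blank lines are skipped."""
    entries: List[PamEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"{name}: cannot parse {raw!r}")
        typ, control, module, rest = m.groups()
        entries.append(PamEntry(name, typ, control, module, rest.split()))
    return entries


def auth_stack(files: Dict[str, str], service: str) -> List[PamEntry]:
    """Flatten the auth stack of `service`, expanding `include` lines in place."""
    stack: List[PamEntry] = []
    for e in parse_pam(service, files[service]):
        if e.type != "auth":
            continue
        if e.control == "include":
            stack.extend(auth_stack(files, e.module))
        else:
            stack.append(e)
    return stack


def find_reused_token(stack: List[PamEntry]) -> List[str]:
    """Heuristic: pam_sss.so stacked after another auth module, no prompt_always."""
    findings = []
    for i, e in enumerate(stack):
        if e.module != "pam_sss.so" or "prompt_always" in e.args:
            continue
        earlier = [p.module for p in stack[:i] if p.module != "pam_sss.so"]
        if earlier:
            findings.append(
                f"{e.source}: pam_sss.so auth entry follows {', '.join(earlier)} "
                "without prompt_always; it may reuse the token already on the stack"
            )
    return findings


def add_prompt_always(text: str) -> str:
    """Return the file with prompt_always appended to every pam_sss.so auth line."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth" and m.group(3) == "pam_sss.so" \
                and "prompt_always" not in raw.split():
            raw = raw.rstrip() + " prompt_always"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_reused_token(auth_stack(PAM_FILES, "sshd")):
        print("finding:", f)
    fixed = dict(PAM_FILES)
    fixed["system-auth-ac_new"] = add_prompt_always(PAM_FILES["system-auth-ac_new"])
    print("after fix:", find_reused_token(auth_stack(fixed, "sshd")) or "clean")
```

Run as-is it reports the one finding for the quoted configuration and prints "clean" for the version with `auth sufficient pam_sss.so prompt_always`; point `PAM_FILES` at the real contents of /etc/pam.d to lint a live host.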