On Wed, Apr 24, 2019 at 09:21:08PM -0000, David Fournier wrote:
> I've been tasked with adding two-factor authentication to one of our servers
> that will be exposed to the net. Requirements include using an existing 2FA
> system which uses RADIUS for authentication, and that users from both the
> client domain (unicorn.local) and the management domain (rainbow.local) can
> log in. The RADIUS server is the same for both domains.
>
> I believed I could use sssd with auth_provider = proxy and then specify my
> RADIUS pam module in the proxy_pam_target, however after running tests it
> appears that sssd only provides the username part of the fully qualified
> username to proxy_pam_target (i.e. if the user is '[email protected]',
> only 'stranger' is passed to the modules specified in proxy_pam_target).
>
> Is there a way/switch/configuration option that I would have missed that
> would allow passing the full username to my pam target?
Hi,

I'm sorry, there is no such switch or option. Currently SSSD explicitly
uses a short name (without the '@...' part) because typically other PAM
modules are confused by this type of name. Feel free to open an RFE on
https://pagure.io/SSSD/sssd/ to add an option to use the unmodified name
from the login prompt here.

If you are interested in trying it on your own have a look at
src/providers/proxy/proxy_child.c:

    212     ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname, NULL);
    213     if (ret != EOK) {
    214         goto fail;
    215     }
    216
    217     ret = pam_start(pam_target, shortname, &conv, &pamh);
    218     if (ret == PAM_SUCCESS) {

If you replace 'shortname' in line 217 with 'pd->user' it might already
work. Even better would be 'pd->logon_name' because this contains the
unmodified name given at the login prompt. But here you have to add this
member to the PAM data sent and received in src/sss_iface/sss_iface_types.c,
which is a bit more complicated.

bye,
Sumit

>
>
> Content of /etc/sssd/sssd.conf -------------------------------
>
> [sssd]
> domains = unicorn.local,rainbow.local
> config_file_version = 2
> services = nss, pam
> full_name_format = %1$s@%2$s
>
> [domain/unicorn.local]
> id_provider = ldap
> ldap_id_mapping = True
> ldap_schema = AD
> ldap_group_nesting_level = 8
> ldap_uri = ldap://pradad1001.unicorn.local
> ldap_search_base = dc=unicorn,dc=local
> ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=unicorn,DC=local
> ldap_default_authtok_type = password
> ldap_default_authtok = *************
>
> default_shell = /bin/bash
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = L_Unicorn_SSH_Admins
> auth_provider = proxy
> proxy_pam_target = sssdauthproxy
>
> [domain/rainbow.local]
> id_provider = ldap
> ldap_id_mapping = True
> ldap_schema = AD
> ldap_group_nesting_level = 8
> ldap_uri = ldap://otherad2001.rainbow.local
> ldap_search_base = dc=rainbow,dc=local
> ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=rainbow,DC=local
> ldap_default_authtok_type = password
> ldap_default_authtok = **************
>
> default_shell = /bin/bash
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = L_Rainbow_SSH_Admins
> auth_provider = proxy
> proxy_pam_target = sssdauthproxy
>
> End Content of /etc/sssd/sssd.conf -------------------------------
>
> Content of sssdauthproxy -------------------------------------
> auth required pam_warn.so
> auth required pam_radius_auth.so
> End Content of sssdauthproxy -------------------------------------
>
> Note that I added pam_warn.so right before pam_sss.so; the output shows the
> difference in users:
>
> Apr 24 17:16:58 SAclt001 sshd[15553]: pam_warn(sshd:auth):
> function=[pam_sm_authenticate] service=[sshd] terminal=[ssh]
> user=[[email protected]] ruser=[<unknown>] rhost=[bbb.bbb.bbb.bb]
> Apr 24 17:16:58 SAclt001 proxy_child: pam_warn(sssdauthproxy:auth):
> function=[pam_sm_authenticate] service=[sssdauthproxy] terminal=[ssh]
> user=[stranger] ruser=[] rhost=[bbb.bbb.bbb.bb]
>
> Thanks for reading that far!
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
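Added example, not SSSD's code and not part of the thread above: a small C stand-in for the name handling in proxy_child.c that the reply points at. It splits the internal fully-qualified name at the last '@' (the role sss_parse_internal_fqname() plays in the quoted lines), lets you choose which of the three candidate names (shortname, pd->user, pd->logon_name) would be handed to pam_start(), and checks what the posted configuration implies: both domains use the same proxy_pam_target and the same RADIUS server, so with the current short-name behaviour 'stranger' from unicorn.local and 'stranger' from rainbow.local reach pam_radius_auth, and therefore the RADIUS server, as the same user name. struct pam_data, enum pam_user_policy, parse_internal_fqname() and fqnames_collide() are hypothetical names introduced here, the sample user names are constructed, and the exact split and error rules of the real sss_parse_internal_fqname() are an assumption.

```c
#define _POSIX_C_SOURCE 200809L /* strdup/strndup */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EOK 0

/* Hypothetical subset of SSSD's struct pam_data (member names from the thread). */
struct pam_data {
    const char *user;       /* internal fqname, e.g. "stranger@unicorn.local" */
    const char *logon_name; /* name exactly as typed at the login prompt */
};

/* Which name proxy_child would hand to pam_start(); hypothetical enum. */
enum pam_user_policy {
    PAM_USER_SHORTNAME = 0,  /* current behaviour: 'shortname' */
    PAM_USER_FQNAME = 1,     /* quick change: 'pd->user' */
    PAM_USER_LOGON_NAME = 2  /* fuller change: 'pd->logon_name' */
};

/*
 * Split "name@domain" at the last '@' into heap copies (caller frees).
 * Stand-in for sss_parse_internal_fqname(), not SSSD's implementation;
 * the rule that name and domain must both be non-empty is an assumption.
 * Returns EOK, EINVAL on a malformed name, ENOMEM on allocation failure.
 */
int parse_internal_fqname(const char *fqname, char **shortname, char **domain)
{
    const char *sep;

    if (fqname == NULL) {
        return EINVAL;
    }
    sep = strrchr(fqname, '@');
    if (sep == NULL || sep == fqname || sep[1] == '\0') {
        return EINVAL;
    }
    if (shortname != NULL) {
        *shortname = strndup(fqname, (size_t)(sep - fqname));
        if (*shortname == NULL) {
            return ENOMEM;
        }
    }
    if (domain != NULL) {
        *domain = strdup(sep + 1);
        if (*domain == NULL) {
            if (shortname != NULL) {
                free(*shortname);
                *shortname = NULL;
            }
            return ENOMEM;
        }
    }
    return EOK;
}

/* Name that would reach pam_start() under a policy; heap copy, NULL on error. */
char *pam_user_for_policy(const struct pam_data *pd, enum pam_user_policy policy)
{
    char *shortname = NULL;

    switch (policy) {
    case PAM_USER_SHORTNAME:
        return parse_internal_fqname(pd->user, &shortname, NULL) == EOK ? shortname : NULL;
    case PAM_USER_FQNAME:
        return pd->user != NULL ? strdup(pd->user) : NULL;
    case PAM_USER_LOGON_NAME:
        return pd->logon_name != NULL ? strdup(pd->logon_name) : NULL;
    }
    return NULL;
}

/*
 * 1 if two internal fqnames would be presented to the PAM target, and so to
 * the RADIUS server behind pam_radius_auth, under the same name, else 0.
 * The logon name is taken to equal the internal fqname for this check.
 */
int fqnames_collide(const char *a, const char *b, enum pam_user_policy policy)
{
    struct pam_data pa = { a, a };
    struct pam_data pb = { b, b };
    char *ua = pam_user_for_policy(&pa, policy);
    char *ub = pam_user_for_policy(&pb, policy);
    int same = (ua != NULL && ub != NULL && strcmp(ua, ub) == 0);

    free(ua);
    free(ub);
    return same;
}

int main(void)
{
    /* Constructed sample: the same short name exists in both domains. */
    const char *unicorn = "stranger@unicorn.local";
    const char *rainbow = "stranger@rainbow.local";
    int p;

    for (p = PAM_USER_SHORTNAME; p <= PAM_USER_LOGON_NAME; p++) {
        struct pam_data pd = { unicorn, unicorn };
        char *u = pam_user_for_policy(&pd, (enum pam_user_policy)p);

        printf("policy %d: pam_start(\"sssdauthproxy\", \"%s\", ...)  "
               "unicorn/rainbow collide: %s\n", p, u != NULL ? u : "(error)",
               fqnames_collide(unicorn, rainbow, (enum pam_user_policy)p) ? "yes" : "no");
        free(u);
    }
    return 0;
}
```

Build with cc -std=c99 -Wall and run it. Under the short-name policy the two domains' users collide; under pd->user or pd->logon_name they do not, but the RADIUS server then has to know the accounts under the full form printed for that policy, since pam_radius_auth forwards whatever name pam_start() was given.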
