First, you need to verify that your Kerberos libraries support OTP. I believe it requires Kerberos 1.12 or later.

Second, you need to verify that your IPA supports kinit -n. Current versions do, but it’s only been like the last year. It also requires your client system to be set up to use it. I think ipa_install will do that, but otherwise you’ll have to set up an appropriate certificate.

If you have a recent Kerberos library but your server doesn’t support kinit -n then you’ll need to use a key table to generate the credentials used to armor the request.

My preference is to use sssd with pam_sssd. That will work for CentOS 7, but not 6, and for fairly recent versions of Ubuntu.

Otherwise, assuming the preconditions are true, then pam_krb5 should work. Depending upon version, you need to turn on armor and either specify pkinit (if kinit -n works on your system) or a key table, e.g. /etc/krb5.keytab. You might find Russ Allbery’s version of pam_krb5 useful here, https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html. In that version, it looks like anon_fast will work if “kinit -n” works, otherwise fast_ccache=<ccache_name>. You can use k5start pointing to some key table to create and maintain the cache.
On Jan 3, 2019, at 3:26 PM, Brian Topping via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Hi all, happy 2019!

Any thoughts on this? Docs would be welcome as well.

Thanks!! Brian

On Dec 30, 2018, at 8:17 AM, Brian Topping <brian.topping@gmail.com> wrote:

Hi all, I hope this is the best place to ask this, please let me know if not.

I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP account by logging into the node with SSH and the OTP user and it works fine, so I know that both the token and the client configuration are correct. I’ve tried a few different PAM stacks to see if I could get around this, including the sshd stack to no avail. In all cases, the FreeIPA server logs state `Additional pre-authentication required` and then `Preauthentication failed`.

Preauthentication makes sense, I just don’t understand why sshd works fine with both password factors concatenated in the first factor and libreswan (and xl2tpd when I was testing it) both fail with preauth issues. What am I missing? Are there good docs on this somewhere? [1] was the best I could come up with and it seems to be out-of-date (pam_sss takes different parameters for some of the same functions in the final form).

Cheers! Brian

[1] https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
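The precondition checks and the armor choice that the reply at the top of this thread walks through (library version, whether kinit -n works, anon_fast versus a k5start-maintained fast_ccache), as an added example written for this page rather than code from the posters, pam-krb5 or FreeIPA. It assumes MIT Kerberos (krb5-config), Russ Allbery's pam-krb5 and k5start installed, an armor cache at /run/krb5-armor/ccache, and the KINIT/K5START variables exist only so the probes can be overridden.

```shell
# Added illustration, not code from the thread. Assumes MIT Kerberos (krb5-config),
# Russ Allbery's pam-krb5 plus k5start, and the cache path below; KINIT/K5START
# exist only so the probes can be overridden when testing.
set -eu
ARMOR_CCACHE=${ARMOR_CCACHE:-/run/krb5-armor/ccache}   # assumed location
KEYTAB=${KEYTAB:-/etc/krb5.keytab}                      # keytab named in the reply
KINIT=${KINIT:-kinit}
K5START=${K5START:-k5start}

# krb5_at_least HAVE WANT: succeeds when dotted version HAVE >= WANT.
# OTP preauth over FAST needs MIT Kerberos 1.12 or later.
krb5_at_least() {
    awk -v h="$1" -v w="$2" 'BEGIN { split(h, a, "."); split(w, b, ".")
        for (i = 1; i <= 3; i++) { if (a[i]+0 > b[i]+0) exit 0; if (a[i]+0 < b[i]+0) exit 1 }
        exit 0 }'
}

# Does anonymous PKINIT (kinit -n) work here? If so, pam-krb5 can fetch its own
# FAST armor ticket (anon_fast); otherwise armor must come from a keytab-backed
# credential cache that k5start keeps fresh (fast_ccache).
armor_method() {
    tmp=$(mktemp)
    if "$KINIT" -n -c "FILE:$tmp" >/dev/null 2>&1; then m=anon_fast; else m=fast_ccache; fi
    rm -f "$tmp"; echo "$m"
}

# Render the pam_krb5 auth line for the chosen armor method.
pam_auth_line() {
    case "$1" in
        anon_fast)   echo "auth sufficient pam_krb5.so anon_fast" ;;
        fast_ccache) echo "auth sufficient pam_krb5.so fast_ccache=FILE:$ARMOR_CCACHE" ;;
        *) echo "unknown armor method: $1" >&2; return 1 ;;
    esac
}

# Create and keep renewing the armor cache from the first principal in the
# keytab (every 30 minutes, detached into the background).
start_armor_cache() {
    mkdir -p "$(dirname "$ARMOR_CCACHE")"
    "$K5START" -b -U -f "$KEYTAB" -k "$ARMOR_CCACHE" -K 30
}

main() {
    ver=$(krb5-config --version | awk '{print $NF}')
    krb5_at_least "$ver" 1.12 || { echo "Kerberos $ver too old for OTP (need 1.12+)" >&2; exit 1; }
    method=$(armor_method)
    [ "$method" = fast_ccache ] && start_armor_cache
    echo "Add to the pluto PAM stack:"; pam_auth_line "$method"
}
if [ -n "${RUN_ARMOR_SETUP:-}" ]; then main; fi
```

Run it with RUN_ARMOR_SETUP=1 on the VPN host; the printed auth line goes ahead of the existing pam_sss or pam_unix entries in the pluto stack.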