First, you need to verify that your Kerberos libraries support OTP. I believe it requires Kerberos 1.12 or later.
Second, you need to verify that your IPA supports kinit -n. Current versions do, but it’s only been like the last year. It also requires your client system to be set up to use it. I think ipa_install will do that, but otherwise you’ll have to set up an appropriate certificate.
If you have a recent Kerberos library but your server doesn’t support kinit -n then you’ll need to use a key table to generate the credentials used to armor the request.
My preference is to use sssd with pam_sssd. That will work for CentOS 7, but not 6, and for fairly recent versions of Ubuntu.
Otherwise, assuming the preconditions are true, then pam_krb5 should work. Depending upon version, you need to turn on armor and either specify pkinit (if kinit -n works on your system) or a key table, e.g. /etc/krb5.keytab. You might find Russ Allbery’s version of pam_krb5 useful here, https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html. In that version, it looks like anon_fast will work if “kinit -n” works, otherwise fast_ccache=<ccache_name>. You can use k5start pointing to some key table to create and maintain the cache.
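The two pam_krb5 arrangements the reply above describes (anon_fast where `kinit -n` works, fast_ccache fed by k5start where it does not), written out as an added shell sketch. This is not code from the thread, from pam-krb5 or from k5start; the armor cache path, the 10-minute renewal interval and the use of /etc/krb5.keytab are assumptions, and the 1.12 threshold is the one the reply gives.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam-krb5/k5start: the checks
# and PAM settings the reply above describes, as shell functions that can be
# exercised offline. Cache path, renewal interval and keytab are assumptions.

# Armor credential cache maintained from the host keytab (assumed path).
FAST_CCACHE=/var/run/pam-krb5-fast.cc

# krb5_supports_otp "Kerberos 5 release 1.15.1"
# Succeeds when the MIT Kerberos release in the string (for example the output
# of `krb5-config --version`) is 1.12 or newer, the first release the reply
# gives as OTP-capable. Fails when no version can be found in the string.
krb5_supports_otp() {
    v=$(printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { print $i; exit } }')
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 12 ]; then return 0; fi
    return 1
}

# pam_krb5_auth_line anon|keytab
# Emits the pam_krb5 auth line for Russ Allbery's pam-krb5 in the two forms the
# reply describes. "anon" armors the request with anonymous PKINIT (anon_fast),
# which only works where `kinit -n` works, i.e. the IPA KDC supports it and the
# client trusts the KDC certificate. "keytab" armors with a credential cache
# obtained from a keytab (fast_ccache=...), for hosts where kinit -n fails.
pam_krb5_auth_line() {
    case "$1" in
        anon)   printf 'auth sufficient pam_krb5.so anon_fast\n' ;;
        keytab) printf 'auth sufficient pam_krb5.so fast_ccache=%s\n' "$FAST_CCACHE" ;;
        *)      echo "usage: pam_krb5_auth_line anon|keytab" >&2; return 2 ;;
    esac
}

# The k5start invocation that keeps FAST_CCACHE populated for the keytab form:
# -U takes the client principal from the keytab, -f names the keytab,
# -K 10 re-obtains the ticket every 10 minutes, -k sets the cache, -b daemonizes.
k5start_armor_cmd() {
    printf 'k5start -b -U -f /etc/krb5.keytab -K 10 -k %s\n' "$FAST_CCACHE"
}

# With --probe, inspect the live system: choose anon_fast if `kinit -n` can get
# an anonymous ticket into a throwaway cache, otherwise fall back to the keytab.
if [ "${1:-}" = "--probe" ]; then
    if kinit -n -c MEMORY:otp-probe >/dev/null 2>&1; then mode=anon; else mode=keytab; fi
    echo "# Kerberos: $(krb5-config --version 2>/dev/null || echo unknown)"
    pam_krb5_auth_line "$mode"
    if [ "$mode" = keytab ]; then k5start_armor_cmd; fi
fi
```

Run with `--probe` on the client to print the line to add to the PAM stack (and the k5start command if anonymous PKINIT is unavailable); without arguments it only defines the functions. The keytab form needs the cache to be readable by whatever runs the PAM stack (for libreswan, the `pluto` service), which is why the cache is kept in a fixed, non-user location.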
Hi all, happy 2019!
Any thoughts on this? Docs would be welcome as well.
Thanks!! Brian
On Dec 30, 2018, at 8:17 AM, Brian Topping <brian.topping@gmail.com> wrote:
Hi all, I hope this is the best place to ask this, please let me know if not.
I am setting up a PAM client (libreswan, using the `pluto` service). When I log in with a non-OTP account, everything works fine, but not with an OTP account. I have tested the OTP account by logging into the node with SSH as the OTP user and it works fine, so I know that both the token and the client configuration are correct. I’ve tried a few different PAM stacks to see if I could get around this, including the sshd stack, to no avail. In all cases, the FreeIPA server logs state `Additional pre-authentication required` and then `Preauthentication failed`.
Preauthentication makes sense, I just don’t understand why sshd works fine with both password factors concatenated in the first factor and libreswan (and xl2tpd when I was testing it) both fail with preauth issues. What am I missing? Are there good docs on this somewhere? [1] was the best I could come up with and it seems to be out-of-date (pam_sss takes different parameters for some of the same functions in the final form).
Cheers! Brian
[1] https://docs.pagure.org/SSSD.sssd/design_pages/pam_conversation_for_otp.html
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org