On Mon, Mar 15, 2021 at 06:04:17PM +0000, David Harvey via FreeIPA-users wrote:
> Hi list,
> I've been attempting to get optional 2FA working for my Debian derivatives
> so I can run per-host OTP nicely for the more sensitive boxes.
> So far:
> A user with only "password and otp" allowed can log in as expected
> with the password and OTP concatenated.
> A user with both "password" and "password and otp" allowed cannot use the
> concatenated practice. Working as expected I think so far from my
> readings...
> I've then been trying to follow the advice on this thread:
> https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...
> so that the pre-auth check can be made (the most relevant bit is the
> example PAM script I've been shamelessly trying to force into action).
> Applying their advice, it gets me as far as throwing up the correct prompt
> for 2FA users vs password-only users, but on trying to auth either with or
> without the OTP supplied I can't get in. I see the following errors in the
> auth log:
> Mar 15 17:36:38 focal-test login[5183]: PAM (login) no control flag supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM (login) no module name supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> Mar 15 17:36:38 focal-test login[5183]: PAM unable to dlopen(sha512): /lib/security/sha512: cannot open shared object file: No such file or directory
> Mar 15 17:36:38 focal-test login[5183]: PAM adding faulty module: sha512
> Mar 15 17:36:38 focal-test login[5183]: PAM (other) no control flag supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM (other) no module name supplied
> Mar 15 17:36:38 focal-test login[5183]: PAM pam_parse: expecting return value; [...try_first_pass]
> Mar 15 17:36:47 focal-test login[5183]: pam_sss(login:auth): authentication success; logname=david uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=david
> Mar 15 17:36:49 focal-test login[5183]: FAILED LOGIN (1) on '/dev/pts/0' FOR 'david', Permission denied

Hi,

it looks like authentication worked but then access is denied. Can you
share your PAM configuration for the login program?

bye,
Sumit

> I've been trying across a spread of Ubuntu and Debian versions to try and
> ensure I've entertained sufficiently new sssd and libkrb5 versions but am
> pretty stumped. Most confusing is the sha512 errors when it's also included
> in the default unix pam config.
> Feel free to tell me to f@£$ off to the sssd lists!
> David
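The messages in the quoted log ("no control flag supplied", "no module name supplied", "pam_parse: expecting return value", "unable to dlopen") are what Linux-PAM logs while reading a pam.d file whose lines are missing tokens or carry a malformed [value=action ...] control, which is why Sumit asks for the login configuration. As an added example (not from either poster), here is a small Python linter that applies the same line-level checks to a constructed pam.d fragment; the ".so" suffix test is an assumption standing in for PAM's real dlopen() attempt, and the sample lines are constructed, not David's config.

```python
import re
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}       # or a numeric jump count
RETURN_VALUES = {  # names allowed on the left of '=' inside a [value=action ...] control
    "success", "open_err", "symbol_err", "service_err", "system_err", "buf_err", "perm_denied",
    "auth_err", "cred_insufficient", "authinfo_unavail", "user_unknown", "maxtries",
    "new_authtok_reqd", "acct_expired", "session_err", "cred_unavail", "cred_expired", "cred_err",
    "no_module_data", "conv_err", "authtok_err", "authtok_recover_err", "authtok_lock_busy",
    "authtok_disable_aging", "try_again", "ignore", "abort", "authtok_expired", "module_unknown",
    "bad_item", "conv_again", "incomplete", "default"}

def tokenize(line):
    """Split like PAM: on whitespace, but '[...]' is one token and an unterminated '[' eats the rest."""
    return re.findall(r"\[[^\]]*\]?|\S+", line.split("#", 1)[0])

def check_control(ctrl):
    """pam_parse error for a [value=action ...] control, or None when it is well-formed."""
    pairs = ctrl.strip("[]").split()
    for n, pair in enumerate(pairs):
        value, eq, action = pair.partition("=")
        rest = " ".join(pairs[n:])             # PAM logs the unparsed remainder as [...rest]
        if value not in RETURN_VALUES or not eq:
            return f"pam_parse: expecting return value; [...{rest}]"
        if action not in ACTIONS and not action.isdigit():
            return f"pam_parse: expecting action; [...{rest}]"

def lint_pam_file(text, service="login"):
    """(line number, message) pairs PAM would log while reading one pam.d file."""
    problems = []
    for lineno, raw in enumerate(text.replace("\\\n", " ").splitlines(), 1):
        toks = tokenize(raw)                   # type, control, module path, args...
        if not toks: continue
        if len(toks) < 2:
            problems.append((lineno, f"({service}) no control flag supplied"))
        elif toks[1].lower() not in SIMPLE_CONTROLS and (err := check_control(toks[1])):
            problems.append((lineno, err))
        if len(toks) < 3:
            problems.append((lineno, f"({service}) no module name supplied"))
        elif not toks[2].endswith(".so"):      # heuristic stand-in for PAM's dlopen() attempt
            problems.append((lineno, f"unable to dlopen({toks[2]}): not a .so module path"))
    return problems

# Constructed pam.d/login fragment: line 2 was wrapped inside its bracket control, line 3 has
# only a module type, and line 4 has pam_unix's "sha512" argument where the module name belongs.
SAMPLE = """\
auth     [success=2 default=ignore]      pam_sss.so forward_pass
auth     [success=1 default=ignore try_first_pass
auth
password required                        sha512
"""
```

Running `lint_pam_file(SAMPLE)` reports each of the four message kinds from the log against the line that causes it, which is the quickest way to spot a wrapped or mangled line when comparing a copied config with the one in /etc/pam.d.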
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure