I have hooked one PAM implementation module, pam_custom.so, which does multi-factor authentication for a user. I am trying to use pam_get_item for the OTP in my internal PAM module pam_custom.so with the msg.style type set to PAM_TEXT_INFO.
But it is failing, as I am getting the error message "Conversation style 3 not supported". This is breaking my existing functionality and I am not able to use SSSD. Is it a limitation of SSSD? A normal username and password, for which there is no MFA, is authenticated successfully.
sssd.conf
--------------------
[sssd]
config_file_version = 2
services = nss, pam
domains = proxy_proxy

[nss]

[pam]

[domain/proxy_proxy]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = customnss
proxy_pam_target = sssdproxycustom
enumerate = false
cache_credentials = false
debug_level = 9
min_id = 500

sssdproxycustom
--------------------------
auth     required  pam_custom.so
account  required  pam_custom.so
password required  pam_custom.so
session  required  pam_custom.so
On Wed, Nov 14, 2018 at 10:45:46AM -0000, MOHIT KUMAR wrote:
I have hooked one PAM implementation module, pam_custom.so, which does multi-factor authentication for a user. I am trying to use pam_get_item for the OTP in my internal PAM module pam_custom.so with the msg.style type set to PAM_TEXT_INFO.
But it is failing, as I am getting the error message "Conversation style 3 not supported". This is breaking my existing functionality and I am not able to use SSSD. Is it a limitation of SSSD? A normal username and password, for which there is no MFA, is authenticated successfully.
SSSD's proxy functionality is limited in the sense that it currently can only give the password the user entered before to the proxied PAM modules. I.e. currently we can only handle PAM_PROMPT_ECHO_OFF properly and return an error for other message styles.
Is the message you are sending with PAM_TEXT_INFO important for the functionality, e.g. does it contain a challenge which should be typed into some device to get a one-time response? Or is it just some informational message? In the latter case, would it be possible to add a check to your PAM module to not send this message if the PAM service is 'sssdproxycustom'?
bye, Sumit
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.o...
Thanks Sumit.
PAM_TEXT_INFO is being used to inform the user about the type of challenge, which is determined at run time from the back-end system based on the user account configuration. It can be OTP verification, security questions, etc. And yes, sssdproxycustom is a PAM service.
However, I am able to make this functionality work by disabling sssdauth and adding pam_custom.so to the PAM service.
Run the below command to disable sssdauth:
authconfig --enablesssd --disablesssdauth --enablemkhomedir --enablepamaccess --update
Edit the sshd service file (/etc/pam.d/sshd). I have modified it to include pam_custom.so:
auth sufficient pam_custom.so
auth include password-auth
Not sure if this is the right approach. I can only think of this solution if SSSD does not support this functionality at all.
Also, I need suggestions on the below two queries:
1. Is pam_get_item(pamh, PAM_CONV, (const void **) &conv) supported from SSSD if I want to get custom input from the user? It can be the answers to any MFA factors. When I try this API it always returns the password the user has entered.
2. Can we use pam_info for the informational messages? If we can use this, then we can form the question through pam_info, and for getting input we can use pam_get_item with PAM_PROMPT_ECHO_OFF.
I will be really thankful if you can guide me with these.
Thanks.
On Fri, Nov 16, 2018 at 05:35:05AM -0000, MOHIT KUMAR wrote:
Also, I need suggestions on the below two queries:
- Is pam_get_item(pamh, PAM_CONV, (const void **) &conv) supported from SSSD if I want to get custom input from the user? It can be the answers to any MFA factors. When I try this API it always returns the password the user has entered.
Can you rephrase the question? In general the PAM conversation API can handle multiple inputs from the user.
- Can we use pam_info for the informational messages? If we can use this, then we can form the question through pam_info, and for getting input we can use pam_get_item with PAM_PROMPT_ECHO_OFF.
Yes, this would be possible, but the details would be quite complex to support the general conversation of PAM modules, because there might be more than one round-trip in the general case. So the straightforward solution would be to use your PAM module in the PAM configuration directly, as you've already mentioned in your other email.
HTH
bye, Sumit
On Fri, Nov 16, 2018 at 04:01:03AM -0000, MOHIT KUMAR wrote:
Thanks Sumit.
PAM_TEXT_INFO is being used to inform the user about the type of challenge, which is determined at run time from the back-end system based on the user account configuration. It can be OTP verification, security questions, etc. And yes, sssdproxycustom is a PAM service.
However, I am able to make this functionality work by disabling sssdauth and adding pam_custom.so to the PAM service.
Run the below command to disable sssdauth:
authconfig --enablesssd --disablesssdauth --enablemkhomedir --enablepamaccess --update
Edit the sshd service file (/etc/pam.d/sshd). I have modified it to include pam_custom.so:
auth sufficient pam_custom.so
auth include password-auth
Not sure if this is the right approach. I can only think of this solution if SSSD does not support this functionality at all.
Yes, adding your PAM module directly into the PAM configuration is currently the only way I can see as well.
bye, Sumit
Hi Sumit,
I have added the PAM module separately and it is working, asking for the MFA inputs. However, when I add it through SSSD it is not able to ask any questions. Is there any limitation on the SSSD side? I mean, ideally, whether the configuration is done independently or through SSSD, the behaviour should be the same. We are using pam_info and pam_get_item to get the inputs from the user in the library.
On Mon, Nov 19, 2018 at 02:20:47AM -0000, MOHIT KUMAR wrote:
Hi Sumit,
I have added the PAM module separately and it is working, asking for the MFA inputs. However, when I add it through SSSD it is not able to ask any questions. Is there any limitation on the SSSD side? I mean, ideally, whether the configuration is done independently or through SSSD, the behaviour should be the same. We are using pam_info and pam_get_item to get the inputs from the user in the library.
It is a limitation of SSSD. With the SSSD proxy configuration your PAM module is not communicating with the user directly but with a component of SSSD which currently can only handle a single password.
In general it would be possible to enhance SSSD so that this component takes all conversation items, sends them to pam_sss to present them to the user, and returns the input to your PAM module. But this won't be a trivial task. Additionally, one of the reasons for SSSD's proxy interface is to allow SSSD to cache a hashed version of the password for offline authentication. E.g. if you use a PAM module to authenticate against a database, say pam_mysql, SSSD can use the cached hash to validate a user's password if the database is not reachable. In your case the MFA input contains a value which only works once, so it does not make sense to cache anything. So if it works, it is ok to add it directly into the PAM configuration and not use SSSD's proxy feature.
HTH
bye, Sumit
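Added example, not code from the thread, from sssd or from Linux-PAM: a stand-alone C model of what the replies above describe. One conversation callback (terminal_conv) behaves like an interactive application, displaying PAM_TEXT_INFO and answering two PAM_PROMPT_ECHO_OFF prompts in turn; the other (proxy_conv) behaves like sssd's proxy child as Sumit describes it, answering only PAM_PROMPT_ECHO_OFF and always with the single password it holds. The module-side function mfa_authenticate applies the service-name check Sumit suggested. The PAM structs and constants are declared locally with the same names and values as Linux-PAM's security/pam_appl.h so the program needs no libpam; the service name sssdproxycustom comes from the posted sssd.conf, and the password, OTP and prompt strings are constructed for the demo.

```c
/* Added example (not sssd or Linux-PAM code): a PAM MFA module driven through
 * (a) a terminal-style conversation that shows text and takes several inputs and
 * (b) an sssd-proxy-style one that only replays the single password sssd already
 * collected. Names and values mirror Linux-PAM's <security/pam_appl.h> so this
 * builds without libpam; "sssdproxycustom" is the thread's proxy_pam_target,
 * credentials and prompts are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1   /* the only style sssd's proxy child answers */
#define PAM_ERROR_MSG        3   /* "Conversation style 3" in the thread */
#define PAM_TEXT_INFO        4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
                  void *appdata_ptr; };

static char *dup_str(const char *s) { char *d = malloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }
/* calloc'd response arrays: unset slots are NULL, so free() of every slot is safe */
static void free_responses(struct pam_response *r, int n) { for (int i = 0; i < n; i++) free(r[i].resp); free(r); }

/* (b) every PAM_PROMPT_ECHO_OFF gets the cached password; anything else aborts */
static int proxy_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *cached_password) {
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            fprintf(stderr, "Conversation style %d not supported\n", msg[i]->msg_style);
            free_responses(r, n);
            return PAM_CONV_ERR;
        }
        r[i].resp = dup_str(cached_password);
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* (a) scripted terminal: prompts consume canned answers, text is displayed */
struct scripted { const char *const *answers; int count, next; };
static int terminal_conv(int n, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata) {
    struct scripted *s = appdata;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_TEXT_INFO || style == PAM_ERROR_MSG)
            printf("%s\n", msg[i]->msg);
        else if (style == PAM_PROMPT_ECHO_OFF && s->next < s->count)
            r[i].resp = dup_str(s->answers[s->next++]);
        else { free_responses(r, n); return PAM_CONV_ERR; }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* module side: one message through whatever conversation the caller installed;
 * the module cannot tell whether that caller is sshd or sssd's proxy child */
static int converse(const struct pam_conv *c, int style, const char *text, char **out) {
    struct pam_message m = { style, text };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = c->conv(1, &mp, &r, c->appdata_ptr);
    if (rc != PAM_SUCCESS) return rc;
    if (!out) { free_responses(r, 1); return PAM_SUCCESS; }
    *out = r->resp;
    free(r);
    return *out ? PAM_SUCCESS : PAM_CONV_ERR;
}

#define DEMO_PASSWORD "correct horse"   /* constructed test credentials */
#define DEMO_OTP      "123456"

int mfa_authenticate(const char *service, const struct pam_conv *c) {
    char *pw = NULL, *otp = NULL; int rc, ok;
    /* the thread's workaround: no PAM_TEXT_INFO when driven by the proxy target */
    if (strcmp(service, "sssdproxycustom") != 0 &&
        (rc = converse(c, PAM_TEXT_INFO, "Challenge type: OTP", NULL)) != PAM_SUCCESS)
        return rc;
    if ((rc = converse(c, PAM_PROMPT_ECHO_OFF, "Password: ", &pw)) != PAM_SUCCESS) return rc;
    ok = strcmp(pw, DEMO_PASSWORD) == 0;
    free(pw);
    if (!ok) return PAM_AUTH_ERR;
    if ((rc = converse(c, PAM_PROMPT_ECHO_OFF, "OTP: ", &otp)) != PAM_SUCCESS) return rc;
    ok = strcmp(otp, DEMO_OTP) == 0;   /* through the proxy this is the password again */
    free(otp);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

int demo_direct(void) {               /* pam_custom.so listed in /etc/pam.d/sshd */
    static const char *const answers[] = { DEMO_PASSWORD, DEMO_OTP };
    struct scripted s = { answers, 2, 0 };
    struct pam_conv c = { terminal_conv, &s };
    return mfa_authenticate("sshd", &c);
}
/* pam_custom.so behind proxy_pam_target; sssd's child holds only the password */
int demo_proxy(const char *service) { char pw[] = DEMO_PASSWORD; struct pam_conv c = { proxy_conv, pw }; return mfa_authenticate(service, &c); }

int main(void) {
    printf("direct %d, proxy with info %d, proxy without info %d\n",
           demo_direct(), demo_proxy("sshd"), demo_proxy("sssdproxycustom"));
    return 0;
}
```

Running the three cases reproduces the thread's findings in order: through the terminal conversation the module succeeds; through the proxy conversation with the PAM_TEXT_INFO message it fails with PAM_CONV_ERR before any prompt is answered; with the message suppressed it gets past the password prompt, but the OTP prompt is answered with the password again, so the second factor can never be satisfied, which is why placing pam_custom.so in the PAM stack directly is the only working option. Two details worth checking on a real system: in Linux-PAM PAM_TEXT_INFO is 4 and PAM_ERROR_MSG is 3, so a log line reporting style 3 points at an error message rather than an info message; and in the posted sshd stack, "auth sufficient pam_custom.so" followed by "auth include password-auth" means a pam_custom.so failure is not fatal on its own and the login outcome then depends on what password-auth accepts, whereas a control field of "[success=done default=die]" makes the module's failure terminal.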