I am using CentOS 7.

What are you using as your auth_provider?

Here is my config today. Once it is working I will make sure puppet keeps it in line in case it gets overwritten by authconfig. But I first need to make sure it is working, which is not the case today.

$ cat /etc/sssd/sssd.conf
...

auth_provider = proxy                
proxy_pam_target = securid
...

$ cat /etc/pam.d/sshd 
#%PAM-1.0
auth    required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_exec.so /usr/local/bin/apply-quota.sh
#session    optional    pam_exec.so log=/tmp/pam_exec.log /usr/local/bin/ipsystems.sh
session    optional     pam_exec.so /usr/local/bin/ipsystems.sh
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 999 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

$ cat /etc/pam.d/securid 
auth sufficient pam_radius_auth.so

There is no reserve option for pam_radius_auth. I am using pam_radius_auth to connect to my RSA SecurID server and it has been working on all my Solaris, Ubuntu and CentOS systems for the last 15+ years.

These are the only options available: https://github.com/FreeRADIUS/pam_radius/blob/master/USAGE
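A quick way to see why a stack yields one prompt or two is to flatten the auth phase the way pam(8) resolves include/substack and list the modules that can open their own password conversation. The script below is an added example, not code from the thread or from sssd; the sample /etc/pam.d contents are constructed from the stacks posted above, and the PAM_D dict stands in for the real directory so it runs offline.

```python
import re
# Constructed sample /etc/pam.d (auth phase only) built from the stacks posted above.
PAM_D = {
    "sshd": """#%PAM-1.0
auth    required pam_sepermit.so
auth       substack     password-auth
-auth      optional     pam_reauthorize.so prepare
""",
    "password-auth": """auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 999 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
""",
    "sshd-rsa-only": """auth       required     pam_securid.so reserve
#auth       include      system-auth-ac
""",
}

# type  control (word or [bracketed])  module  args; a leading '-' marks the module optional
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Authenticating modules, i.e. the ones that can run their own conversation.
PROMPTING = {"pam_unix.so", "pam_sss.so", "pam_securid.so", "pam_radius_auth.so"}

def auth_chain(service, files=PAM_D, depth=0):
    """Flatten the auth phase of `service`, following include/substack like pam(8)."""
    if depth > 8:
        raise RecursionError("include loop via %s" % service)
    chain = []
    for raw in files.get(service, "").splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != "auth":  # blanks, comments, other phases
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            chain.extend(auth_chain(module, files, depth + 1))
        else:
            chain.append((control, module, args))
    return chain

def prompting_modules(chain):
    """Modules that open their own prompt (use_first_pass never does; try_first_pass does if no token was stored)."""
    return [mod for _, mod, args in chain
            if mod in PROMPTING and "use_first_pass" not in args]

if __name__ == "__main__":
    for svc in ("sshd", "sshd-rsa-only"):
        print(svc, "->", prompting_modules(auth_chain(svc)))
```

Two flagged modules in the CentOS 7 stack is the double 'Password:' prompt; the RSA-only stack with the include commented out flags just pam_securid.so.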

On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi <mrossi@hostopia.com> wrote:
What OS are you using? I am using CentOS 6 with RSA (fixed password + PIN) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for RSA and one for LDAP. If you need to ONLY use RSA with account lookup from sssd/ldap, then you have to comment out the auth line related to system-auth-ac in /etc/pam.d/sshd. You also have to be careful what umask you are using; make sure file perms are set to 0644. Also, if you run authconfig to manage /etc/pam.d, your files may be overwritten, so you may need to import custom settings into your deployment system, i.e. puppet/ansible.

Have you set ChallengeResponseAuthentication to yes in /etc/ssh/sshd_config ?

Example of a system that uses RSA for sshd, so you get only one password prompt:

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
#auth       include      system-auth-ac
account    required     pam_nologin.so
account    include      system-auth-ac
password   include      system-auth-ac
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac
session    required     pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


On 10/27/2017 10:27 AM, Asif Iqbal wrote:
This setup also failed miserably, where the first two lines of pam.d/sshd were like below:

auth       required     pam_securid.so
auth       include      system-auth-ac_new

And using your pam.d/system-auth-ac_new.

So it does give you the right prompt 'Enter SMS Token:' when I just put the PIN at the first login prompt. But after putting the SMS token at the next prompt, it goes back to the Password: prompt again. Even worse, now it does not even work when giving both PIN and TokenCode at the first prompt either.

Any other suggestion? Does anyone work with SSS and OTP at all?

Seems like I should just not use sss since OTP is a *must* requirement.

On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi <mrossi@hostopia.com> wrote:

My 2c: having two 'Password:' prompts (RSA + sssd) will confuse your users; the easiest would be to configure sd_pam.conf to use a different prompt for RSA.

$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :

Now back to your question. I believe you need to define a new system-auth file to be used, in my case system-auth-ac_new with a custom pam config. This is a working RSA + sssd (openldap) setup; I am not sure about proxy as I haven't used it before.


$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_securid.so reserve
auth       include      system-auth-ac_new
account    required     pam_nologin.so
account    include      system-auth-ac_new
password   include      system-auth-ac_new
session    optional     pam_keyinit.so force revoke
session    include      system-auth-ac_new
session    required     pam_loginuid.so

$ cat /etc/pam.d/system-auth-ac_new
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    pam_sss.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     [default=bad success=ok user_unknown=ignore] pam_sss.so
#account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    sufficient    pam_sss.so use_authtok
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_sss.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

On 10/26/2017 07:34 PM, Asif Iqbal wrote:
With pam_securid.so, I can have in /etc/pam.d/sshd

   auth sufficient pam_securid.so

and at ssh login I just put the PIN at the Password: prompt, then I get the Enter SMS Token: prompt, where I can put the tokencode and ssh into the server fine.

If I do the same with pam_sss.so it keeps asking for Password: and never changes the prompt to Enter SMS Token:, and ssh fails badly.
At this second Password: prompt I tried with just the tokencode (at 18:45:34 in the log below) or PIN and tokencode (at 18:47:55). Neither let me in; both failed eventually.

I think it is because pam_sss -> proxy -> securid -> pam_securid is failing to handle the PAM conversation?

Is there a way to fix that so pam_sss behaves the right way and lets me authenticate in two steps, with the PIN first and then the TokenCode at the next step?

Also, without this PAM conversation, when the PIN expires it will not let you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so that works very well as well.

I have sssd.conf set up like this (the option names are those sssd.conf actually uses, as in my later mail):
   auth_provider = proxy
   proxy_pam_target = securid

And in the pam.d/securid file
  auth sufficient pam_securid.so

Here are some logs, http://dpaste.com/2HD27XH.txt, where
   I tried with the PIN at the first Password: prompt and then the TokenCode at the second Password: prompt at 18:45:34 and failed to log in,
and
   I tried with the PIN at the first Password: prompt and then PIN and TokenCode at the second Password: prompt at 18:47:55 and failed to log in.

I tried with SELinux off and on and got the same result.

If I put PIN and TokenCode at the first Password: prompt, login works fine. I did not put any log for that here.

Any suggestion on how to fix pam_sss for OTP?

Thanks!

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?



_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org