On Fri, May 10, 2019 at 08:46:00AM -0400, Nerigal wrote:
Hi,
Never heard of PAM acting any how in the authentication mechanism with
using SSH key.
Yes, because they are completely unrelated.
im using /usr/bin/sss_ssh_authorizedkeys to authenticate SSH key and so
this is a sssd module right ?
Yes, sss_ssh_authorizedkeys is part of SSSD
and this binary leads the auth mechanics to sssd using the configuration
in sssd.conf
no, as said above PAM and SSH public key authentication are completely
unrelated.
sss_ssh_authorizedkeys talks to the SSSD ssh responder (sssd_ssh
process) configured in the [ssh] section of sssd.conf and if 'ssh' is
not listed in the 'services' list in the [sssd] section of sssd.conf the
ssh responder is not started and sss_ssh_authorizedkeys would return no
key. The ssh responder get the ssh public key data form the id_provider
configured for the backend.
PAM authentication is handled the SSSD PAM responder (sssd_pam process)
and configured in the [pam] section of sssd.conf. The PAM request
(authenticate, access control, etc) are forwarded to the auth_provider
configured in the backend. So SSSD will only access the proxy_pam_target
while handling PAM requests.
Other thing that make me thing this isn't right is that i first tried to
put the
pam_radius_auth.so lib into /etc/pam.d/password-auth
And i found that it change nothing to the ssh auth with Kay... still
successful without any negotiation with the Radius
so i tried with sshd directly...
pam_radius_auth.so lib into /etc/pam.d/sshd
with auth required pam_radius_auth.so
Did you try this with
AuthenticationMethods publickey,keyboard-interactive
and
ChallengeResponseAuthentication yes
in sshd_config?
I still would recommend keyboard-interactive instead of password because
iirc with password with ssh client will ask for a password
unconditionally while with ChallengeResponseAuthentication the PAM
conversation is send to the client. So if you add pam_radius_auth.so
near the beginning of /etc/pam.d/password-auth so that no other PAM
module can ask for a password you might be able to call pam_radius_auth
without a password prompt.
HTH
bye,
Sumit
and
account required pam_radius_auth.so
But the behavior was the same... it ignored both and the radius server
never received any packets but the authentication was successful and
this is a normal and expected behavior
the problem is that the SSH Keys authentication is leaded by
/usr/bin/sss_ssh_authorizedkeys and this require SSSD to allow Keys over
LDAP object ( otherwise SSH would not be able the authenticate the user
since the pubkeys doesn't exist locally on the server ) but still avoid
the negotiation with the radius, this negotiation require SSSD to
"pass-by" the pam stack with the proxy_pam_target
So with the test i made, it says that ssh key authentication with
/usr/bin/sss_ssh_authorizedkeys retrieve the needed information from
sssd.conf directly with the LDAP alternate attribute and LDAP AD user
object path to make the authentication possible without any negotiation
with the Radius which also say that proxy_pam_target is ignored.
So sssd behavior need to be modified to add an option to enforce using
proxy_pam_target even with the use of the following options
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
On 2019-05-10 01:26, Sumit Bose wrote:
> On Thu, May 09, 2019 at 09:45:46PM -0400, Nerigal wrote:
>
>> Hi,
>>
>> keyboard-interactive is for OTP only like the old google authenticator
>>
>> I use AMFA from Azure which require no code to be typed at screen
>>
>> So this option is irrelevant to the problem
>>
>> The problem is that sssd skip the pam stack with ssh key, i think it
>
> Hi,
>
> it is not SSSD skipping PAM here but sshd. SSSD can only be involved if
> the service needing authentication, sshd here, call pam_authenticate.
> With publickey authentication sshd usually skips this because the user
> is already authenticated. So you have to make sshd call pam_authenticate
> even in the case it already authenticated the user with a public key.
>
> HTH
>
> bye,
> Sumit
>
> could be a good plus value to add an option to sssd to stick to PAM
>
> even with alternate authentication from Active Directory.
>
> The work around applied at the moment is to use AuthenticationMethods
> "password,publickey"
>
> We have multiple jumpbox scenario to go trough but only the first
> jumpbox require 2FA ( MFA from Azure )
>
> So using SSH Key managed in Active Directory was a must, otherwise users
> would have been obligated to type creds at every jumpbox which make
> irrelevant the use of ssh gateway to me
>
> So the problem faced was that the first must use password auth to go
> trough PAM stack to trigger the MFA
>
> and all other jump must be SSH Key aware to facilitate everyone lives
> here...
>
> now the issue was that if you only allow password auth at the first
> Gateway.. all the next up can't authenticate using ssh-agent forwarding
>
> so the first hop has to authenticate with the password + MFA as well
> with the ssh key.
>
> Like i said This is a work around and not a decent solution. With the
> possibility of forcing SSSD to go trough PAM with the SSH Key validation
> though Active directory
>
> it make possible the option of password less authentication with MFA
> which is the targeted functionality.
>
> On 2019-05-09 10:36, Sumit Bose wrote:
>
> On Thu, May 09, 2019 at 07:55:31AM -0400, Nerigal wrote:
>
> Hi,
>
> I could make sssd work fine with domain authentication with Radius
> server + Azure MFA through SSH gateway using password
>
> So the user enter his creds and then get to prompt on his phone to
> accept or reject the authentication
>
> Everything work as expected so far
>
> The problem comes with SSH keys ...
>
> i tried the alternate authentication in Active Directory adding users
> SSH keys in altSecurityIdentities user object attribute
>
> and configuring
>
> ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
> ldap_user_ssh_public_key = altSecurityIdentities
> ldap_use_tokengroups = True
>
> in sssd.conf file
>
> and its actually working too well...
>
> The "too well" is that it looks like as soon as the user has a working
> ssh Key in Active Directory, SSSD ingore the configuration
>
> auth_provider = proxy
> proxy_pam_target = sssdproxyradiusauth
>
> Note *
>
> sshd_config is configured with
>
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> AuthorizedKeysCommandUser root
>
> So is there a way to make SSSD always pass by the Radius regardless of
> the auth mechanic ?
>
> May be the "proxy bypass" with SSH key come from
> /usr/bin/sss_ssh_authorizedkeys i can't tell at this point
> Yes, most probably. /usr/bin/sss_ssh_authorizedkeys will send the ssh
> key read by SSSD from the AD user object to sshd so that sshd can to
> public key authentication. This is the same as if you have out the ssh
> key into the .ssh/authorized_keys file in the user's homes directory
> only that it is centrally managed in AD.
>
> If you want to tell sshd to use both publickey and keyboard-interactive
> authentication together please see AuthenticationMethods in man
> sshd_config for details.
>
> HTH
>
> bye,
> Sumit
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...