Hi,

keyboard-interactive is for OTP only, like the old Google Authenticator.

I use AMFA from Azure, which requires no code to be typed on screen.

So this option is irrelevant to the problem.


The problem is that SSSD skips the PAM stack with an SSH key. I think it would be a good added value to add an option to SSSD to stick to PAM

even with alternate authentication from Active Directory.


The workaround applied at the moment is to use AuthenticationMethods "password,publickey".


We have a multiple-jumpbox scenario to go through, but only the first jumpbox requires 2FA (MFA from Azure).

So using SSH keys managed in Active Directory was a must; otherwise users would have been obliged to type creds at every jumpbox, which makes the use of an SSH gateway pointless to me.


So the problem faced was that the first one must use password auth to go through the PAM stack to trigger the MFA,

and all other jumps must be SSH-key aware to make everyone's lives easier here...

Now the issue was that if you only allow password auth at the first gateway, all the next hops can't authenticate using ssh-agent forwarding,

so the first hop has to authenticate with the password + MFA as well as with the SSH key.


Like I said, this is a workaround and not a decent solution. With the possibility of forcing SSSD to go through PAM with the SSH key validation through Active Directory,

it would make possible the option of passwordless authentication with MFA, which is the targeted functionality.

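The gap both messages circle around can be checked mechanically. sshd runs the PAM auth stack (pam_authenticate) only for the password and keyboard-interactive methods; a successful publickey method never enters it, so once sss_ssh_authorizedkeys hands AD-stored keys to sshd, a key-only login never reaches proxy_pam_target and the RADIUS/MFA step is skipped. Only AuthenticationMethods pairing publickey with a PAM-backed method (the "password,publickey" workaround above, or the publickey + keyboard-interactive combination Sumit points to) closes it. The following lint is an added example, not code from the thread or from the SSSD project; the sssd.conf and sshd_config texts are constructed from the settings quoted in the thread, and the domain name example.com and the id_provider = ad line are assumptions.

```python
"""Check whether an sshd_config / sssd.conf pair lets a public-key login
skip the PAM auth stack (and with it SSSD's proxy_pam_target).

Added example; domain name and file contents are constructed for the demo.
"""
import configparser
import re

# Methods for which sshd calls pam_authenticate() when UsePAM is yes.
PAM_AUTH_METHODS = {"password", "keyboard-interactive"}


def parse_sshd_config(text):
    """Keyword -> first value of the global section. sshd keeps the first
    occurrence of a keyword; Match blocks are ignored, so per-user
    overrides are deliberately not evaluated here."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(key, value)
    return conf


def auth_alternatives(conf):
    """AuthenticationMethods as a list of alternatives (space-separated);
    each alternative is the set of methods that must *all* succeed
    (comma-separated). [] stands for sshd's default 'any'."""
    value = conf.get("authenticationmethods", "")
    if not value or value == "any":
        return []
    # Drop ":pam"/":bls" style suffixes; they do not change the method class.
    return [{m.split(":")[0] for m in alt.split(",")} for alt in value.split()]


def pubkey_login_skips_pam(conf):
    """True when some accepted combination contains publickey but no
    PAM-backed method, i.e. a key holder can log in without PAM auth."""
    if conf.get("usepam", "no").lower() != "yes":
        return True  # sshd never consults PAM at all
    if conf.get("pubkeyauthentication", "yes").lower() == "no":
        return False
    alts = auth_alternatives(conf)
    if not alts:
        return True  # default: publickey alone completes the login
    return any("publickey" in a and not (a & PAM_AUTH_METHODS) for a in alts)


def sssd_domains_keys_via_proxy(text):
    """Domains that serve SSH keys from the directory while authenticating
    through a proxy PAM target (the RADIUS/MFA setup from the thread)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return [
        name for name in cp.sections()
        if name.startswith("domain/")
        and cp[name].get("auth_provider", "").strip() == "proxy"
        and cp[name].get("ldap_user_ssh_public_key", "").strip()
    ]


def assess(sshd_text, sssd_text):
    """Return findings; an empty list means every publickey login is also
    forced through a PAM-backed method, so proxy_pam_target always runs."""
    conf = parse_sshd_config(sshd_text)
    domains = sssd_domains_keys_via_proxy(sssd_text)
    keys_from_sssd = "sss_ssh_authorizedkeys" in conf.get("authorizedkeyscommand", "")
    if keys_from_sssd and domains and pubkey_login_skips_pam(conf):
        return ["publickey alone completes login: keys from %s reach sshd via "
                "AuthorizedKeysCommand but proxy_pam_target is never invoked; "
                "set AuthenticationMethods so publickey is paired with "
                "keyboard-interactive or password" % ", ".join(domains)]
    return []


# Constructed sssd.conf built from the options quoted in the thread.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam, ssh

[domain/example.com]
id_provider = ad
auth_provider = proxy
proxy_pam_target = sssdproxyradiusauth
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
"""

# Constructed sshd_config variants (ChallengeResponseAuthentication is the
# pre-8.7 spelling of KbdInteractiveAuthentication).
SSHD_COMMON = """\
UsePAM yes
ChallengeResponseAuthentication yes
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
"""
SSHD_ORIGINAL = SSHD_COMMON                                   # as first reported
SSHD_WORKAROUND = SSHD_COMMON + 'AuthenticationMethods "password,publickey"\n'
SSHD_SUGGESTED = SSHD_COMMON + "AuthenticationMethods publickey,keyboard-interactive\n"
SSHD_EITHER = SSHD_COMMON + "AuthenticationMethods publickey password,publickey\n"  # space = OR

if __name__ == "__main__":
    for label, text in (("original", SSHD_ORIGINAL), ("workaround", SSHD_WORKAROUND),
                        ("suggested", SSHD_SUGGESTED), ("either-or", SSHD_EITHER)):
        print(label + ":", assess(text, SSSD_CONF) or "ok")
```

The "either-or" variant is the trap worth remembering: a space in AuthenticationMethods separates alternatives, so "publickey password,publickey" still lets a key holder in with no PAM round trip, while a comma makes both methods mandatory in that order.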


On 2019-05-09 10:36, Sumit Bose wrote:

On Thu, May 09, 2019 at 07:55:31AM -0400, Nerigal wrote:
Hi,

I could make SSSD work fine with domain authentication with a RADIUS
server + Azure MFA through an SSH gateway using a password.

So the user enters his creds and then gets a prompt on his phone to
accept or reject the authentication.

Everything works as expected so far.

The problem comes with SSH keys ...

I tried the alternate authentication in Active Directory, adding users'
SSH keys to the altSecurityIdentities user object attribute

and configuring

ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True

in the sssd.conf file

and it's actually working too well...

The "too well" is that it looks like as soon as the user has a working
SSH key in Active Directory, SSSD ignores the configuration

auth_provider = proxy
proxy_pam_target = sssdproxyradiusauth

Note *

sshd_config is configured with

AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root

So is there a way to make SSSD always pass by the RADIUS regardless of
the auth mechanism?

Maybe the "proxy bypass" with SSH keys comes from
/usr/bin/sss_ssh_authorizedkeys; I can't tell at this point.

Yes, most probably. /usr/bin/sss_ssh_authorizedkeys will send the ssh
key read by SSSD from the AD user object to sshd so that sshd can do
public key authentication. This is the same as if you had put the ssh
key into the .ssh/authorized_keys file in the user's home directory,
only that it is centrally managed in AD.

If you want to tell sshd to use both publickey and keyboard-interactive
authentication together, please see AuthenticationMethods in man
sshd_config for details.

HTH

bye,
Sumit

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org