4:21 p.m.
I've been tasked with adding two-factor authentication to one of our servers that will
be exposed to the net. Requirements include using an existing 2FA system which uses RADIUS
for authentication, and that users from both the client domain (unicorn.local) and the
management domain (rainbow.local) can log in. The RADIUS server is the same for both
domains.
I believed I could use sssd with auth_provider = proxy and then specify my RADIUS pam
module in the proxy_pam_target, however after running tests it appears that sssd only
provides the username part of the fully qualified username to proxy_pam_target (i.e. if
the user is 'stranger(a)rainbow.local', only 'stranger' is passed to the
modules specified in proxy_pam_target).
Is there a way/switch/configuration option that I would have missed that would allow
passing the full username to my pam target?
Content of /etc/sssd/sssd.conf -------------------------------
[sssd]
domains = unicorn.local,rainbow.local
config_file_version = 2
services = nss, pam
full_name_format = %1$s@%2$s
[domain/unicorn.local]
id_provider = ldap
ldap_id_mapping = True
ldap_schema = AD
ldap_group_nesting_level = 8
ldap_uri = ldap://pradad1001.unicorn.local
ldap_search_base = dc=unicorn,dc=local
ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=unicorn,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = *************
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = L_Unicorn_SSH_Admins
auth_provider = proxy
proxy_pam_target = sssdauthproxy
[domain/rainbow.local]
id_provider = ldap
ldap_id_mapping = True
ldap_schema = AD
ldap_group_nesting_level = 8
ldap_uri = ldap://otherad2001.rainbow.local
ldap_search_base = dc=rainbow,dc=local
ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=rainbow,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = **************
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = L_Rainbow_SSH_Admins
auth_provider = proxy
proxy_pam_target = sssdauthproxy
End Content of /etc/sssd/sssd.conf -------------------------------
Content of sssdauthproxy -------------------------------------
auth required pam_warn.so
auth required pam_radius_auth.so
End Content of sssdauthproxy -------------------------------------
Note that I added pam_warn.so right before pam_sss.so, the output shows the difference in
users:
Apr 24 17:16:58 SAclt001 sshd[15553]: pam_warn(sshd:auth): function=[pam_sm_authenticate]
service=[sshd] terminal=[ssh] user=[stranger(a)rainbow.local] ruser=[<unknown>]
rhost=[bbb.bbb.bbb.bb]
Apr 24 17:16:58 SAclt001 proxy_child: pam_warn(sssdauthproxy:auth):
function=[pam_sm_authenticate] service=[sssdauthproxy] terminal=[ssh] user=[stranger]
ruser=[] rhost=[bbb.bbb.bbb.bb]
Thanks for reading that far!
5:59 a.m.
New subject: Is it possible to use the full username+domain name when using proxy_pam_target ?
On Wed, Apr 24, 2019 at 09:21:08PM -0000, David Fournier wrote:
I've been tasked with adding two-factor authentication to one of
our servers that will be exposed to the net. Requirements include using an existing 2FA
system which uses RADIUS for authentication, and that users from both the client domain
(unicorn.local) and the management domain (rainbow.local) can log in. The RADIUS server is
the same for both domains.
I believed I could use sssd with auth_provider = proxy and then specify my RADIUS pam
module in the proxy_pam_target, however after running tests it appears that sssd only
provides the username part of the fully qualified username to proxy_pam_target (i.e. if
the user is 'stranger(a)rainbow.local', only 'stranger' is passed to the
modules specified in proxy_pam_target).
Is there a way/switch/configuration option that I would have missed that would allow
passing the full username to my pam target?
Hi,
I'm sorry there is no such switch or options. Currently SSSD explicitly
uses a short name (without the '@...' part) because typically other PAM
modules are confused by this type of name.
Feel free to open a RFE on https://pagure.io/SSSD/sssd/ to add an optino
to use the unmodified name from the login prompt here.
If you are interested in trying it on your own have a look at
src/providers/proxy/proxy_child.c:
212 ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname, NULL);
213 if (ret != EOK) {
214 goto fail;
215 }
216
217 ret = pam_start(pam_target, shortname, &conv, &pamh);
218 if (ret == PAM_SUCCESS) {
If you replace 'shortname' in line 217 with 'pd->user' it might
already
work. Even better would be 'pd->logon_name' because this contains the
unmodified name given at the login prompt. But here you have to add this
member to the PAM data send and received in
src/sss_iface/sss_iface_types.c which is a bit more complicated.
bye,
Sumit
>
>
> Content of /etc/sssd/sssd.conf -------------------------------
>
> [sssd]
> domains = unicorn.local,rainbow.local
> config_file_version = 2
> services = nss, pam
> full_name_format = %1$s@%2$s
>
> [domain/unicorn.local]
> id_provider = ldap
> ldap_id_mapping = True
> ldap_schema = AD
> ldap_group_nesting_level = 8
> ldap_uri = ldap://pradad1001.unicorn.local
> ldap_search_base = dc=unicorn,dc=local
> ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=unicorn,DC=local
> ldap_default_authtok_type = password
> ldap_default_authtok = *************
>
> default_shell = /bin/bash
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = L_Unicorn_SSH_Admins
> auth_provider = proxy
> proxy_pam_target = sssdauthproxy
>
> [domain/rainbow.local]
> id_provider = ldap
> ldap_id_mapping = True
> ldap_schema = AD
> ldap_group_nesting_level = 8
> ldap_uri = ldap://otherad2001.rainbow.local
> ldap_search_base = dc=rainbow,dc=local
> ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=rainbow,DC=local
> ldap_default_authtok_type = password
> ldap_default_authtok = **************
>
> default_shell = /bin/bash
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = L_Rainbow_SSH_Admins
> auth_provider = proxy
> proxy_pam_target = sssdauthproxy
>
> End Content of /etc/sssd/sssd.conf -------------------------------
>
> Content of sssdauthproxy -------------------------------------
> auth required pam_warn.so
> auth required pam_radius_auth.so
> End Content of sssdauthproxy -------------------------------------
>
> Note that I added pam_warn.so right before pam_sss.so, the output shows the
difference in users:
>
> Apr 24 17:16:58 SAclt001 sshd[15553]: pam_warn(sshd:auth):
function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[stranger(a)rainbow.local]
ruser=[<unknown>] rhost=[bbb.bbb.bbb.bb]
> Apr 24 17:16:58 SAclt001 proxy_child: pam_warn(sssdauthproxy:auth):
function=[pam_sm_authenticate] service=[sssdauthproxy] terminal=[ssh] user=[stranger]
ruser=[] rhost=[bbb.bbb.bbb.bb]
>
> Thanks for reading that far!
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
9:29 a.m.
New subject: Is it possible to use the full username+domain name when using proxy_pam_target ?
On Wed, Apr 24, 2019 at 09:21:08PM -0000, David Fournier wrote:
Hi,
I'm sorry there is no such switch or options. Currently SSSD explicitly
uses a short name (without the '@...' part) because typically other PAM
modules are confused by this type of name.
Feel free to open a RFE on https://pagure.io/SSSD/sssd/ to add an optino
to use the unmodified name from the login prompt here.
If you are interested in trying it on your own have a look at
src/providers/proxy/proxy_child.c:
212 ret = sss_parse_internal_fqname(auth_data, pd->user, &shortname, NULL);
213 if (ret != EOK) {
214 goto fail;
215 }
216
217 ret = pam_start(pam_target, shortname, &conv, &pamh);
218 if (ret == PAM_SUCCESS) {
If you replace 'shortname' in line 217 with 'pd->user' it might
already
work. Even better would be 'pd->logon_name' because this contains the
unmodified name given at the login prompt. But here you have to add this
member to the PAM data send and received in
src/sss_iface/sss_iface_types.c which is a bit more complicated.
bye,
Sumit
Thank you very much Sumit, I'll open an RFE and will definitely try the modification
you suggest. I'll report the results once it's done.
For now I'm using a workaround where we created a PAM module that appends the domain
name to the user, which we insert at the top of our proxy_pam_target file. The downside is
that we need a different proxy_pam_target configuration for every domain. A switch within
sssd configuration file would be nicer.
Thanks again for your precise answer!
1810
days inactive
1822
days old
sssd-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
David Fournier -
Sumit Bose