[Freeipa-users] key + 2FA (password+OTP) is not working

Alexander Bokovoy abokovoy at redhat.com
Fri Sep 23 09:06:24 UTC 2016


On Fri, 23 Sep 2016, Deepak Dimri wrote:
>Hi Alexander,  I am using AWS to do a pilot on freeIPA & unfortunately
>AWS does not provide fedora or centos as part of its freetier setup so
>I have to live with ubuntu, redhat, suse etc.  I have the same problem
>with ubuntu and redhat though!
CentOS 7 is available and eligible for free tier:
https://aws.amazon.com/marketplace/pp/B00O7WM7QW


>Just one basic question.. what are the steps I should be following to
>make it work assuming I am trying on centos or fedora
Literally what you describe in your setup, except that 'password:pam'
seems to be broken in OpenSSH -- given that you are using PAM already
for password checks, removing :pam should just work. It works for me
with

Match Group twofa
   AllowGroups twofa
   AuthenticationMethods publickey,password publickey,keyboard-interactive

as the last statement in the sshd_config.

Sep 23 11:55:50 f24-master.ipa.ad.test sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
...
Sep 23 11:56:07 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: sshpam_passwd_conv called with 2 messages
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: request received
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: user query start
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: user query end: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: bind start: uid=foobar,cn=users,cn=accounts,dc=ipa,dc=ad,dc=test
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: bind end: success
Sep 23 11:56:08 f24-master.ipa.ad.test ipa-otpd[2892]: foobar at IPA.AD.TEST: response sent: Access-Accept
Sep 23 11:56:10 f24-master.ipa.ad.test audit[2965]: USER_AUTH pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_succeed_if,pam_sss acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.5.136 user=foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: PAM: password authentication accepted for foobar
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_answer_authpassword: sending result 1
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 13
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: auth2_update_methods_lists: updating methods list after "password"
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug2: authentication methods list 0 complete
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive_expect entering: type 102
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_receive entering
Sep 23 11:56:10 f24-master.ipa.ad.test sshd[2965]: debug1: do_pam_account: called
Sep 23 11:56:12 f24-master.ipa.ad.test audit[2965]: USER_ACCT pid=2965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_sss,pam_permit acct="foobar" exe="/usr/sbin/sshd" hostname=192.168.5.136 addr=192.168.5.136 terminal=ssh res=success'
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug3: mm_request_send entering: type 103
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 11:56:12 f24-master.ipa.ad.test sshd[2965]: debug1: monitor_child_preauth: foobar has been authenticated by privileged process

The first line above says that the publickey method was successful but not
enough to allow login (partial) because a password is also required. The
client got a request to enter the password+OTP value. As you can see, the user is only
allowed to log in with an OTP token.

$ ssh foobar at 192.168.5.117
foobar at 192.168.5.117's password: 
Last login: Fri Sep 23 11:49:17 2016
-sh-4.3$ id
uid=903200044(foobar) gid=903200044(foobar) groups=903200044(foobar),903200046(twofa) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-sh-4.3$ klist
Ticket cache: KEYRING:persistent:903200044:krb_ccache_Dk553LV
Default principal: foobar at IPA.AD.TEST

Valid starting       Expires              Service principal
09/23/2016 11:56:08  09/24/2016 11:56:08  krbtgt/IPA.AD.TEST at IPA.AD.TEST

-sh-4.3$ ipa user-show foobar
  User login: foobar
  First name: Test
  Last name: Foo
  Home directory: /home/foobar
  Login shell: /bin/sh
  Principal name: foobar at IPA.AD.TEST
  Principal alias: foobar at IPA.AD.TEST
  Email address: foobar at ipa.ad.test
  UID: 903200044
  GID: 903200044
  User authentication types: otp
  Account disabled: False
  Password: True
  Member of groups: twofa, ipausers
  Kerberos keys available: True

-- 
/ Alexander Bokovoy
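The sshd_config above enforces two chains, "publickey,password" and "publickey,keyboard-interactive", and the debug log shows what a compliant login looks like: a "method publickey: partial" line followed by "Accepted password for ...". The script below is an added example, not code from the thread or from the FreeIPA or OpenSSH projects. It parses an AuthenticationMethods value into its chains, reconstructs per-pid method sequences from sshd log lines, and flags any granted login whose sequence does not match one of the configured chains in order. It generalises the single case in the mail to any AuthenticationMethods policy. The sample log is constructed to resemble the lines quoted above; hostnames, pids, users and addresses are made up.

```python
"""Audit sshd logins against an AuthenticationMethods policy.

Added example (not part of the original mail). Log lines, pids, users and
addresses below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# debug3 line sshd emits when a method succeeds but the chain is not yet complete
PARTIAL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: .*monitor_child_preauth: method (?P<method>[\w/-]+): partial"
)
# info line sshd emits once the whole chain is satisfied and login is granted;
# keyboard-interactive is logged with its submethod, e.g. "keyboard-interactive/pam"
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>[\w/-]+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)"
)

# The policy from the mail's Match block, as sshd_config writes it:
# space-separated alternatives, each a comma-separated ordered chain.
POLICY = "publickey,password publickey,keyboard-interactive"


def parse_authentication_methods(value):
    """'publickey,password publickey,keyboard-interactive' ->
    [['publickey', 'password'], ['publickey', 'keyboard-interactive']]"""
    return [chain.split(",") for chain in value.split()]


def _base_method(method):
    """Drop a submethod suffix: 'keyboard-interactive/pam' -> 'keyboard-interactive'."""
    return method.split("/", 1)[0]


def parse_sessions(lines):
    """Map each sshd pid to the ordered list of methods it completed."""
    sessions = defaultdict(
        lambda: {"methods": [], "user": None, "addr": None, "accepted": False}
    )
    for line in lines:
        m = PARTIAL_RE.search(line)
        if m:
            sessions[m["pid"]]["methods"].append(_base_method(m["method"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            s = sessions[m["pid"]]
            s["methods"].append(_base_method(m["method"]))
            s["user"], s["addr"], s["accepted"] = m["user"], m["addr"], True
    return dict(sessions)


def satisfies_policy(methods, chains):
    """True only if the completed methods equal one configured chain, in order.
    A login that used a subset, a superset or a reordering is a policy gap."""
    return any(methods == chain for chain in chains)


def audit(lines, policy):
    """Return one finding per granted login, with a compliant flag."""
    chains = parse_authentication_methods(policy)
    findings = []
    for pid, s in parse_sessions(lines).items():
        if not s["accepted"]:
            continue  # never logged in (still mid-chain or failed); nothing to enforce
        findings.append({
            "pid": pid,
            "user": s["user"],
            "addr": s["addr"],
            "methods": s["methods"],
            "compliant": satisfies_policy(s["methods"], chains),
        })
    return findings


# Constructed sample: pid 2965 mirrors the mail (publickey partial, then password);
# pid 3120 was let in on a password alone, i.e. the Match block did not apply;
# pid 3201 only got as far as the publickey step.
SAMPLE_LOG = """\
Sep 23 11:55:50 host sshd[2965]: debug3: monitor_child_preauth: method publickey: partial
Sep 23 11:56:08 host ipa-otpd[2892]: foobar at IPA.AD.TEST: response sent: Access-Accept
Sep 23 11:56:12 host sshd[2965]: Accepted password for foobar from 192.168.5.136 port 33466 ssh2
Sep 23 12:03:01 host sshd[3120]: Accepted password for bob from 192.168.5.140 port 40022 ssh2
Sep 23 12:05:17 host sshd[3201]: debug3: monitor_child_preauth: method publickey: partial
""".splitlines()


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, POLICY):
        status = "ok " if f["compliant"] else "GAP"
        print(f"{status} pid={f['pid']} user={f['user']} addr={f['addr']} methods={','.join(f['methods'])}")
```

Run it against `journalctl -u sshd -o cat` output (with `LogLevel DEBUG3` set while testing) to confirm every accepted login on a host actually walked one of the configured chains; a single "Accepted password" with no preceding partial publickey means the Match block did not apply to that user or group.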