List: sssd-users
Subject: [SSSD-users] Re: sssd with OTP does not work in all cases.
From: Asif Iqbal <vadud3 () gmail ! com>
Date: 2017-10-27 15:35:09
Message-ID: CAOHBbgU2jfoj7hk=vFXfFi9XnhrKMEScQcsczs5M+CgEnOSBLw () mail ! gmail ! com
I am using centos 7.
What are you using as your auth_provider?
Here is my config today. Once it is working I will make sure puppet keeps
it in line in case it gets overwritten by authconfig. But I need to first make
sure it is working, which is not the case today.
$ cat /etc/sssd/sssd.conf
...
*auth_provider = proxy *
*proxy_pam_target = securid*
...
$ cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
*auth substack password-auth*
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_exec.so /usr/local/bin/apply-quota.sh
#session optional pam_exec.so log=/tmp/pam_exec.log /usr/local/bin/ipsystems.sh
session optional pam_exec.so /usr/local/bin/ipsystems.sh
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
$ cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [default=1 success=ok] pam_localuser.so
auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 999 quiet_success
*auth sufficient pam_sss.so forward_pass*
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
$ cat /etc/pam.d/securid
*auth sufficient pam_radius_auth.so*
There is no reserve option for pam_radius_auth. I am using pam_radius_auth
to connect to my RSA securid server, and it has been working on all my
solaris, ubuntu and centos systems for the last 15+ yrs.
These are the only options available:
https://github.com/FreeRADIUS/pam_radius/blob/master/USAGE
On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi <mrossi@hostopia.com> wrote:
> What OS are you using? I am using Centos 6 with RSA ( fixed password +
> PIN ) + sssd/ldap auth, so yes, that does give you BOTH prompts, one for
> RSA and one for LDAP. If you need to ONLY use RSA w account lookup from
> sssd/ldap, then you have to comment out the auth line related to
> system-auth-ac in /etc/pam.d/sshd. You also have to be careful what umask
> you are using; make sure file perms are set to 0644. Also if you run
> authconfig to manage /etc/pam.d, your files may be overwritten, so you may
> need to import custom settings into your deployment system, i.e.
> puppet/ansible.
>
> Have you set *ChallengeResponseAuthentication* to yes in
> /etc/ssh/sshd_config ?
>
> Example of a system that uses RSA for sshd , so you get *only one*
> password prompt:
>
> $ cat /etc/pam.d/sshd
> #%PAM-1.0
> auth required pam_securid.so reserve
> *#auth include system-auth-ac*
> account required pam_nologin.so
> account include system-auth-ac
> password include system-auth-ac
> session optional pam_keyinit.so force revoke
> session include system-auth-ac
> session required pam_loginuid.so
>
> $ cat */etc/pam.d/system-auth-ac *
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
>
> On 10/27/2017 10:27 AM, Asif Iqbal wrote:
>
> This setup also failed miserably where the first two lines of pam.d/sshd are like
> below
>
> auth required pam_securid.so
> auth include system-auth-ac_new
>
> And using your pam.d/system-auth-ac_new
>
> So it does give you the right prompt 'Enter SMS Token:' when I just put the PIN
> at the first login prompt. But after putting the SMS token at the next prompt
> it goes back to the Password: prompt again. Even worse, now it does not even
> work when giving both PIN and TokenCode at the first prompt either.
>
> Any other suggestion? Does anyone work with SSS and OTP at all?
>
> Seems like I should just not use sss since OTP is a *must* requirement.
>
> On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi <mrossi@hostopia.com> wrote:
>
>>
>> My 2c: having two 'Password:' prompts ( RSA + sssd ) will confuse your
>> users; the easiest would be to configure sd_pam.conf to use a different
>> prompt for RSA.
>>
>> $ egrep ^AUTH /etc/sd_pam.conf
>> AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
>> AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
>> AUTH_CHALLENGE_PASSCODE_STR=Enter SecureKey :
>> AUTH_CHALLENGE_PASSWORD_STR=Enter your SecureKey :
>>
>> Now back to your question, I believe you need to define a new system-auth
>> file to be used, in my case
>> system-auth-ac_new with a custom pam config. This is a working rsa + sssd
>> ( openldap ) setup; I am not sure about proxy as I haven't used it before.
>>
>>
>> $ cat /etc/pam.d/sshd
>> #%PAM-1.0
>> auth required pam_securid.so reserve
>> auth include system-auth-ac_new
>> account required pam_nologin.so
>> account include system-auth-ac_new
>> password include system-auth-ac_new
>> session optional pam_keyinit.so force revoke
>> session include system-auth-ac_new
>> session required pam_loginuid.so
>>
>> $ cat /etc/pam.d/system-auth-ac_new
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth sufficient pam_sss.so
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth required pam_deny.so
>>
>> account [default=bad success=ok user_unknown=ignore] pam_sss.so
>> #account required pam_access.so
>> account required pam_unix.so broken_shadow
>> account sufficient pam_localuser.so
>> account sufficient pam_succeed_if.so uid < 500 quiet
>> account required pam_permit.so
>>
>> password sufficient pam_sss.so use_authtok
>> password requisite pam_cracklib.so try_first_pass retry=3 type=
>> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>> password required pam_deny.so
>>
>> session optional pam_sss.so
>> session optional pam_keyinit.so revoke
>> session required pam_limits.so
>> session optional pam_mkhomedir.so
>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>> session required pam_unix.so
>>
>> On 10/26/2017 07:34 PM, Asif Iqbal wrote:
>>
>> With pam_securid.so
>>
>> I can have, in /etc/pam.d/sshd,
>>
>> auth sufficient pam_securid.so
>>
>> and at ssh login, I just put the PIN at the Password: prompt, then I get the Enter
>> SMS Token: prompt, and I can then put in the
>> tokencode and ssh into the server fine.
>>
>> If I do the same with pam_sss.so it keeps asking for Password: and never
>> changes the prompt to Enter SMS Token:, and ssh fails badly.
>> At this second Password: prompt I tried with just the tokencode (at 18:45:34
>> in the log below) or PIN and tokencode (at 18:47:55). Neither let
>> me in, and it failed eventually.
>>
>> I think it is because pam_sss -> proxy -> securid -> pam_securid is
>> failing to handle the PAM conversation?
>>
>> Is there a way to fix that so pam_sss behaves the right way and lets me
>> authenticate in two steps, with the PIN and then the TokenCode on the next step?
>>
>> Also without this PAM conversation, when the PIN expires it will not let
>> you update it. With a simple pam.d/sshd and auth sufficient pam_securid.so
>> that works very well as well.
>>
>> I have sssd.conf setup like this
>> auth_server = proxy
>> proxy_target_pam = securid
>>
>> And in pam.d/securid file
>> auth sufficient pam_securid.so
>>
>> Here are some logs http://dpaste.com/2HD27XH.txt where
>> I tried with the PIN at the first Password: prompt and then the TokenCode at
>> the second Password: prompt at 18:45:34 and failed to login
>> And
>> I tried with the PIN at the first Password: prompt and then PIN and TokenCode
>> at the second Password: prompt at 18:47:55 and failed to login
>>
>> I tried with SElinux off and on and got the same result
>>
>> If I put PIN and TokenCode at the first Password: prompt, login works
>> fine. I did not put any log for that here.
>>
>> Any suggestion how to fix pam_sss for OTP?
>>
>> Thanks!
>>
>> --
>> Asif Iqbal
>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
--
Asif Iqbal
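To reason about which module's verdict sshd actually receives from the stacks quoted in this thread, here is an added Python model of libpam's control-flag dispatch (example code written for this page, not part of sssd, Linux-PAM or anyone's post). It takes the auth lines of the sshd and password-auth files above as constructed input plus simulated per-module return codes, and models ordering and short-circuiting (ok/done/bad/die/ignore/reset/N, include vs substack) only, not the prompt conversation that pam_sss through the proxy provider fails to carry through.

```python
import re
CONTROLS = {   # keyword controls as their [value=action] equivalents, per pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse(name, files, facility="auth"):
    # Entries: ('module', actions, name) or ('substack', entries); include is spliced in, substack nests
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0].lstrip("-") != facility:  # '-' only silences logging
            continue
        rest = line.split(None, 1)[1]
        m = re.match(r"\[(.*?)\]\s*", rest)
        if m:   # explicit [value=action ...] control
            control, rest = dict(kv.split("=", 1) for kv in m.group(1).split()), rest[m.end():]
        else:
            control, rest = rest.split(None, 1)
        if control == "include":
            entries.extend(parse(rest.strip(), files, facility))
        elif control == "substack":
            entries.append(("substack", parse(rest.strip(), files, facility)))
        else:
            actions = CONTROLS[control] if isinstance(control, str) else control
            entries.append(("module", actions, rest.split()[0]))
    return entries

def walk(entries, outcomes, impression=None, status=None):
    # libpam dispatch loop; outcomes: module -> return code (absent = ignore). Returns (impression, status, stopped)
    skip = 0
    for entry in entries:
        if skip:
            skip -= 1
            continue
        if entry[0] == "substack":   # done/die end only the substack; state carries on
            impression, status, _ = walk(entry[1], outcomes, impression, status)
            continue
        retval = outcomes.get(entry[2], "ignore")
        action = entry[1].get(retval, entry[1].get("default", "bad"))
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                if retval != "ignore" or impression is None:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                return impression, status, True   # sufficient: stop, unless a required module already failed
        elif action in ("bad", "die"):
            if impression != "negative":          # the first failure is the one reported
                impression, status = "negative", retval
            if action == "die":
                return impression, status, True
        elif action == "reset":
            impression = status = None
        elif action.isdigit():                    # N: like ignore, then jump over N modules
            skip = int(action)
    return impression, status, False

def auth_result(service, files, outcomes):   # what pam_authenticate() hands the application
    impression, status, _ = walk(parse(service, files), outcomes)
    return "perm_denied" if impression is None or status in (None, "ignore") else status

FILES = {   # constructed from the auth lines of the sshd / password-auth files quoted above
    "sshd": ("auth required pam_sepermit.so\nauth substack password-auth\n"
             "-auth optional pam_reauthorize.so prepare\n"),
    "password-auth": ("auth required pam_env.so\n"
                      "auth [default=1 success=ok] pam_localuser.so\n"
                      "auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass\n"
                      "auth requisite pam_succeed_if.so uid >= 999 quiet_success\n"
                      "auth sufficient pam_sss.so forward_pass\n"
                      "auth required pam_deny.so\n"),
}
BASE = {"pam_sepermit.so": "success", "pam_env.so": "success",
        "pam_succeed_if.so": "success", "pam_deny.so": "auth_err"}
# Directory user: pam_localuser fails, the '1' jumps over pam_unix, so pam_sss decides.
REMOTE_OK = dict(BASE, **{"pam_localuser.so": "perm_denied", "pam_sss.so": "success"})
REMOTE_BAD = dict(BASE, **{"pam_localuser.so": "perm_denied", "pam_sss.so": "auth_err"})
# Local user, wrong password: pam_unix 'die' ends password-auth only; sshd's stack goes on.
LOCAL_BAD = dict(BASE, **{"pam_localuser.so": "success", "pam_unix.so": "auth_err"})
```

Running `auth_result("sshd", FILES, REMOTE_OK)` gives "success", while the two failing scenarios end in "auth_err" from pam_deny or pam_unix; swapping in a stack with `auth required pam_securid.so` ahead of `auth sufficient pam_sss.so` shows that a later sufficient success cannot rescue an earlier required failure.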