I've been tasked with adding two-factor authentication to one of our servers that will be exposed to the net. Requirements include using an existing 2FA system which uses RADIUS for authentication, and that users from both the client domain (unicorn.local) and the management domain (rainbow.local) can log in. The RADIUS server is the same for both domains.
I believed I could use sssd with auth_provider = proxy and then specify my RADIUS pam module in the proxy_pam_target, however after running tests it appears that sssd only provides the username part of the fully qualified username to proxy_pam_target (i.e. if the user is 'stranger@rainbow.local', only 'stranger' is passed to the modules specified in proxy_pam_target).
Is there a way/switch/configuration option that I would have missed that would allow passing the full username to my pam target?
Content of /etc/sssd/sssd.conf -------------------------------

[sssd]
domains = unicorn.local,rainbow.local
config_file_version = 2
services = nss, pam
full_name_format = %1$s@%2$s

[domain/unicorn.local]
id_provider = ldap
ldap_id_mapping = True
ldap_schema = AD
ldap_group_nesting_level = 8
ldap_uri = ldap://pradad1001.unicorn.local
ldap_search_base = dc=unicorn,dc=local
ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=unicorn,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = *************
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = L_Unicorn_SSH_Admins
auth_provider = proxy
proxy_pam_target = sssdauthproxy

[domain/rainbow.local]
id_provider = ldap
ldap_id_mapping = True
ldap_schema = AD
ldap_group_nesting_level = 8
ldap_uri = ldap://otherad2001.rainbow.local
ldap_search_base = dc=rainbow,dc=local
ldap_default_bind_dn = CN=linuxldap,CN=Users,DC=rainbow,DC=local
ldap_default_authtok_type = password
ldap_default_authtok = **************
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = L_Rainbow_SSH_Admins
auth_provider = proxy
proxy_pam_target = sssdauthproxy

End Content of /etc/sssd/sssd.conf -------------------------------

Content of sssdauthproxy -------------------------------------

auth required pam_warn.so
auth required pam_radius_auth.so

End Content of sssdauthproxy -------------------------------------
Note that I added pam_warn.so right before pam_sss.so; the output shows the difference in users:

Apr 24 17:16:58 SAclt001 sshd[15553]: pam_warn(sshd:auth): function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[stranger@rainbow.local] ruser=[<unknown>] rhost=[bbb.bbb.bbb.bb]
Apr 24 17:16:58 SAclt001 proxy_child: pam_warn(sssdauthproxy:auth): function=[pam_sm_authenticate] service=[sssdauthproxy] terminal=[ssh] user=[stranger] ruser=[] rhost=[bbb.bbb.bbb.bb]
Thanks for reading that far!
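A small log check, added here and not part of the question above, that parses pam_warn lines of the shape shown in the post and reports every case where the sssd proxy PAM stack received the user without the domain suffix that sshd saw. The sample log is constructed to match the post's two lines; the stack name sssdauthproxy is taken from the post, and pairing on rhost is an assumption about how to correlate the two records.

```python
import re

# Constructed sample, shaped like the pam_warn output quoted in the question.
SAMPLE_LOG = """\
Apr 24 17:16:58 SAclt001 sshd[15553]: pam_warn(sshd:auth): function=[pam_sm_authenticate] service=[sshd] terminal=[ssh] user=[stranger@rainbow.local] ruser=[<unknown>] rhost=[bbb.bbb.bbb.bb]
Apr 24 17:16:58 SAclt001 proxy_child: pam_warn(sssdauthproxy:auth): function=[pam_sm_authenticate] service=[sssdauthproxy] terminal=[ssh] user=[stranger] ruser=[] rhost=[bbb.bbb.bbb.bb]
"""

# pam_warn prints "pam_warn(<stack>:<type>):" followed by key=[value] fields.
PAM_WARN_RE = re.compile(
    r"pam_warn\((?P<stack>[^:]+):(?P<type>\w+)\):"
    r"(?P<fields>(?:\s+\w+=\[[^\]]*\])+)"
)
FIELD_RE = re.compile(r"(\w+)=\[([^\]]*)\]")


def parse_pam_warn(line):
    """Return a dict with stack, type and every key=[value] field, or None."""
    m = PAM_WARN_RE.search(line)
    if not m:
        return None
    rec = {"stack": m.group("stack"), "type": m.group("type")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def find_domain_stripping(log_text, proxy_stack="sssdauthproxy"):
    """Pair each sshd auth record with proxy-stack auth records from the same
    rhost and flag those where only the short user name reached the proxy."""
    records = [r for r in map(parse_pam_warn, log_text.splitlines()) if r]
    sshd = [r for r in records if r.get("service") == "sshd" and r["type"] == "auth"]
    proxy = [r for r in records if r["stack"] == proxy_stack and r["type"] == "auth"]
    findings = []
    for s in sshd:
        if "@" not in s.get("user", ""):
            continue  # sshd itself saw no domain; nothing to compare
        short, domain = s["user"].split("@", 1)
        for p in proxy:
            if p.get("rhost") == s.get("rhost") and p.get("user") == short:
                findings.append({"sshd_user": s["user"],
                                 "proxy_user": p["user"],
                                 "domain_lost": domain})
    return findings


if __name__ == "__main__":
    for f in find_domain_stripping(SAMPLE_LOG):
        print(f"proxy stack got {f['proxy_user']!r}, sshd had {f['sshd_user']!r}")
```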