Hi,
I pulled the unofficial 1.15.1 el6 sssd and installed it today on a host where RSA SecurID is used (RSA + OpenLDAP). I am trying to log in to the server and I am getting (please note pam_unix fails, but that's fine as we use LDAP):
    Mar 9 09:17:38 barni sshd[7597]: error: PAM: Authentication failure for abcd from X.Y.86.223
    Mar 9 09:17:38 barni sshd[7597]: Connection closed by X.Y.86.223 port 40924 [preauth]
    Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
    Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): received for user abcd: 7 (Authentication failure)
    Mar 9 09:18:04 barni sshd[8012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
I have reverted to 1.14.2 and it magically works :) Is there any functionality changed from 1.15.1 to 1.14.2, before I start enabling debugging and go through the logs? The only service needing 2FA is sshd, so I use a separate system-auth-ac file. With 1.15.1 I get prompted for 2FA each time, so it does not go to the LDAP password:
1.14.2:
    [gvasiliu@localhost Downloads]$ ssh -q barni
    Enter SecureKey:
    Password:

1.15.1:
    [gvasiliu@localhost Downloads]$ ssh -q barni
    Enter SecureKey:
    Enter SecureKey:
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0
https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
Could this be related to https://pagure.io/SSSD/sssd/issue/2984 ?
root@barni[/etc/pam.d]# cat sshd
    #%PAM-1.0
    auth       required     pam_securid.so reserve
    auth       include      system-auth-ac_new
    account    required     pam_nologin.so
    account    include      system-auth-ac_new
    password   include      system-auth-ac_new
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth-ac_new
    session    required     pam_loginuid.so

root@barni[/etc/pam.d]# cat system-auth-ac_new
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        sufficient    pam_sss.so
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so

    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    #account    required      pam_access.so
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so

    password    sufficient    pam_sss.so use_authtok
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so

    session     optional      pam_sss.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
Thank you
On Thu, Mar 09, 2017 at 10:12:09AM -0500, Mario Rossi wrote:
> Hi,
> I pulled the unofficial 1.15.1 el6 sssd and installed it today on a host where RSA SecurID is used (RSA + OpenLDAP). I am trying to log in to the server and I am getting (please note pam_unix fails, but that's fine as we use LDAP):
>
>     Mar 9 09:17:38 barni sshd[7597]: error: PAM: Authentication failure for abcd from X.Y.86.223
>     Mar 9 09:17:38 barni sshd[7597]: Connection closed by X.Y.86.223 port 40924 [preauth]
>     Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
>     Mar 9 09:18:04 barni sshd[8012]: pam_sss(sshd:auth): received for user abcd: 7 (Authentication failure)
>     Mar 9 09:18:04 barni sshd[8012]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=X.Y.86.223 user=abcd
>
> I have reverted to 1.14.2 and it magically works :) Is there any functionality changed from 1.15.1 to 1.14.2, before I start enabling debugging and go through the logs? The only service needing 2FA is sshd, so I use a separate system-auth-ac file. With 1.15.1 I get prompted for 2FA each time, so it does not go to the LDAP password:
>
> 1.14.2:
>     [gvasiliu@localhost Downloads]$ ssh -q barni
>     Enter SecureKey:
>     Password:
>
> 1.15.1:
>     [gvasiliu@localhost Downloads]$ ssh -q barni
>     Enter SecureKey:
>     Enter SecureKey:
>
> https://fedorahosted.org/sssd/wiki/Releases/Notes-1.15.0
> https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_1.html
>
> Could this be related to https://pagure.io/SSSD/sssd/issue/2984 ?
Yes, this is possible. Please try to add 'prompt_always' to the pam_sss auth line, like

    auth sufficient pam_sss.so prompt_always

to tell pam_sss to prompt again for the password although there is one already on the stack.
HTH
bye, Sumit
> root@barni[/etc/pam.d]# cat sshd
>     #%PAM-1.0
>     auth       required     pam_securid.so reserve
>     auth       include      system-auth-ac_new
>     account    required     pam_nologin.so
>     account    include      system-auth-ac_new
>     password   include      system-auth-ac_new
>     session    optional     pam_keyinit.so force revoke
>     session    include      system-auth-ac_new
>     session    required     pam_loginuid.so
>
> root@barni[/etc/pam.d]# cat system-auth-ac_new
>     #%PAM-1.0
>     # This file is auto-generated.
>     # User changes will be destroyed the next time authconfig is run.
>     auth        sufficient    pam_sss.so
>     auth        required      pam_env.so
>     auth        sufficient    pam_unix.so nullok try_first_pass
>     auth        requisite     pam_succeed_if.so uid >= 500 quiet
>     auth        required      pam_deny.so
>
>     account     [default=bad success=ok user_unknown=ignore] pam_sss.so
>     #account    required      pam_access.so
>     account     required      pam_unix.so broken_shadow
>     account     sufficient    pam_localuser.so
>     account     sufficient    pam_succeed_if.so uid < 500 quiet
>     account     required      pam_permit.so
>
>     password    sufficient    pam_sss.so use_authtok
>     password    requisite     pam_cracklib.so try_first_pass retry=3 type=
>     password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
>     password    required      pam_deny.so
>
>     session     optional      pam_sss.so
>     session     optional      pam_keyinit.so revoke
>     session     required      pam_limits.so
>     session     optional      pam_mkhomedir.so
>     session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>     session     required      pam_unix.so
>
> Thank you
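To make the cause concrete: sshd's auth stack runs pam_securid.so first, which leaves the SecurID passcode on the PAM stack as the auth token; the included pam_sss.so line then runs, and without prompt_always it reuses that stacked token as the LDAP password (which is why 1.15.1 shows a second "Enter SecureKey:" retry instead of a "Password:" prompt). The script below is an added example, not code from the thread or from SSSD. It resolves the `include` lines of a PAM service into a flat auth stack, flags any pam_sss.so auth entry that runs after another auth module and lacks prompt_always, and shows the same check passing once the option is added. The two config files are constructed in memory from the ones quoted above (trimmed to the auth and account groups); the rule "pam_sss after another auth module needs prompt_always" is an assumption derived from Sumit's explanation, not an SSSD-documented lint rule.

```python
"""Flatten a PAM service's auth stack and flag pam_sss.so entries that will
reuse a token already on the stack (i.e. lack prompt_always).

Added example, not part of the thread or of SSSD.  The check is an assumption
based on the reply above: a pam_sss.so auth line running after another auth
module (pam_securid.so here) will take that module's token unless told to
prompt again.
"""
import re

# Constructed copies of /etc/pam.d/sshd and system-auth-ac_new as quoted in
# the thread, trimmed to the auth and account groups.
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_securid.so reserve
auth       include      system-auth-ac_new
account    required     pam_nologin.so
account    include      system-auth-ac_new
""",
    "system-auth-ac_new": """\
#%PAM-1.0
# This file is auto-generated.
auth        sufficient    pam_sss.so
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_unix.so broken_shadow
""",
}

# type, control (a single word or a bracketed action list), module, args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Yield (type, control, module, args) for each directive, skipping
    blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        typ, control, module, args = m.groups()
        yield typ, control, module, args.split()


def resolve_stack(files, service, typ, depth=0):
    """Return the flat list of (control, module, args) for one management
    group, following include/substack lines in order."""
    if depth > 10:
        raise ValueError("include loop in PAM config")
    stack = []
    for t, control, module, args in parse_pam(files[service]):
        if t != typ:
            continue
        if control in ("include", "substack"):
            stack.extend(resolve_stack(files, module, typ, depth + 1))
        else:
            stack.append((control, module, args))
    return stack


def sss_reuses_stacked_token(files, service):
    """Return [(index, preceding module, entry)] for every pam_sss.so auth
    entry that runs after some other auth module without prompt_always."""
    findings = []
    stack = resolve_stack(files, service, "auth")
    for i, (control, module, args) in enumerate(stack):
        if module == "pam_sss.so" and i > 0 and "prompt_always" not in args:
            entry = " ".join([control, module] + args)
            findings.append((i, stack[i - 1][1], entry))
    return findings


def with_prompt_always(text):
    """Return the file text with prompt_always appended to every pam_sss.so
    auth line that does not already carry it."""
    out = []
    for raw in text.splitlines():
        parts = raw.split()
        if (len(parts) >= 3 and parts[0] == "auth"
                and parts[2] == "pam_sss.so" and "prompt_always" not in parts):
            raw += " prompt_always"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for idx, prev, entry in sss_reuses_stacked_token(PAM_FILES, "sshd"):
        print("auth[%d] after %s reuses the stacked token: %s" % (idx, prev, entry))
    fixed = dict(PAM_FILES)
    fixed["system-auth-ac_new"] = with_prompt_always(PAM_FILES["system-auth-ac_new"])
    print("after adding prompt_always:", sss_reuses_stacked_token(fixed, "sshd"))
```

Run against the thread's configuration the check reports the pam_sss.so entry at position 1, directly after pam_securid.so; after `with_prompt_always` rewrites the included file the stack is clean. The same resolver can be pointed at a real /etc/pam.d directory by loading each file into the dictionary.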
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org