
pam-oauth2 with keycloak server

Open adisheshsm opened this issue 6 years ago • 5 comments

Hi,

I am trying to SSH to a server using this PAM module. The Keycloak server token endpoint is http://localhost:8080/auth/realms/demo/protocol/openid-connect/token

Do you have any example PAM configuration for using Keycloak for authentication?

Thanks and regards, Adishesh

adisheshsm, Jan 31 '19 15:01

Hi,

I think you should read https://github.com/CyberDem0n/pam-oauth2/issues/2, it has a lot of useful information.

CyberDem0n, Feb 13 '19 12:02

Hi @adisheshsm did you solve this? Could you share the solution?

Thanks in advance

einar-lanfranco, Mar 04 '21 01:03

Just for people in the same situation: I followed https://blog.please-open.it/openvpn-keycloak/ and it is working!

einar-lanfranco, Mar 08 '21 19:03

Hi!

I know this is an old post, but I am struggling to set up Keycloak with OpenVPN. I followed the tutorial listed here. The only thing I did differently from the tutorial was to run export GO111MODULE=on before go get github.com/shimt/pam-exec-oauth2, because Go changed this behaviour in recent versions. And instead of cp go/bin/pam-exec-oauth2 $PREFIX/pam-exec-oauth2 I ran cp /root/bin/pam-exec-oauth2 $PREFIX/pam-exec-oauth2.

If I run

curl --location --request POST 'https://*****/auth/realms/*****/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=*****' \
--data-urlencode 'client_secret=*****' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=*****' \
--data-urlencode 'password=*****'

I get

{"access_token":"*****","expires_in":300,"refresh_expires_in":1800,"refresh_token":"*****",
"token_type":"Bearer","not-before-policy":0,"session_state":"*****","scope":"profile email"}

I noticed that I can't run it if OTP is enabled. (If you could help with that I would be immensely grateful too.) For the sake of simplicity, I disabled 2FA to make it work with curl, and I think the authentication is working because the response gives me a token.

I have:

cat /usr/share/libpam-script/pam_script_auth
#!/bin/bash
# Create a local account for the authenticating PAM user (no local password); quote the
# variable so the user name is passed as a single argument
adduser "$PAM_USER" --disabled-password --quiet --gecos ""

as the tutorial suggests, but I am not sure how correct this would be if usernames are e-mail addresses, as in the example there are no special characters in the username. I added a user manually via the OpenVPN UI as well.

cat $PREFIX/pam-exec-oauth2.yaml
{
    client-id: "*****",
    client-secret: "*****",
    scopes: ["profile"],
    endpoint-token-url: "https://*****/auth/realms/*****/protocol/openid-connect/token",
    extra-parameters: {
    },
}

Yet, using the same credentials as in the curl above, I can't log in:

… [stdout#info] Web login authentication failed: {\'status\': 1, \'user\': \'*****\', \'reason\': "PAM auth failed: b\'Authentication failure\'"}'
… [stdout#info] Web login failed (twisted.cred.error.UnauthorizedLogin)'
… [stdout#info] CPage WebException in CLogin/auth: 'Login failed' (None)"

Can someone please tell me what I am missing? I have been stuck on this for a few days.

This might also be helpful. The tutorial wasn't very clear about where I should add those lines, so I added them at the very end of the file (the last 2 lines):

cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	sufficient                      pam_script.so
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config

auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2
auth optional pam_script.so

Should I remove the other lines starting with auth? /opt/pam-exec-oauth2/pam-exec-oauth2 exists.

find / -name pam_script.so
/usr/lib/security/pam_script.so

Thanks a lot!

thiagorossi, Mar 02 '22 20:03
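To make concrete what the pam_exec.so line with expose_authtok actually hands to the helper, here is a minimal Python helper that performs the same password grant as the curl call in the post above. This is an added example for this thread, not the pam-exec-oauth2 binary the post installs; the token URL, client id, client secret and install path in it are constructed placeholders. pam_exec passes the user name in the PAM_USER environment variable and, with expose_authtok, writes the password to the helper's standard input followed by a NUL byte (taking the password from stdin rather than argv keeps it out of process listings); exit status 0 is reported to PAM as success, anything else as a failure.

```python
#!/usr/bin/env python3
"""pam_exec helper: validate a PAM login against a Keycloak token endpoint
using the OAuth2 password grant (added example, not pam-exec-oauth2's code).

Assumed PAM line (path is a placeholder):
    auth sufficient pam_exec.so expose_authtok /usr/local/sbin/pam_keycloak_auth.py
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed placeholder settings; replace with the realm's real values.
CONFIG = {
    "token_url": "https://keycloak.example.invalid/auth/realms/demo/protocol/openid-connect/token",
    "client_id": "pam-client",
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",
    "scope": "profile",
}


def read_authtok(stream: bytes) -> str:
    """Extract the password pam_exec wrote to stdin: everything up to the first
    NUL byte, with a trailing newline removed in case a wrapper added one."""
    return stream.split(b"\0", 1)[0].rstrip(b"\n").decode("utf-8")


def build_token_request(config: dict, username: str, password: str) -> dict:
    """Form fields for the password grant: the same ones the curl call sends."""
    return {
        "grant_type": "password",
        "client_id": config["client_id"],
        "client_secret": config["client_secret"],
        "scope": config["scope"],
        "username": username,
        "password": password,
    }


def interpret_token_response(status: int, body: bytes) -> bool:
    """Only an HTTP 200 whose JSON body carries an access_token is a login."""
    if status != 200:
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and bool(data.get("access_token"))


def authenticate(config: dict, username: str, password: str) -> bool:
    """POST the grant to the token endpoint; TLS is verified by urllib's defaults."""
    body = urllib.parse.urlencode(build_token_request(config, username, password)).encode()
    req = urllib.request.Request(config["token_url"], data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_token_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:        # 401 invalid_grant lands here
        return interpret_token_response(exc.code, exc.read())
    except (urllib.error.URLError, OSError):     # unreachable IdP: fail closed
        return False


def main() -> int:
    user = os.environ.get("PAM_USER", "")
    if not user:
        return 1
    password = read_authtok(sys.stdin.buffer.read())
    if not password:
        return 1
    # Never log the password; exit 0 only when the IdP issued a token.
    return 0 if authenticate(CONFIG, user, password) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Note that a network error or a non-200 answer both map to a non-zero exit, so an unreachable identity provider denies the login rather than letting the stack fall through on an unexpected module result.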

Hi @thiagorossi, did you solve the problem? I encountered the same problem, and when I changed the position of the scripts with respect to the already existing scripts, the problem was solved. But for now I was able to authenticate against the Keycloak server with the password; when I try to give the access token instead, it gives me an authentication error... Any solution or suggestions would be valuable. Thanks.

sreeragpb0, Jun 02 '22 08:06
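The comment above reports that moving the added lines relative to the existing ones made the difference. The following added example (not code from this thread or from pam-exec-oauth2) simulates the control-flag semantics of pam.conf(5) over the common-auth file posted earlier, so you can see which modules actually execute for a given set of module results. The module outcomes are constructed assumptions: the login user has no /etc/shadow entry, so pam_unix.so fails, pam_script.so is assumed to fail, pam_deny.so always fails, pam_permit.so always succeeds, and pam_exec.so returns whatever the identity provider said.

```python
"""Simulate Linux-PAM 'auth' stack control flags to see which lines are reachable.
Added example; semantics follow pam.conf(5): required, requisite, sufficient,
optional and the bracketed [success=N default=...] form."""
import re

# The stack exactly as posted in the thread (pam_exec line appended at the end).
POSTED_COMMON_AUTH = """
auth sufficient pam_script.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2
auth optional pam_script.so
"""

# Constructed alternative: the pam_exec line placed before pam_deny.so.
REORDERED_COMMON_AUTH = """
auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2
auth sufficient pam_script.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

# Assumed module results for a user that exists only in Keycloak.
IDP_ACCEPTS = {"pam_script.so": False, "pam_unix.so": False, "pam_deny.so": False,
               "pam_permit.so": True, "pam_cap.so": True, "pam_exec.so": True}
IDP_REJECTS = dict(IDP_ACCEPTS, **{"pam_exec.so": False})


def parse_stack(text):
    """Return [(control, module), ...] for 'auth <control> <module> [args]' lines."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", line)
        if m:
            stack.append(m.groups())
    return stack


def control_actions(control):
    """Map a control word to (action on success, action on failure).
    Actions: 'ok', 'done', 'die', 'bad', 'ignore', or an int N meaning skip N lines."""
    simple = {
        "required": ("ok", "bad"),
        "requisite": ("ok", "die"),
        "sufficient": ("done", "ignore"),
        "optional": ("ok", "ignore"),
    }
    if control in simple:
        return simple[control]
    spec = {}
    for part in control.strip("[]").split():
        key, _, value = part.partition("=")
        spec[key] = int(value) if value.isdigit() else value
    default = spec.get("default", "bad")       # unlisted return codes use 'default'
    return (spec.get("success", default), default)


def run_stack(stack, results):
    """Walk the stack with the given per-module results (True = success).
    Returns (outcome, list of modules that actually ran)."""
    executed, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        on_success, on_failure = control_actions(control)
        action = on_success if results.get(module, False) else on_failure
        if isinstance(action, int):            # success=N: jump over the next N lines
            i += action + 1
            continue
        if action == "die":                    # requisite failure: stop immediately
            return ("failure", executed)
        if action == "done":                   # sufficient success: stop, unless a
            return ("failure" if failed else "success", executed)  # required failed
        if action == "bad":                    # required failure: remember, continue
            failed = True
        i += 1                                 # 'ok' and 'ignore' just move on
    return ("failure" if failed else "success", executed)


if __name__ == "__main__":
    for name, text in (("posted", POSTED_COMMON_AUTH), ("reordered", REORDERED_COMMON_AUTH)):
        print(name, run_stack(parse_stack(text), IDP_ACCEPTS))
```

With the posted order and a user unknown to pam_unix.so, the walk stops at the requisite pam_deny.so line, so the appended pam_exec.so line is never reached; with pam_exec.so placed before pam_deny.so, a token from the identity provider ends the stack with success, and a rejected password simply falls through to the same pam_deny.so denial as before.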