pam_python
Allow distinction between password/keyboard-interactive
When sshd is set to UsePAM, password authentication will use the PrivacyIdea pam module as well as the regular password authentication in a regular prompt without the custom text of the pam module. Forcing one mode instead of both would allow sshd to use 2 authentications like password,keyboard-interactive or publickey,keyboard-interactive and prompt for 2fa only during the keyboard-interactive phase and return PAM_AUTHINFO_UNAVAIL during keyboard phase.
In the common-auth configuration file, this would look like this:
auth [default=ignore success=ok] pam_localuser.so
auth [success=3 authinfo_unavail=ignore default=die] pam_python.so /path/privacyidea_pam.py url=https://localhost prompt=Enter_your_2FA_Token realm=myrealm
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
This is inspired by the article: https://sudonull.com/post/73132-Experience-implementing-2fa-on-linux-with-duosecurity-QIWI-Blog in which the person inspects the response to get the difference between both modes.
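To check what the proposed stack actually does for each outcome of pam_python (success, PAM_AUTHINFO_UNAVAIL, or a real failure), here is an added example that is not part of the issue or the privacyidea_pam project: a small simulator of the Linux-PAM control-flag semantics (ok/bad/die/done/ignore and the "N" jump, per pam.conf(5)) run over the common-auth lines above. It is a simplification: a module's result is given by name, a jump counts as ok, and the verdict is reduced to success or fail.

```python
import re

# Classic keyword expansions from pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The stack proposed in the issue, embedded here as the sample input.
COMMON_AUTH = """
auth [default=ignore success=ok] pam_localuser.so
auth [success=3 authinfo_unavail=ignore default=die] pam_python.so /path/privacyidea_pam.py url=https://localhost prompt=Enter_your_2FA_Token realm=myrealm
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_sss.so
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
"""

def parse_stack(text):
    """Return [(module, {retval: action})] for the auth lines of a PAM config."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            raise ValueError("unparsable line: " + line)
        ctrl, module = m.groups()
        flags = dict(kv.split("=") for kv in ctrl[1:-1].split()) if ctrl[0] == "[" else KEYWORDS[ctrl]
        stack.append((module, flags))
    return stack

def simulate(stack, returns):
    """Walk the stack; returns[module] is that module's return value (default 'success')."""
    ok_seen = failed = False
    i = 0
    while i < len(stack):
        module, flags = stack[i]
        action = flags.get(returns.get(module, "success"), flags["default"])
        i += 1
        if action in ("bad", "die"):
            failed = True
            if action == "die":          # requisite-style: stop immediately
                break
        elif action in ("ok", "done") or action.isdigit():
            ok_seen = True
            if action == "done":
                break
            if action.isdigit():         # "N": ok, then skip the next N modules
                i += int(action)
    return "success" if ok_seen and not failed else "fail"

STACK = parse_stack(COMMON_AUTH)

def verdict(returns):
    """Final auth result for the stack above; pam_deny always returns auth_err."""
    return simulate(STACK, {"pam_deny.so": "auth_err", **returns})
```

With pam_python returning authinfo_unavail the stack falls through to pam_unix/pam_sss, while a genuine 2FA failure hits default=die and ends authentication without consulting the password modules.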