I am stuck getting two-factor authentication in CentOS 7 to work; specifically, authentication via SSH and OTP.
I would very much appreciate it if someone could assist me with this. :)
Edit: As I understand it from the log below, the PAM module asks the RADIUS server for authentication, and the server responds with code 11 so that the PAM module challenges the user for an OTP, but instead the module just says "authentication failed". So the client should be the problem, right?
Here is a log of an attempt to login via SSH with the account "[email protected]":
sshd[3652]: pam_radius_auth: Got user name [email protected]
sshd[3652]: pam_radius_auth: ignore last_pass, force_prompt set
sshd[3652]: pam_radius_auth: Sending RADIUS request code 1
sshd[3652]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fa56490e1c0.
sshd[3652]: pam_radius_auth: Got RADIUS response code 11
sshd[3652]: pam_radius_auth: authentication failed
sshd[3652]: pam_sepermit(sshd:auth): Parsing config file: /etc/security/sepermit.conf
sshd[3652]: pam_sepermit(sshd:auth): Enforcing mode, access will be allowed on match
sshd[3652]: pam_sepermit(sshd:auth): sepermit_match returned: -1
sshd[3652]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.31 [email protected]
sshd[3652]: Failed password for [email protected] from 10.0.0.31 port 57962 ssh2
sshd[3652]: Connection closed by 10.0.0.31 [preauth]
Below follows the configuration and setup information.
The test environment is given by my company's infrastructure; we mainly use Windows clients and about the same share of Windows and Linux servers.
Windows server: Windows Server 2016 x64
- Active Directory: Test.local
- ESET Secure Authentication (RADIUS Server)
- Shared Secret with Client: test345
- Option "Use Access-Challenge feature of RADIUS" is enabled
Linux client/server: CentOS 7.3 x64
- joined domain Test.local via realm
- Local login with AD accounts and OTP 2FA is possible at all times
- SSH login with any account is only possible if pam_radius_auth.so is not set to required in /etc/pam.d/sshd (which means no 2FA)
Configuration of the Linux client/server:
- RADIUS server and shared secret are added in /etc/raddb/server
- pam_radius_auth.so is in /usr/lib64/security/
- "auth required pam_radius_auth.so" is added to /etc/pam.d/sshd and /etc/pam.d/login
/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth substack system-auth
auth include postlogin
auth sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_radius_auth.so debug
auth required pam_sepermit.so debug
auth substack password-auth debug
auth include postlogin debug
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/raddb/server
# server[:port] shared_secret timeout (s)
10.0.0.1 test345 5
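To illustrate what the "response code 11" in the log above means for the client side, here is an added example (not from the question, not code from pam_radius_auth or ESET) of a minimal RADIUS (RFC 2865) round trip in which the client answers an Access-Challenge by re-sending a request that echoes the server's State attribute. The in-process fake_server, the user name alice@test.local, the OTP and the State value are constructed for the demonstration; only the shared secret test345 comes from the question.

```python
import hashlib, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"test345"  # shared secret from the question's /etc/raddb/server
def attrs(pairs):  # encode (type, value) pairs as RADIUS TLVs
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)
def parse_attrs(body):
    out, i = {}, 0
    while i < len(body):
        t, l = body[i], body[i + 1]
        out[t], i = body[i + 2:i + l], i + l
    return out
def encrypt_password(pw, secret, ra):  # RFC 2865 5.2: MD5-chained XOR of 16-byte blocks
    out, prev = b"", ra
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16].ljust(16, b"\0"), key))
        out += prev
    return out
def access_request(ident, user, password, secret, state=None):
    ra = os.urandom(16)  # Request Authenticator
    pairs = [(USER_NAME, user), (USER_PASSWORD, encrypt_password(password, secret, ra))]
    if state is not None:  # second leg: echo the server's State unchanged
        pairs.append((STATE, state))
    body = attrs(pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra
def response(code, ident, request_auth, secret, pairs):
    body = attrs(pairs)  # Response Authenticator = MD5(hdr | RequestAuth | attrs | secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body
def parse_response(pkt, request_auth, secret):
    code, length = pkt[0], struct.unpack("!H", pkt[2:4])[0]
    if pkt[4:20] != hashlib.md5(pkt[:4] + request_auth + pkt[20:length] + secret).digest():
        raise ValueError("bad Response Authenticator: wrong shared secret or altered packet")
    return code, parse_attrs(pkt[20:length])
def fake_server(req):  # constructed stand-in for the RADIUS server; checks no credentials
    if STATE not in parse_attrs(req[20:]):  # first leg: ask for the OTP with code 11
        return response(ACCESS_CHALLENGE, req[1], req[4:20], SECRET,
                        [(REPLY_MESSAGE, b"Enter OTP:"), (STATE, b"sess-42")])
    return response(ACCESS_ACCEPT, req[1], req[4:20], SECRET, [])
def login(user, password, otp, secret=SECRET, server=fake_server):
    req, ra = access_request(1, user, password, secret)
    code, a = parse_response(server(req), ra, secret)
    if code != ACCESS_CHALLENGE:  # a client that stops here turns code 11 into "failed"
        return code
    req, ra = access_request(2, user, otp, secret, state=a[STATE])  # OTP on the second leg
    return parse_response(server(req), ra, secret)[0]
```

A client that treats anything other than code 2 as a failure never sends the second leg, which is the behaviour the log above shows; the Response Authenticator check also fails loudly when the shared secret on the two sides does not match.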