I'm running OpenVPN on a Centos 8 server and have it configured to use PAM authentication for users stored in an IPA server. The users are configured to require 2FA. Everything has been working as expected for several months. But recently our domain cert expired. After inserting the new cert into IPA, PAM authentication stopped working on the OpenVPN server.
Nothing in the logs pointed to anything conclusive so I assumed the IPA client running on the OpenVPN server may not be recognizing the new domain certs on the IPA server. So I uninstalled the IPA client on the OpenVPN server and then reinstalled it. Next I restarted the OpenVPN service, reconfigured sssd.conf and restarted sssd. I was now able to successfully authenticate as expected using a password + OTP token when initiating an OpenVPN connection.
But after rebooting the OpenVPN server, the PAM authentication is no longer requiring the 2FA token -- i.e. I can only initiate an OpenVPN connection with a password that does not include OTP token even though the user is configured to require 2FA. I repeated the same uninstall/reinstall steps and again password + 2FA token authentication worked as expected. But like before after reboot, the 2FA token authentication did not work.
After initially reinstalling the IPA ClientThe sssd log for sss_pam_preauth shows:
[pam] [pam_eval_prompting_config] (0x4000): Authentication types for
user [test55#ipa.mydomain.biz] and service [su]: password
two-factor
But after rebooting the sssd log for sss_pam_preauth shows:
[pam] [pam_eval_prompting_config] (0x4000): Authentication types for
user [test55#ipa.mydomain.biz] and service [su]: password
The sssd and pam config files are the same before and after reboot.
I'm at a loss to understand this behavior.
In my haste to repair the OpenVPN server I overlooked the sssd cache. The account I was using for testing at one time was not configured for 2FA.
It appears after reinstalling the IPA Client, authentication looked to the IPA server for sss_pam_preauth where the user is configured for 2FA. But after reboot sss_pam_preauth looked to the sssd cache where the user was not configured for 2FA.
So following the reboot I cleared the user from the sssd cache using the command sss_cache -u user1. With my next test, sss_pam_preauth could no longer find the user in the sssd cache and therefore looked to the IPA server which responded with a requirement for password + 2FA token as expected. I then rebooted the OpenVPN server again and sss_pam_preauth looked to the sssd cache where the user is now configured for 2FA.
The OpenVPN server is now working as expected.
Related
I have setup my LDAP server with user details. I have setup my Ubuntu laptop to authenticate users from LDAP. The problem is, every time user tries to log in, Ubuntu tries to reach LDAP servers to authenticate. So when network connection is out, it shows authentication failed. What I want is when user logs in first time, Ubuntu authenticates from LDAP, and creates a local user profile, and stores credential somewhere on local. So when network connection is not available, it authenticates against last used credentials. And when system connects back to internet, it authenticates against LDAP.
Please help me with this. Let me know if any clarifications are required.
I have created LDAP Server, and my ubuntu system is already authenticating users against LDAP. I want to store the LDAP credentials to a local user once the user logs in for the first time, so that these credentials can be used for authentication when network connection unavailable.
If you are using SSSD as the LDAP client, enable its built-in credential caching. Take a look at options cache_credentials (for auth) and cache_first (for account information) in the sssd.conf(5) manual page.
If you are using nslcd as the LDAP client, install pam_ccreds for authentication caching and nscd for account information caching.
I'm hosting my file server on GCP debian 10 virtual machine and I want to create passwordless user so people could publicly download files from his home directory.
So I created new user, removed his password with passwd -d username, changed /etc/ssh/sshd_config file so it would allow this exact user to login with empty password and set chroot jail, restarted ssh service.
Unfortunately, when I'm connection via ssh into this user it still prompts me with a password.
This setup was working on the old server, configs are definitly correct and user definitely does not have password. I guess google implemented some additionl protection that dosen't allow me to do what I want.
Maybe someone had already bumbed into the same problem before?
I reached the support and they said google doesn't support passwordless ssh connections.
I haven't really have had much experience with Kerberos but I am trying to set up SSH authentication with AD on one of my servers using sssd. I have followed the instructions on the sssd documentation here and got it working but I am struggling to understand why I need a keytab file to set this up?
I've been doing a bit of reading about Kerberos lately and it appears you only need to create a keytab file on the server when the server needs to authenticate to AD without user interaction or when you need to implement SSO (when a user requests a ticket for that service).
I simply want my users to enter their username / password when logging in via SSH and have sssd authenticate this user against AD and create a TGT ticket for them. The funny thing is - even when I don't setup sssd and only set up the kerberos side I can run kinit and I get a ticket!
So my question is this: Can I set up SSH authentication using sssd without generating a keytab file on the server? if not then why not?
Your question in the Subject line "What is the reason for a Kerberos keytab file when setting up SSH authentication on a server?" boils down to a one-line answer: it allows for Kerberos single sign-on authentication to the Directory server by de-crypting the inbound Kerberos service ticket to "tell" who the user is. As far as your other question, "Can I set up SSH authentication using sssd without generating a keytab file on the server?", the answer is yes, you can. But you will be prompted for a username or password whenever you connect to the SSH service, unless you choose to cache the password in whatever SSH utility you might be using to connect. Caching the password though, in such a method, is not considered to be "single sign-on".
For additional reference, you can read more about my article on Kerberos keytabs on Microsoft Technet: Kerberos Keytabs – Explained. I frequently go back and edit it based on questions I see here in this forum.
I am new to configuration of LDAP and Moodle. I installed the OpenLDAP 2.4.40 on Linux Centos 6 and configured it successfully using this link. Then I got to another Link which provides the configuration of LDAP Server Authentication on Moodle 3.2.
After implementing all the configuration, the login to the Moodle using a LDAP user is not working knowing that all the configurations are applied as documented in the above links.
I installed the Apache Directory Studio and configure the connection to the LDAP Server successfully. Hereafter is a snapshot of the LDAP Server Tree:
Then I got to the LDAP server installed in Linux thru using putty tool and run the "ldapsearch -x -LLL -b dc=sorce,dc=online" and it works fine.
My Moodle Authentication configuration parameters of LDAP Server are as follows:
Distinguished Name - bind user is set to the Root User:
cn=Manager,dc=sorce,dc=online User
Type: posixAccount (rfc2307)
Context is set to the "users" entry: ou=Users,dc=sorce,dc=online
All the passwords are double checked
However, after implementing all the above configurations, I`m still not able to connect to Moodle using LDAP Users, and I got the following error:
LDAP-module cannot connect to any servers: Server: '80.79.155.44', Connection: 'Resource id #82', Bind result: ''
My Moodle installation is hosted in a cloud account, the LDAP Server is installed in a local office server (Linux Centos 6), and the Apache Directory Studio is installed in my PC (Windows 7)
Any ideas regarding how I can make Moodle authenticate LDAP Users and login..please help?
Thanks in advance
For the SSO part of Moodle to work, you need to config NTLM on your server as well as LDAP. Once you've added the server as a domain member (so it can pass-through / impersonate authentication requests to you DC[s]). See: https://docs.moodle.org/24/en/NTLM_authentication
Once you get it to the point that winbind ("wbinfo -u" from bash) can successfully 'speak' to your domain ad fetch a list of users, your basically there.
This is an old question and you've surely moved on since then, but having recently gone through this and happening upon this article, thought I'd post this hint for anyone else encountering similar challenges.
So I've a VM that has SSH login. In this machine I only want one user ( lets say admin) to be able to login in via SSH.
Ive changed the sshd_config and added the AllowUsers admin directive. The problem is that I can still login to the machine with the user user, for example.
The host is a Ubuntu server and I'm accessing it via vSphere Client.
Is there anything I'm missing here?