Univention Bugzilla – Bug 39612
Extend the UMC PAM configuration
Last modified: 2015-11-17 12:12:16 CET
The issue for the UMC PAM configuration.

+++ This bug was initially created as a clone of Bug #39611 +++

Currently, the UMC login is possible via username / password and via SAML. It would be really nice if the login could be extended with a multi factor authentication App such as privacyIDEA. UMC uses PAM, therefore the app should be able to extend the UMC PAM configuration. For example:

OLD:
    auth sufficient pam_unix.so
    auth sufficient pam_krb5.so use_first_pass
    auth required   pam_ldap.so use_first_pass

NEW:
    auth sufficient pam_unix.so
    auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore] pam_krb5.so use_first_pass
    auth [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
    auth required   pam_multi_factor use_first_pass

I guess we can't use pam_unix in this way because the password hashes of the LDAP users are available via 'getent shadow' at least as root and if the password hasn't been changed via Samba 4 (Kerberos). Anyway, the pam_multi_factor module should be able to check if the user must insert a token.

For example for a user without a token:
    Username: test1
    Password: XXXXXXX
    → Login succeeded if the password is correct

For example for a user with a token:
    Username: test1
    Password: XXXXXXX
    One Time Password: XXXX
    → Login succeeded if the password and the one time password are correct

The UMC login has to check the PAM Dialog and display a second password prompt, for example:

1. Screen
    <Username>
    <Password>
    → Insert: Administrator \t univention \Enter

2. Screen
    Administrator (grayed out)
    *********** (grayed out)
    <One Time Password>
    → Insert OTP \Enter

I'll split the PAM configuration into a separate issue.
The pam-passwdcache doesn't work at the moment Bug #39696. I think we should allow only one, either multi factor or cached authentication.
The PAM configuration is now separated and it is possible to define an additional auth method which is always checked even if pam_unix, pam_kerberos or pam_ldap were successful. The addon must only set a UCR variable, for example auth/umc/addon/name=true. And the addon must define a subfile for the UMC PAM configuration which is between 51 and 58, for example:

----------------------------------------------------------------------
Type: multifile
Multifile: etc/pam.d/univention-management-console

Type: subfile
Multifile: etc/pam.d/univention-management-console
Subfile: etc/pam.d/univention-management-console.d/51_addon_name
----------------------------------------------------------------------

The PAM configuration should exit with sufficient. This issue still needs some testing and a changelog entry.
My tests were successful.

Changelog entry: r65070

privacyIDEA PAM 2.7 will use it: Ticket #2015102821000166
Ok, this works.

* the restructuring looks good:
  ** "account" stack entries relocated from 50_base to 60_account
  ** "session" stack entries relocated from 50_base to 70_session
  ** "password" stack entries relocated from 50_base to 80_password
* pam_passwdcache.so is now sufficient instead of required. This is important because the pam_passwdcache.so insert may have failed.
* In case auth/umc/addon/foo=true but module/subfile is not installed, UMC login is denied generally.
* changelog ok.
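To see why the NEW stack proposed in the first comment always reaches the multi-factor module while the OLD stack never does, and why an enabled addon whose module is not installed denies every login (the behaviour noted in the QA comment above), here is an added Python simulator of Linux-PAM "auth" stack control flow. It is an example added to this page, not Univention or privacyIDEA code: the stack texts are the ones from the first comment (with the hypothetical pam_multi_factor module), the per-module return values are constructed inputs, and the control-flag semantics follow pam.conf(5) in simplified form (ok, done, bad, die, ignore, and numeric jumps).

```python
"""Simulate Linux-PAM "auth" stack control flow on the OLD and NEW UMC stacks.

Added example; the stack texts come from the bug comment, the per-module
return values below are constructed, and pam_multi_factor is hypothetical.
"""
import re

# pam.conf(5) defines the keyword controls as equivalent bracket actions.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# OLD stack from the bug comment: pam_krb5 is "sufficient", so a correct
# password ends the stack before anything after it is consulted.
OLD_STACK_TEXT = """
auth sufficient pam_unix.so
auth sufficient pam_krb5.so use_first_pass
auth required   pam_ldap.so use_first_pass
"""

# NEW stack from the bug comment: success=1 skips pam_ldap but keeps going,
# auth_err=die aborts, and the (hypothetical) MFA module is "required".
NEW_STACK_TEXT = """
auth sufficient pam_unix.so
auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore] pam_krb5.so use_first_pass
auth [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
auth required   pam_multi_factor use_first_pass
"""


def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (module, actions) pairs."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$", line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % line)
        control, module, _args = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORD_CONTROLS[control]
        stack.append((module, actions))
    return stack


def run_stack(stack, module_results):
    """Walk the stack; return (outcome, modules consulted in order).

    module_results maps module name -> PAM return value (e.g. "success",
    "auth_err", "user_unknown"). A module missing from the mapping is treated
    as not installed ("module_unknown"), which is what an enabled addon
    without its .so looks like to PAM.
    """
    state = None            # None = undecided so far, else "success"/"failure"
    consulted = []
    i = 0
    while i < len(stack):
        module, actions = stack[i]
        result = module_results.get(module, "module_unknown")
        consulted.append(module)
        action = actions.get(result, actions.get("default", "bad"))
        i += 1
        if action.isdigit():          # jump N: counts as ok, skips N modules
            i += int(action)
            action = "ok"
        if action == "ignore":
            continue
        if action == "ok":
            if state is None:
                state = "success"
        elif action == "done":        # stop now unless a failure was recorded
            if state is None:
                state = "success"
            if state == "success":
                return state, consulted
        elif action == "bad":
            state = "failure"
        elif action == "die":
            return "failure", consulted
        else:
            raise ValueError("unknown action %r" % action)
    return (state or "failure"), consulted


def demo():
    """Run the constructed scenarios; returns {scenario: (outcome, consulted)}."""
    old, new = parse_stack(OLD_STACK_TEXT), parse_stack(NEW_STACK_TEXT)
    # Constructed: a domain user whose password is verified by Kerberos.
    good_pw = {"pam_unix.so": "user_unknown", "pam_krb5.so": "success"}
    return {
        "old_good_password":        run_stack(old, good_pw),
        "new_good_password_good_otp": run_stack(new, dict(good_pw, pam_multi_factor="success")),
        "new_good_password_bad_otp":  run_stack(new, dict(good_pw, pam_multi_factor="auth_err")),
        "new_bad_password":         run_stack(new, {"pam_unix.so": "user_unknown", "pam_krb5.so": "auth_err"}),
        "new_mfa_module_missing":   run_stack(new, good_pw),
    }


if __name__ == "__main__":
    for name, (outcome, consulted) in demo().items():
        print("%-28s %-8s consulted: %s" % (name, outcome, " -> ".join(consulted)))
```

The traces show the property the comment asks for: with the OLD stack a correct Kerberos password returns success without the MFA module ever being consulted; with the NEW stack the second factor is always consulted after a correct password, a wrong password dies before the OTP prompt, and an enabled addon whose module is absent turns every login into a failure.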
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".