Univention Bugzilla – Bug 39841
Extend the UMC login with a multi factor authentication
Last modified: 2015-11-17 12:12:22 CET
Please check if the manual has to be adjusted.

+++ This bug was initially created as a clone of Bug #39611 +++

Currently, the UMC login is possible via username / password and via SAML. It would be really nice if the login could be extended with a multi factor authentication App such as privacyIDEA.

UMC uses PAM, therefore the app should be able to extend the UMC PAM configuration. For example:

OLD:
    auth sufficient pam_unix.so
    auth sufficient pam_krb5.so use_first_pass
    auth required pam_ldap.so use_first_pass

NEW:
    auth sufficient pam_unix.so
    auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore] pam_krb5.so use_first_pass
    auth [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
    auth required pam_multi_factor use_first_pass

I guess we can't use pam_unix in this way because the password hashes of the LDAP users are available via 'getent shadow' at least as root and if the password hasn't been changed via Samba 4 (Kerberos).

Anyway, the pam_multi_factor module should be able to check if the user must insert a token.

For example for a user without a token:
    Username: test1
    Password: XXXXXXX
    → Login succeeded if the password is correct

For example for a user with a token:
    Username: test1
    Password: XXXXXXX
    One Time Password: XXXX
    → Login succeeded if the password and the one time password are correct

The UMC login has to check the PAM Dialog and display a second password prompt, for example:

1. Screen
    <Username>
    <Password>
    → Insert: Administrator \t univention \Enter

2. Screen
    Administrator (grayed out)
    *********** (grayed out)
    <One Time Password>
    → Insert OTP \Enter

I'll split the PAM configuration into a separate issue.
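The control flags of the NEW stack can be traced to see when the second-factor module is actually reached. This is an added example, not part of the bug report or of Univention's code: a simplified model of Linux-PAM's dispatch for one auth stack (no includes or substacks), run over constructed module return codes; pam_multi_factor is the report's hypothetical module name.

```python
# Simplified model of Linux-PAM's dispatch for a single auth stack.
SUFFICIENT = {"success": "done", "new_authtok_reqd": "done", "default": "ignore"}
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"}

# The NEW stack from the report; pam_multi_factor is its hypothetical module.
NEW_STACK = [
    ("pam_unix", SUFFICIENT),
    ("pam_krb5", {"success": 1, "new_authtok_reqd": "ok", "user_unknown": "ignore",
                  "service_err": "ignore", "authinfo_unavail": "ignore",
                  "auth_err": "die", "default": "ignore"}),
    ("pam_ldap", {"success": "ok", "new_authtok_reqd": "ok", "default": "die"}),
    ("pam_multi_factor", REQUIRED),
]

def evaluate(stack, results):
    """Return (granted, modules_called) for the per-module return codes in `results`."""
    impression, status, called, i = None, "must_fail", [], 0
    while i < len(stack):
        name, control = stack[i]
        ret = results[name]
        called.append(name)
        action = control.get(ret, control["default"])
        i += 1
        if isinstance(action, int):          # jump: skip the next N modules
            i += action
        elif action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            if action == "done" and impression:
                break                        # stack ends here with the current status
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break
        # "ignore": the module's result does not affect the outcome
    return (impression is True and status == "success"), called

if __name__ == "__main__":
    # Constructed return codes: what each module would report for one login attempt.
    cases = {
        "hash visible to pam_unix": {"pam_unix": "success"},
        "Kerberos ok, OTP wrong": {"pam_unix": "auth_err", "pam_krb5": "success",
                                   "pam_multi_factor": "auth_err"},
    }
    for label, results in cases.items():
        print(label, evaluate(NEW_STACK, results))
```

In the first case the stack grants access after pam_unix alone and pam_multi_factor is never called, which is the situation the pam_unix remark in the report describes.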
Added at the end of the UMC authentication chapter: r65427
Two more commits: r65428 + r65429
Looks good. I just did a small rephrasing: r65454 | Bug #39841: minor rephrasing and commata
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".