Bug 39841 - Extend the UMC login with a multi factor authentication
Status: CLOSED FIXED
Product: UCS manual
Classification: Unclassified
Component: UMC
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1
Assigned To: Stefan Gohmann
QA Contact: Alexander Kläser
: interim-3
Depends on: 39611
Blocks: 39612
Reported: 2015-11-10 10:17 CET by Stefan Gohmann
Modified: 2015-11-17 12:12 CET (History)
Description Stefan Gohmann univentionstaff 2015-11-10 10:17:40 CET
Please check whether the manual has to be adjusted.

+++ This bug was initially created as a clone of Bug #39611 +++

Currently, the UMC login is possible via username / password and via SAML.

It would be really nice if the login could be extended with a multi-factor authentication app such as privacyIDEA. UMC uses PAM, therefore the app should be able to extend the UMC PAM configuration. For example:

OLD:
auth     sufficient                         pam_unix.so
auth     sufficient                         pam_krb5.so use_first_pass
auth     required                           pam_ldap.so use_first_pass

NEW:
auth     sufficient                         pam_unix.so
auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore]  pam_krb5.so use_first_pass
auth     [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
auth     required                           pam_multi_factor.so use_first_pass

I guess we can't use pam_unix in this way because the password hashes of the LDAP users are available via 'getent shadow' at least as root and if the password hasn't been changed via Samba 4 (Kerberos).
Anyway, the pam_multi_factor module should be able to check if the user must insert a token.

For example for a user without a token:
Username: test1
Password: XXXXXXX
→ Login succeeded if the password is correct

For example for a user with a token:
Username: test1
Password: XXXXXXX
One Time Password: XXXX
→ Login succeeded if the password and the one time password are correct

The UMC login has to check the PAM Dialog and display a second password prompt, for example:

1. Screen
<Username>
<Password>
→ Insert: Administrator \t univention \Enter
2. Screen
Administrator (grayed out)
*********** (grayed out)
<One Time Password>
→ Insert OTP \Enter

I'll split the PAM configuration into a separate issue.
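As an added example (not UCS code and not part of the bug), a small Python evaluator for Linux-PAM control fields, run over the NEW stack proposed above; module return codes are supplied by hand, so it runs without PAM. It shows that the OTP module is only consulted after the password succeeded, and that `pam_unix.so` as `sufficient` would bypass the OTP entirely, which is the concern raised about `getent shadow`.

```python
"""Linux-PAM auth-stack evaluator (added example, not part of UCS or this bug)."""
KEYWORDS = {  # control keyword expansions as documented in pam.conf(5)
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text):
    """Parse 'auth <control> <module> [args]' lines into (control dict, module name)."""
    stack = []
    for line in text.strip().splitlines():
        _, rest = line.split(None, 1)
        if rest.startswith("["):                      # explicit [value=action ...] field
            ctl, module = rest[1:].split("]", 1)
            control = dict(kv.split("=", 1) for kv in ctl.split())
        else:                                         # classic keyword
            keyword, module = rest.split(None, 1)
            control = KEYWORDS[keyword]
        stack.append((control, module.split()[0]))
    return stack

def evaluate(stack, outcomes):
    """Walk the stack with hand-supplied per-module return codes; returns (status, modules consulted)."""
    status, failed, consulted, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        retval = outcomes[module]
        consulted.append(module)
        action = control.get(retval, control["default"])
        if action in ("bad", "die"):
            if not failed:                # the first failure is the one reported
                status, failed = retval, True
            if action == "die":
                break                     # terminate the stack immediately
        elif action != "ignore":          # ok / done / N: a success never overrides a failure
            if not failed:
                status = retval
                if action == "done":
                    break
            if action.isdigit():
                i += int(action)          # N: jump over the next N modules
    return (status or "perm_denied"), consulted

NEW_STACK = parse_stack("""
auth sufficient pam_unix.so
auth [success=1 new_authtok_reqd=ok user_unknown=ignore service_err=ignore authinfo_unavail=ignore auth_err=die default=ignore] pam_krb5.so use_first_pass
auth [success=ok new_authtok_reqd=ok default=die] pam_ldap.so use_first_pass
auth required pam_multi_factor.so use_first_pass
""")  # the NEW stack from the bug description; pam_multi_factor.so is hypothetical
```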
Comment 1 Stefan Gohmann univentionstaff 2015-11-11 21:50:05 CET
Added at the end of the UMC authentication chapter: r65427
Comment 2 Stefan Gohmann univentionstaff 2015-11-11 22:06:11 CET
Two more commits: r65428 + r65429
Comment 3 Alexander Kläser univentionstaff 2015-11-12 19:12:48 CET
Looks good. I just did a small rephrasing:
r65454 | Bug #39841: minor rephrasing and commata
Comment 4 Stefan Gohmann univentionstaff 2015-11-17 12:12:22 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".