SURFscz/pam-weblogin

pam_weblogin with SSH users fails with local password

Closed this issue · 1 comments

I've configured pam_weblogin and the ssh pam module as default (auth sufficient).
This fails when I try to log in with a user who tries to log in with a local password rather than an ssh key:

bas@audit:~/pam-weblogin/docker$ ssh -p 1022 -l admin@scz-vm.net audit
The authenticity of host '[audit]:1022 ([145.0.6.123]:1022)' can't be established.
ECDSA key fingerprint is SHA256:YdTZAikX56hrWBZlEIBdtjSXzz02lpVB+EZgEXqZXWE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[audit]:1022,[145.0.6.123]:1022' (ECDSA) to the list of known hosts.
admin@scz-vm.net@audit's password:
Please sign in to: https://sbs.audit.lab.surf.nl/weblogin/1bcaaa64-293d-4f4e-992e-920fdf224480
Incorrect pin
Incorrect pin
Incorrect pin
Please sign in to: https://sbs.audit.lab.surf.nl/weblogin/1bcaaa64-293d-4f4e-992e-920fdf224480
Incorrect pin
Incorrect pin
Incorrect pin

Changing the pam config to auth required results in:

bas@audit:~/pam-weblogin/docker$ ssh -p 1022 -l admin@scz-vm.net audit
admin@scz-vm.net@audit's password:
Permission denied, please try again.
admin@scz-vm.net@audit's password:
Permission denied, please try again.
admin@scz-vm.net@audit's password:

The auth log then has:

Aug  5 07:47:19 sandbox web-login[118]: Start of pam_weblogin
Aug  5 07:47:19 sandbox web-login[118]: url: https://sbs.audit.lab.surf.nl/pam-weblogin
Aug  5 07:47:19 sandbox web-login[118]: token: Bearer ASU3hwZGsKYEf_qMDXO6Y6VwEotUV4qnTcwZP8s-M1wk
Aug  5 07:47:19 sandbox web-login[118]: retries: 3
Aug  5 07:47:19 sandbox web-login[118]: attribute: email
Aug  5 07:47:19 sandbox web-login[118]: cache_duration: 30
Aug  5 07:47:19 sandbox web-login[118]: No more lines in: /etc/pam-weblogin.conf
Aug  5 07:47:19 sandbox web-login[118]: Request to https://sbs.audit.lab.surf.nl/pam-weblogin/start, 201, {"cached":false,"challenge":"Please sign in to: https://sbs.audit.lab.surf.nl/weblogin/b17504de-3e34-4caf-86b7-244141c080dc","result":"OK","session_id":"b17504de-3e34-4caf-86b7-244141c080dc"}
Aug  5 07:47:19 sandbox web-login[118]: Request to https://sbs.audit.lab.surf.nl/pam-weblogin/check-pin, 201, {"info":"Incorrect pin","result":"FAIL"}
Aug  5 07:47:19 sandbox web-login[118]: info: Incorrect pin
Aug  5 07:47:19 sandbox web-login[118]: result: FAIL
Aug  5 07:47:19 sandbox web-login[118]: Request to https://sbs.audit.lab.surf.nl/pam-weblogin/check-pin, 201, {"info":"Incorrect pin","result":"FAIL"}
Aug  5 07:47:19 sandbox web-login[118]: info: Incorrect pin
Aug  5 07:47:19 sandbox web-login[118]: result: FAIL
Aug  5 07:47:19 sandbox web-login[118]: Request to https://sbs.audit.lab.surf.nl/pam-weblogin/check-pin, 201, {"info":"Incorrect pin","result":"FAIL"}
Aug  5 07:47:19 sandbox web-login[118]: info: Incorrect pin
Aug  5 07:47:19 sandbox web-login[118]: result: FAIL
Aug  5 07:47:21 sandbox sshd[118]: Failed password for admin@scz-vm.net from 145.0.6.123 port 57436 ssh2
Aug  5 07:47:44 sandbox sshd[118]: Connection closed by authenticating user admin@scz-vm.net 145.0.6.123 port 57436 [preauth]

Related to #22. Applying that solution will also close this one; the user will then see:

$ ssh jdoe@server
jdoe@server: Permission denied (publickey).
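
In the auth log above, the start request and all three check-pin failures carry the same timestamp (07:47:19). As an added example (not part of the issue or of pam-weblogin's code), this Python script flags that pattern in logs of this format; the log lines are constructed, and the 2-second threshold and the reading that such fast answers were not typed by a person are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample in the auth log's format; host and session ids are placeholders.
BASE = "https://sbs.example.org/pam-weblogin"
FAIL = '{"info":"Incorrect pin","result":"FAIL"}'
SAMPLE_LOG = "\n".join([
    f'Aug  5 07:47:19 sandbox web-login[118]: Request to {BASE}/start, 201, {{"result":"OK","session_id":"SESSION-A"}}',
    f"Aug  5 07:47:19 sandbox web-login[118]: Request to {BASE}/check-pin, 201, {FAIL}",
    f"Aug  5 07:47:19 sandbox web-login[118]: Request to {BASE}/check-pin, 201, {FAIL}",
    f"Aug  5 07:47:19 sandbox web-login[118]: Request to {BASE}/check-pin, 201, {FAIL}",
    "Aug  5 07:47:21 sandbox sshd[118]: Failed password for user@example.org from 192.0.2.10 port 57436 ssh2",
    f'Aug  5 07:50:02 sandbox web-login[240]: Request to {BASE}/start, 201, {{"result":"OK","session_id":"SESSION-B"}}',
    f"Aug  5 07:50:41 sandbox web-login[240]: Request to {BASE}/check-pin, 201, {FAIL}",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ web-login\[(?P<pid>\d+)\]: "
    r"Request to \S+/(?P<ep>start|check-pin), \d+, (?P<body>\{.*\})$"
)

def find_instant_failures(log_text, min_human_seconds=2):
    """Map PID -> failed check-pin count for sessions answered faster than a person could."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # sshd lines and the module's config echo are ignored
        # Syslog timestamps carry no year; a fixed one is enough to compute deltas.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m["pid"], {"start": None, "checks": []})
        if m["ep"] == "start":
            s["start"] = ts
        else:
            s["checks"].append((ts, json.loads(m["body"]).get("result")))
    flagged = {}
    for pid, s in sessions.items():
        if s["start"] is None or not s["checks"]:
            continue
        all_failed = all(result == "FAIL" for _, result in s["checks"])
        elapsed = (s["checks"][-1][0] - s["start"]).total_seconds()
        # A mistyped PIN after a real web login takes far longer than this.
        if all_failed and elapsed < min_human_seconds:
            flagged[pid] = len(s["checks"])
    return flagged

if __name__ == "__main__":
    print(find_instant_failures(SAMPLE_LOG))
```

PID 240 in the sample fails once after 39 seconds, which looks like a person mistyping the PIN, so it is not flagged.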