[Tickets #14051] Re: Two Factor Authentication

noreply at bugs.horde.org noreply at bugs.horde.org
Wed Apr 13 08:53:49 UTC 2016


PLEASE DO NOT REPLY TO THIS MESSAGE. MESSAGES SENT TO THIS
E-MAIL ADDRESS ARE NOT READ.

Ticket-URL: https://bugs.horde.org/ticket/14051
------------------------------------------------------------------------------
  Ticket           | 14051
  Updated By       | christoph.haas at ukbw.de
  Summary          | Two Factor Authentication
  Queue            | Horde Base
  Version          | Git master
  Type             | Enhancement
  Status           | Accepted
  Priority         | 1. Low
  Milestone        |
  Patch            |
  Owners           |
------------------------------------------------------------------------------


christoph.haas at ukbw.de (2016-04-13 08:53) wrote:

Hello,

> well, a 2-factor authentication can easily be done:
> 1. configure Horde for PAM-Authentication
> 2. use the Google authenticator PAM-module, or the pam-u2f-module  
> for e.g. Yubikey
> ... and you're done.
>
> Cheers from Stuttgart / BW / Germany
> Christoph.

I have now had the time to investigate this topic further. It isn't as
easy as mentioned in my last comment ...
Although the PAM config below works, tested e.g. as the PAM config for "su",
it doesn't do so with Horde :-((
PAM authentication works if I remove the google_authenticator part ...
(just for the record: my system runs on Debian Jessie amd64)

/etc/pam.d/horde
auth requisite pam_google_authenticator.so forward_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so


-->> the login credential with this PAM-config consists of the  
user-password and the one-time-password from the Google Authenticator.
E.g. if the user-password is: mysecretpwd
and the Google OTP: 123456
the login credential would be: mysecretpwd123456

but in /var/log/syslog
HORDE: [horde] FAILED LOGIN for haasc to horde (172.16.1.2) [pid 10073 on line 199 of "/var/www/html/horde/login.php"]
HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach() [pid 10073 on line 338 of "/var/www/html/horde/gollem/lib/Auth.php"]

... and the login is denied with an error on the Horde login screen:
"Cannot make/remove an entry for the specified session (in pam_authenticate)"

Clueless - where is my bug?
Christoph.
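
How the combined credential described in the message above is taken apart, as an added Python model (not code from the post, from Horde, or from the PAM module): with forward_pass the trailing six digits are checked as the TOTP code, and only the remaining password is handed to the next module, which reads it via use_first_pass. The function names, the one-step drift window and the sample secret (the RFC 6238 test key) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6   # length of the Google Authenticator code
STEP = 30    # TOTP time step in seconds (RFC 6238 default)

# Constructed sample: the published RFC 6238 test key, not a real secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at, digits=DIGITS, step=STEP):
    """RFC 6238 TOTP (HMAC-SHA1) for the Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_credential(credential, digits=DIGITS):
    """Split '<password><code>' as typed into the single login prompt."""
    password, code = credential[:-digits], credential[-digits:]
    if not password or len(code) != digits:
        raise ValueError("expected <password><%d-digit code>" % digits)
    if not (code.isascii() and code.isdigit()):
        raise ValueError("trailing %d characters are not digits" % digits)
    return password, code

def check_login(credential, secret_b32, check_password, now=None, window=1):
    """Verify the code first, then pass only the password to the next check.

    `check_password` stands in for the following PAM module (pam_ldap in
    the config above); `window` is the number of time steps of clock drift
    tolerated on each side (assumed value).
    """
    now = time.time() if now is None else now
    try:
        password, code = split_credential(credential)
    except ValueError:
        return False
    code_ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * STEP)
        code_ok |= hmac.compare_digest(code, expected)
    return code_ok and check_password(password)
```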





