[Tickets #14051] Re: Two Factor Authentication
noreply at bugs.horde.org
noreply at bugs.horde.org
Wed Apr 13 08:53:49 UTC 2016
BITTE NICHT AUF DIESE NACHRICHT ANTWORTEN. NACHRICHTEN AN DIESE
E-MAIL-ADRESSE WERDEN NICHT GELESEN.
Ticket-URL: https://bugs.horde.org/ticket/14051
------------------------------------------------------------------------------
Ticket | 14051
Aktualisiert Von | christoph.haas at ukbw.de
Zusammenfassung | Two Factor Authentication
Warteschlange | Horde Base
Version | Git master
Typ | Enhancement
Status | Accepted
Priorität | 1. Low
Milestone |
Patch |
Zuständige |
------------------------------------------------------------------------------
christoph.haas at ukbw.de (2016-04-13 08:53) hat geschrieben:
Hello,
> well, a 2-factor authentication can easily be done:
> 1. configure Horde for PAM-Authentication
> 2. use the Google authenticator PAM-module, or the pam-u2f-module
> for e.g. Yubikey
> ... and you're done.
>
> Cheers from Stuttgart / BW / Germany
> Christoph.
I had now the time to investigate further on this topic. It isn't as
easy as mentioned in my last comment ...
Thus the below PAM-config works, tested e.g. as PAM-config for "su",
it doesn't do so with Horde :-((
PAM-authentication works if I remove the google_authenticator part ...
(just for the records: my system runs on a Debian Jessie amd64)
/etc/pam.d/horde
auth requisite pam_google_authenticator.so forward_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000
use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
-->> the login credential with this PAM-config consists of the
user-password and the one-time-password from the Google Authenticator.
E.g. if the user-password is: mysecretpwd
and the Google OTP: 123456
the login credential would be: mysecretpwd123456
but in /var/log/syslog
HORDE: [horde] FAILED LOGIN for haasc to horde (172.16.1.2) [pid 10073
on line 199 of "/var/www/html/horde/login.php"]
HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach()
[pid 10073 on line 338 of "/var/www/html/horde/gollem/lib/Auth.php"]
... and the login is denied with a error on the Horde-login-screen:
"Cannot make/remove an entry for the specified session (in pam_authenticate)"
Clueless - where is my bug?
Christoph.
More information about the bugs
mailing list