[Tickets #14051] Re: Two Factor Authentication

noreply at bugs.horde.org noreply at bugs.horde.org
Thu Jan 24 06:50:10 UTC 2019


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14051
------------------------------------------------------------------------------
  Ticket             | 14051
  Updated By         | pla at etla.fi
  Summary            | Two Factor Authentication
  Queue              | Horde Base
  Version            | Git master
  Type               | Enhancement
  State              | Accepted
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


christoph.haas at ukbw.de (2016-04-13 08:53) wrote:

Hello,

> well, a 2-factor authentication can easily be done:
> 1. configure Horde for PAM-Authentication
> 2. use the Google authenticator PAM-module, or the pam-u2f-module  
> for e.g. Yubikey
> ... and you're done.
>
> Cheers from Stuttgart / BW / Germany
> Christoph.

I had now the time to investigate further on this topic. It isn't as  
easy as mentioned in my last comment ...
Thus the below PAM-config works, tested e.g. as PAM-config for "su",  
it doesn't do so with Horde :-((
PAM-authentication works if I remove the google_authenticator part ...
(just for the records: my system runs on a Debian Jessie amd64)

/etc/pam.d/horde
auth requisite pam_google_authenticator.so forward_pass
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000  
use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so


-->> the login credential with this PAM-config consists of the  
user-password and the one-time-password from the Google Authenticator.
E.g. if the user-password is: mysecretpwd
and the Google OTP: 123456
the login credential would be: mysecretpwd123456

but in /var/log/syslog
HORDE: [horde] FAILED LOGIN for haasc to horde (172.16.1.2) [pid 10073  
on line 199 of "/var/www/html/horde/login.php"]
HORDE: [gollem] PHP ERROR: Invalid argument supplied for foreach()  
[pid 10073 on line 338 of "/var/www/html/horde/gollem/lib/Auth.php"]

... and the login is denied with a error on the Horde-login-screen:
"Cannot make/remove an entry for the specified session (in pam_authenticate)"

Clueless - where is my bug?
Christoph.






More information about the bugs mailing list