Google two factor authentication not work on 'su' command - authentication

I installed google two factor authentication on my linux server.
(thanks to: https://github.com/google/google-authenticator-libpam)
When I try to access root account via ssh, authenticator works fine.
Verification code: .....
Password: ....
[root#hostname] works fine :)
But!! access other user account and try to access root account using su,
authenticator only require password.
[user#hostname] whoami
user
[user#hostname] su
password: .....
[root#hostname] What?!!!
I set all config to default value.
How can I fix it??

This is the default way this works. Since you are using the google-authenticator-libpam module you are only adding two factor authentication to the actual external interface login via the addition of auth required pam_google_authenticator.so to the sshd config file.
The proper security implementation (or at least one of the proper ways) is to not allow external login for the root user, going one step further and locking down ssh to only allow login from users who have two factor authentication enabled is even better.
To do that you would add the following in your sshd config :
AllowUsers admin bob

To enable Google two factor authentication for su - you have to add following parameter at the end of file /etc/pam.d/su :
auth required pam_google_authenticator.so
Save it and try login using the normal user and then su -, it will prompt for verification code.
i.e. no need to restart sshd service.

Related

CloudFoundry CLI login not working (Credentials were rejected, please try again)

So far I have always been able to log in successfully via sso.
cf login -a url --sso
I need another way to log in for my pipeline script and tried the following command.
cf login [-a API_URL] [-u USERNAME] [-p PASSWORD] [-o ORG] [-s SPACE]
This command does not work with my user, nor with a technical user to whom all necessary roles have been assigned (M D A). I get the following message.
API endpoint: url
Password>
Authenticating...
Credentials were rejected, please try again.
Does anyone know how to solve this problem?
Or maybe an alternative to create a gradle task, for example, that can be executed in a jenkins pipeline.
At the end, I want to automate a deploy (to cloud) of an artifact with my Jenkins pipeline.
You provided —sso flag, so you shouldn’t see a password prompt. Instead you should be given the url to get a token.
Maybe your CF has been misconfigured and does not support SSO yet. I tried to fix the CF CLI to avoid this but it was oddly rejected https://github.com/cloudfoundry/cli/pull/1624
Try fixing your CF installation (it needs to provide some prompts), or skip the —sso flag usage.
Using --sso and -u/-p are not doing the same thing on the backend, and there's no guarantee that a user which can login through SSO is also set up to login as a user stored directly in UAA. UAA has multiple origin's from which users can be loaded, like SAML, LDAP and internal to UAA. When you use the --sso flag, you are typically logging in via a user from your company's SAML provider. When you use the -u/-p flags, it's typically LDAP or UAA, something UAA validates directly.
In order for what you are trying to do to work, you would need to have a user available with an origin in SAML (for --sso) and a user in origin LDAP or UAA (internal), and technically those would be two separate users (despite the fact that they may have the same credentials).
At any rate, if you normally login with the --sso flag and you want to automate work, what you really want is to get a UAA client that is set with the grant type of client credentials. You can then use cf auth CLIENT_ID CLIENT_SECRET --client-credentials to automate logging in.
Typically you don't want your user account to be tied to pipelines and automated scripts anyway. If you leave the company and your user get deactivated then everything breaks :) You want a service account, and that is basically a client enabled with the client credentials grant type in UAA.

keycloak initial login does not work with admin username and password

I cannot login to keycloak in the initial setup. I managed to run the server via /standalone.sh -b=0.0.0.0 command and when accessing it via http://x.x.x.x:8080 the login page doesn't allow me to login with admin/admin username and password. any hint is highly apreciated.
In order to create the initial administrator user you need to use add-user-keycloak.sh (.bat) script located in keycloak/bin with all other scripts. Run it before starting/restarting the server, so Keycloak could pick up the user:
$ ./add-user-keycloak.sh -u admin -p password.
$ ./add-user-keycloak.sh --help will show you all the available options.
According to the latest keycloak documentation (today) there are two procedures for creating the first administrator credentials:
Creating the account on the local host
If your server is accessible from localhost, perform these steps.
Procedure:
In a web browser, go to the http://localhost:8080 URL.
Supply a username and password that you can recall in the Welcome page
Creating the account remotely
If you cannot access the server from a localhost address, or just want to start Keycloak from the command line, use the KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD environment variables to create an initial admin account.
For example:
export KEYCLOAK_ADMIN=<username>
export KEYCLOAK_ADMIN_PASSWORD=<password>
bin/kc.[sh|bat] start
If you are someone who have setup KeyCloak in Kubernetes then we can port-forward and access the localhost:8080/auth that is how I did the initial admin user setup.
kubectl port-forward svc/keycloak-http -n <namespace> 8080:80

Saving docker credentials in docker config

I have a private hosted registry at www.myDockerRepo.company.com:2222. To login to this repository I follow these steps
docker login www.myDockerRepo.company.com:2222
username : xxx
password : ***
email : xyz#company.com
WARNING: login credentials saved in /home/vagrant/.docker/config.json
Login Succeeded
Can these credentials be saved before hand in the config.json so that clients dont need to manually enter these credentials n every login? What is the best practice to login to private registries?
Yes, you can manually add the creds to the config. Just copy the file over from a host that you already logged in with.
As far as best practices, they depend on the setup, but most common is to use a generic system account for your registry that is only used by the hosts, and then when setting up the hosts and installing docker, drop in the config file for that system user. Then all pushes and pulls from those servers will be with that account.
If you try and reuse a user account, things will break if that user changes their password. It also allows you to have different permissions for hosts, maybe pull only access vs push, etc.

Authenticate Radius user using pam and ssh

I am able to authenticate radius users using radius server+pam+ssh with creating local user with blank password in linux.
Is it possible to authenticate radius users without creating users in local machine with blank password?
/etc/pam.d/ssh file as below
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
auth sufficient pam_unix.so use_first_pass
auth required pam_auth_status.so
account sufficient pam_unix.so
account required pam_auth_status.so
session required pam_unix.so
You can authenticate the user without creating an entry for him in /etc/passwd and /etc/shadow files. But now , the user is not associated with any shell in '/etc/passwd' , so it can be of no use.
Do you want to launch a shell after authentication or you want the user just to be authenticated?
I found two nss libraries that could help in this case:
libnss-mapuser from Cumulus Linux.
libnss-ato
The general process is that these will map unknown (but authenticated) user to a single user template. Each user will get his/her own /home folder though but both libs have in common that the user id will be the same.
These packages are mainly targeted at network devices where there is no ldap setup done. Cumulus describes the setup nicely.
I recommend reading https://serverfault.com/questions/538383/understand-pam-and-nss to understand what is happening there.

Command Line Authentication in Web2py

I have made a web interface for my project using web2py and configured login with pam. Now i have to make a CLI for the same. I could not find any way i can authenticate the user (we can assume that the user i want to authenticate is already logged in on the linux machine configured with pam and running web2py).
First you need to find out the name of the logged in user:
username = os.getlogin()
Then you force a login:
from gluon.storage import Storage
from uuid import uuid4
session.auth = Storage(user=user, last_visit=request.now,
expiration=auth.settings.expiration,
hmac_key = str(uuid4())
we are about to add a auth method to do this in one line.
To add to what Massimo said, this one-line login has been implemented now. You can do so using the following code:
#User_id is whatever the id is for the user you are forcing them to log in to
auth.login_user(user_id)
I couldn't find any documentation on this in the book but you can take a look at the method yourself in the gluon.tools module in the source.