X11 Authentication

Jon Spriggs jon at sprig.gs
Thu Mar 6 16:03:47 CET 2014


It's a fair point. I first investigated this about two years ago, and kinda
parked it, so, to be fair, some of these details are a little hazy. I'm
more than happy to drop back into it to check that details are the same,
but it might take a couple of days to run the checks.

In essence, I'm looking to replicate an RSA SecurID GINA style environment,
except not using RSA SecurID or the GINA environment under Windows :)

I am using a 2FA solution (with scripts triggered by FreeRadius), that I
know works with SSH and Web Pages, but at its core, I'm just handling the
RADIUS connections, and making sure the credentials aren't the same twice.

I added the following line to /etc/pam.d/common-auth:

auth sufficient pam_radius_auth.so


I was hoping this would let me log in to the LightDM session using the pam
module, but it was throwing the following message in /var/log/auth:

pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "spriggsj"

The system was also submitting multiple repeat issues of the credentials to
the radius server, which was triggering an authentication failure due to
the 2FA requirements for no duplicate credentials submitted.

I will be trying this again on my home system either tonight or tomorrow
night to see whether I'm still getting the same result, and I will report
back :)

--
Jon "The Nice Guy" Spriggs


On 6 March 2014 14:03, Fajar A. Nugraha <list at fajar.net> wrote:

> On Thu, Mar 6, 2014 at 8:05 PM, Jon Spriggs <jon at sprig.gs> wrote:
>
>> Hi,
>>
>> I've deployed FreeRadius and am using it without issue on web
>> applications and SSH sessions, however, I'm trying to expand this usage
>> into GUI logins on an Ubuntu Linux based system (using one of the LightDM,
>> GDM or KDM login managers - any will suffice, but ideally LightDM for
>> Unity).
>>
>> I realise that this is outside the normal remit of this mailing list, and
>> I'm happy to be told to look elsewhere, but as the project shepherds the
>> pam_radius plugin, I was wondering whether there were just some settings I
>> needed to tweak or configure in that plugin, or even whether I'm just
>> looking in the wrong place to support my desired outcome.
>>
>>
> so ... what exactly have you tried? AFAIK lightdm also uses pam (e.g.
> /etc/pam.d/lightdm). If you've already used pam_radius with ssh, it should
> be easy enough to use it with lightdm.
>
> --
> Fajar
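To see where the pam_radius_auth.so line added to common-auth lands in the auth stack that the lightdm service evaluates, the sketch below flattens a service's rules with @include resolved. It is an added example, not part of the original messages; the two file bodies are constructed samples (not the poster's files), and only the @include form is handled, not "include" or "substack" controls.

```python
import re

# Constructed sample files (not taken from the poster's system), modelled on
# the layout the message describes: a lightdm service file that pulls in
# common-auth, with the pam_radius_auth.so line added to common-auth.
SAMPLE_PAM_D = {
    "lightdm": """\
#%PAM-1.0
auth    requisite   pam_nologin.so
auth    sufficient  pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
session required    pam_limits.so
""",
    "common-auth": """\
auth    sufficient  pam_radius_auth.so
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite   pam_deny.so
auth    required    pam_permit.so
""",
}

# type, control (plain word or bracketed [value=action ...] form), module, args
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def effective_stack(service, files, mgmt="auth", _seen=()):
    """Return [(source_file, control, module, args)] in evaluation order."""
    if service in _seen:
        raise ValueError(f"include loop at {service}")
    rules = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("@include"):          # splice the included file in place
            rules += effective_stack(line.split()[1], files, mgmt, _seen + (service,))
            continue
        m = RULE.match(line)
        if m and m.group(1).lstrip("-") == mgmt:
            rules.append((service, m.group(2), m.group(3), m.group(4).strip()))
    return rules

def count_module(stack, module):
    """How many times a module appears in the flattened stack."""
    return sum(1 for _, _, mod, _ in stack if mod == module)

if __name__ == "__main__":
    for src, control, module, args in effective_stack("lightdm", SAMPLE_PAM_D):
        print(f"{src:12} {control:28} {module:20} {args}")
```

To run it against a real system, load the files under /etc/pam.d into a dict of the same shape and pass that in place of SAMPLE_PAM_D.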