<div dir="ltr">OK, so it looks like the situation has either changed, or I didn't look at it properly at the time :D<br><br>Turns out, authentication is fine using X11 with LightDM, so.... sorry to have wasted anyone's time.<br>
<br>I'll be posting an alternative question about the pam_radius configuration shortly, so that no-one gets confused by this complicated mess I've created!<br></div><div class="gmail_extra"><br clear="all"><div>--<br>
Jon "The Nice Guy" Spriggs</div>
<br><br><div class="gmail_quote">On 6 March 2014 15:03, Jon Spriggs <span dir="ltr"><<a href="mailto:jon@sprig.gs" target="_blank">jon@sprig.gs</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div><div>It's a fair point. I first investigated this about two years ago, and kinda parked it, so, to be fair, some of these details are a little hazy. I'm more than happy to drop back into it to check that details are the same, but it might take a couple of days to run the checks.<br>
<br></div>In essence, I'm looking to replicate a RSA SecurID GINA style environment, except not using RSA SecurID or the GINA environment under windows :)<br><br>I am using a 2FA solution (with scripts triggered by FreeRadius), that I know works with SSH and Web Pages, but at it's core, I'm just handling the RADIUS connections, and making sure the credentials aren't the same twice.<br>
<br></div>I added the following line to /etc/pam.d/common-auth:<br><pre style="padding-left:30px">auth sufficient pam_radius_auth.so</pre><br></div>I was hoping this would let me log in to the LightDM session using the pam module, but it was throwing the following message in /var/log/auth:<br>
<pre style="padding-left:30px">pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "spriggsj"</pre>The system was also submitting multiple repeat issues of the credentials to the radius server, which was triggering an authentication failure due to the 2FA requirements for no duplicate credentials submitted.<br>
</div><div><br></div>I will be trying this again on my home system either tonight or tomorrow night to see whether I'm still getting the same result, and I will report back :)<br></div></div><div class="gmail_extra">
<div class=""><br clear="all">
<div>--<br>Jon "The Nice Guy" Spriggs</div>
<br><br></div><div class="gmail_quote"><div><div class="h5">On 6 March 2014 14:03, Fajar A. Nugraha <span dir="ltr"><<a href="mailto:list@fajar.net" target="_blank">list@fajar.net</a>></span> wrote:<br></div></div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><div><div>On Thu, Mar 6, 2014 at 8:05 PM, Jon Spriggs <span dir="ltr"><<a href="mailto:jon@sprig.gs" target="_blank">jon@sprig.gs</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div dir="ltr"><div>Hi,<br><br>I've deployed FreeRadius and am using it without issue on web applications and SSH sessions, however, I'm trying to expand this usage into GUI logins on an Ubuntu Linux based system (using one of the LightDM, GDM or KDM login managers - any will suffice, but ideally LightDM for Unity).<br>
<br>I realise that this is outside the normal remit of this mailing list, and I'm happy to be told to look elsewhere, but as the project shepherds the pam_radius plugin, I was wondering whether there was just some settings I needed to tweak or configure in that plugin, or even whether I'm just looking in the wrong place to support my desired outcome.<br>
<br></div></div></blockquote><div><br></div></div></div><div>so ... what exactly have you tried? AFAIK lightdm also uses pam (e.g. /etc/pam.d/lightdm). If you've already use pam_radius with ssh, it should be easy enough to use it with lightdm.</div>
<span><font color="#888888">
<div><br></div><div>-- </div><div>Fajar</div></font></span></div></div></div>
<br></div></div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br></div>
</blockquote></div><br></div>