X11 Authentication

Jon Spriggs jon at sprig.gs
Thu Mar 6 23:38:19 CET 2014


OK, so it looks like the situation has either changed, or I didn't look at
it properly at the time :D

Turns out, authentication is fine using X11 with LightDM, so.... sorry to
have wasted anyone's time.

I'll be posting an alternative question about the pam_radius configuration
shortly, so that no-one gets confused by this complicated mess I've created!

--
Jon "The Nice Guy" Spriggs


On 6 March 2014 15:03, Jon Spriggs <jon at sprig.gs> wrote:

> It's a fair point. I first investigated this about two years ago, and
> kinda parked it, so, to be fair, some of these details are a little hazy.
> I'm more than happy to drop back into it to check that details are the
> same, but it might take a couple of days to run the checks.
>
> In essence, I'm looking to replicate an RSA SecurID GINA style environment,
> except not using RSA SecurID or the GINA environment under Windows :)
>
> I am using a 2FA solution (with scripts triggered by FreeRadius), that I
> know works with SSH and Web Pages, but at its core, I'm just handling the
> RADIUS connections, and making sure the credentials aren't the same twice.
>
> I added the following line to /etc/pam.d/common-auth:
>
> auth sufficient pam_radius_auth.so
>
>
> I was hoping this would let me log in to the LightDM session using the pam
> module, but it was throwing the following message in /var/log/auth:
>
> pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "spriggsj"
>
> The system was also submitting multiple repeat issues of the credentials
> to the radius server, which was triggering an authentication failure due to
> the 2FA requirements for no duplicate credentials submitted.
>
> I will be trying this again on my home system either tonight or tomorrow
> night to see whether I'm still getting the same result, and I will report
> back :)
>
> --
> Jon "The Nice Guy" Spriggs
>
>
> On 6 March 2014 14:03, Fajar A. Nugraha <list at fajar.net> wrote:
>
>> On Thu, Mar 6, 2014 at 8:05 PM, Jon Spriggs <jon at sprig.gs> wrote:
>>
>>> Hi,
>>>
>>> I've deployed FreeRadius and am using it without issue on web
>>> applications and SSH sessions, however, I'm trying to expand this usage
>>> into GUI logins on an Ubuntu Linux based system (using one of the LightDM,
>>> GDM or KDM login managers - any will suffice, but ideally LightDM for
>>> Unity).
>>>
>>> I realise that this is outside the normal remit of this mailing list,
>>> and I'm happy to be told to look elsewhere, but as the project shepherds
>>> the pam_radius plugin, I was wondering whether there were just some settings
>>> I needed to tweak or configure in that plugin, or even whether I'm just
>>> looking in the wrong place to support my desired outcome.
>>>
>>>
>> so ... what exactly have you tried? AFAIK lightdm also uses pam (e.g.
>> /etc/pam.d/lightdm). If you've already used pam_radius with ssh, it should
>> be easy enough to use it with lightdm.
>>
>> --
>> Fajar
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
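
The quoted message describes a RADIUS-side 2FA check that refuses credentials it has already seen, and a login path that submitted the same credentials more than once. The sketch below is an added example, not the poster's scripts or FreeRADIUS code: ReplayGuard, replay and the request ids are hypothetical names, and the sample submissions are constructed. It shows why a second request carrying the same credentials is refused, while a retransmission of the same request is not counted as reuse.

```python
import hashlib
import hmac
import os
import time


class ReplayGuard:
    """Hypothetical one-time-credential check for a RADIUS-triggered 2FA script."""

    def __init__(self, window_seconds=300):
        self.window = window_seconds
        self.key = os.urandom(32)   # per-process key: stored digests are not reusable secrets
        self.used = {}              # credential digest -> (first seen, request id)

    def _digest(self, user, credential):
        msg = user.encode() + b"\x00" + credential.encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def check(self, request_id, user, credential, now=None):
        """Return 'ok', 'retransmit' (same request seen again) or 'duplicate'."""
        now = time.time() if now is None else now
        # Forget entries older than the window so the table stays bounded.
        self.used = {d: v for d, v in self.used.items() if now - v[0] < self.window}
        digest = self._digest(user, credential)
        if digest in self.used:
            # Same request id: a network retransmission, not a new login attempt.
            return "retransmit" if self.used[digest][1] == request_id else "duplicate"
        self.used[digest] = (now, request_id)
        return "ok"


def replay(submissions, window_seconds=300):
    """Feed constructed (time, request_id, user, credential) tuples through a guard."""
    guard = ReplayGuard(window_seconds)
    return [guard.check(rid, user, cred, now=t) for t, rid, user, cred in submissions]


# Constructed sample: one login where the client side submits the same
# credentials in two separate requests, then a later login with a fresh code.
SAMPLE = [
    (0.0, "req-1", "spriggsj", "pin+123456"),
    (0.2, "req-1", "spriggsj", "pin+123456"),   # retransmission of req-1
    (0.5, "req-2", "spriggsj", "pin+123456"),   # new request, same credentials
    (60.0, "req-3", "spriggsj", "pin+654321"),  # next code
]

if __name__ == "__main__":
    for row, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(row, "->", verdict)
```
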