
pam-oauth2 with keycloak server #3

Open
adisheshsm opened this issue Jan 31, 2019 · 5 comments
Comments

@adisheshsm

Hi,

I am trying to SSH to a server using this PAM module.
The Keycloak server token endpoint is http://localhost:8080/auth/realms/demo/protocol/openid-connect/token

Do you have any example PAM configuration for using Keycloak for authentication?

Thanks and regards,
Adishesh

@CyberDem0n
Owner

Hi,

I think you should read #2, it has a lot of useful information.

@einar-lanfranco

Hi @adisheshsm did you solve this? Could you share the solution?

Thanks in advance

@einar-lanfranco

Just for people in the same situation: I followed https://blog.please-open.it/openvpn-keycloak/ and it is working!

@thiagorossi

Hi!

I know this is an old post, but I am struggling to set up Keycloak with OpenVPN. I followed the tutorial listed here. The only thing I did differently from the tutorial was to run export GO111MODULE=on before go get github.com/shimt/pam-exec-oauth2, because Go changed the behaviour in the latest versions. And instead of cp go/bin/pam-exec-oauth2 $PREFIX/pam-exec-oauth2 I ran cp /root/bin/pam-exec-oauth2 $PREFIX/pam-exec-oauth2.

If I run

curl --location --request POST 'https://*****/auth/realms/*****/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=*****' \
--data-urlencode 'client_secret=*****' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=*****' \
--data-urlencode 'password=*****'

I get

{"access_token":"*****","expires_in":300,"refresh_expires_in":1800,"refresh_token":"*****",
"token_type":"Bearer","not-before-policy":0,"session_state":"*****","scope":"profile email"}

I noted that I can't run it if OTP is enabled. (If you could help with that I would be immensely grateful too.) For the sake of simplicity, I disabled 2FA to make it work with curl, and I think the authentication is working because the response gives me a token.

I have:

cat /usr/share/libpam-script/pam_script_auth
#!/bin/bash
adduser $PAM_USER --disabled-password --quiet --gecos ""

like the tutorial suggests, but I am not sure how correct this would be if usernames are e-mail addresses, as in the example there are no special characters in the username. I added a user manually via the OpenVPN UI as well.

cat $PREFIX/pam-exec-oauth2.yaml
{
    client-id: "*****",
    client-secret: "*****",
    scopes: ["profile"],
    endpoint-token-url: "https://*****/auth/realms/*****/protocol/openid-connect/token",
    extra-parameters: {
    },
}

Yet, using the same credentials as in the curl above, I can't log in:

… [stdout#info] Web login authentication failed: {\'status\': 1, \'user\': \'*****\', \'reason\': "PAM auth failed: b\'Authentication failure\'"}'
… [stdout#info] Web login failed (twisted.cred.error.UnauthorizedLogin)'
… [stdout#info] CPage WebException in CLogin/auth: 'Login failed' (None)"

Can someone please tell me what I am missing? I have been stuck on this for a few days.

This might also be helpful. The tutorial wasn't very clear about where I should add those lines, so I added them at the very end of the file (the last 2 lines):

cat /etc/pam.d/common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	sufficient                      pam_script.so
auth	[success=1 default=ignore]	pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config

auth sufficient pam_exec.so expose_authtok /opt/pam-exec-oauth2/pam-exec-oauth2
auth optional pam_script.so

Should I remove the other lines starting with auth?!
/opt/pam-exec-oauth2/pam-exec-oauth2 exists.

find / -name pam_script.so
/usr/lib/security/pam_script.so

Thanks a lot!

@sreeragpb0

Hi @thiagorossi, did you solve the problem? I encountered the same problem, and when I changed the position of the scripts w.r.t. the already existing scripts, the problem was solved. But for now I was only able to authenticate against the Keycloak server with the password; when I try to give the access token instead, it gives me an authentication error...
Any solution or suggestions would be valuable.
Thanks..
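The two posts above (the pam.d stack quoted by @thiagorossi and the reordering that fixed it for @sreeragpb0) come down to how Linux-PAM walks an auth stack. This is an added example, not code from the thread or from pam-exec-oauth2: a simplified model of the control-flag semantics in pam.conf(5), run over the quoted stack as posted and with the pam_exec.so line moved above the primary block. The per-module outcomes (which modules accept or reject the Keycloak-only user) are constructed assumptions.

```python
# Added example, not from the thread: a simplified model of how Linux-PAM walks an
# "auth" stack (control-flag semantics from pam.conf(5)), showing why the quoted
# stack never reaches pam_exec.so. Module outcomes are constructed assumptions.

KEYWORDS = {"required":   {"success": "ok",   "default": "bad"},     # keyword flags
            "requisite":  {"success": "ok",   "default": "die"},     # in their
            "sufficient": {"success": "done", "default": "ignore"},  # [value=action]
            "optional":   {"success": "ok",   "default": "ignore"}}  # form

def parse_control(token):
    """'sufficient' or '[success=1 default=ignore]' -> {value: action}."""
    if token.startswith("["):
        return dict(p.split("=", 1) for p in token.strip("[]").split())
    return dict(KEYWORDS[token])

def run_stack(stack, outcomes):
    """stack: [(control, module)]; outcomes: module -> 'success' | 'auth_err'.
    Returns (final result, list of modules actually consulted, in order)."""
    consulted, result, i = [], None, 0            # result None = undecided
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        status = outcomes.get(module, "auth_err")   # unknown module: failing
        action = actions.get(status, actions.get("default", "bad"))
        consulted.append(module)
        if action.isdigit():                        # jump over the next N lines
            result, i = result or status, i + int(action) + 1
            continue
        if action in ("ok", "done") and result is None:
            result = status                         # first decision is recorded ...
        elif action in ("bad", "die") and result != "auth_err":
            result = status                         # ... but a failure overrides an ok
        if action == "die" or (action == "done" and result == "success"):
            break                                   # requisite failure / sufficient ok
        i += 1
    return (result or "perm_denied"), consulted

# The thread's stack with comments removed; pam_exec.so sits after pam_deny.so.
AS_POSTED = [("sufficient", "pam_script.so"), ("[success=1 default=ignore]", "pam_unix.so"),
             ("requisite", "pam_deny.so"), ("required", "pam_permit.so"),
             ("optional", "pam_cap.so"), ("sufficient", "pam_exec.so"),
             ("optional", "pam_script.so")]
REORDERED = [("sufficient", "pam_exec.so")] + AS_POSTED[:5]   # OAuth2 check first
# Assumed: the local modules reject a Keycloak-only user, pam_exec.so accepts it.
OUTCOMES = {"pam_script.so": "auth_err", "pam_unix.so": "auth_err", "pam_deny.so": "auth_err",
            "pam_permit.so": "success", "pam_cap.so": "success", "pam_exec.so": "success"}

if __name__ == "__main__":
    for name, stack in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, run_stack(stack, OUTCOMES))
```

As posted, the requisite pam_deny.so line ends the walk before pam_exec.so is ever consulted, which is the failure the logs show; the same model also shows that if the first, sufficient pam_script.so line returns success (its script exiting 0), the stack stops there with success before any module has checked the password, so a sufficient line that always succeeds is worth checking for when reviewing this kind of stack.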
