Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support External PAM Auth Modules #3929

Closed
benarent opened this issue Jun 27, 2020 · 0 comments · Fixed by #3966
Closed

Support External PAM Auth Modules #3929

benarent opened this issue Jun 27, 2020 · 0 comments · Fixed by #3966
Assignees
@awly
Labels
c-q7j Internal Customer Reference
Milestone
4.4 "Rome"

Comments

@benarent
Copy link
Contributor

Feature Request

We've a customer who would like to enable a 3rd party Auth PAM module, specifically https://duo.com/docs/duounix#overview

Motivation

By adding another check prior to a session starts, Teleport users are able to have another 2nd factor check. We can start by integrating with another provider, and should consider brining it in-house as part of #3878

Who's it for?

OSS User, Pro, Enterprise
@benarent benarent added the c-q7j Internal Customer Reference label Jun 27, 2020
@benarent benarent added this to the 4.4 "Rome" milestone Jun 27, 2020
awly pushed a commit that referenced this issue Jul 2, 2020
pam: trigger pam_authenticate on login
5c318d3 
This will trigger any "auth" PAM modules configured on the system for
teleport. For example, Duo 2FA prompt on each connection.
The module will be able to interact with the user (e.g. print prompts).

Also, make PAM env var propagation consistent for port forwarding
sessions.

Fixes #3929
@awly awly mentioned this issue Jul 2, 2020
Merged
awly pushed a commit that referenced this issue Jul 8, 2020
pam: trigger pam_authenticate on login
ce5088f 
This will trigger any "auth" PAM modules configured on the system for
teleport. For example, Duo 2FA prompt on each connection.
The module will be able to interact with the user (e.g. print prompts).

Also, make PAM env var propagation consistent for port forwarding
sessions.

Fixes #3929
awly pushed a commit that referenced this issue Jul 9, 2020
pam: trigger pam_authenticate on login
e077d8c 
This will trigger any "auth" PAM modules configured on the system for
teleport. For example, Duo 2FA prompt on each connection.
The module will be able to interact with the user (e.g. print prompts).

Also, make PAM env var propagation consistent for port forwarding
sessions.

Fixes #3929
awly pushed a commit that referenced this issue Jul 10, 2020
pam: trigger pam_authenticate on login (#3966)
78c2a31 
* pam: trigger pam_authenticate on login

This will trigger any "auth" PAM modules configured on the system for
teleport. For example, Duo 2FA prompt on each connection.
The module will be able to interact with the user (e.g. print prompts).

Also, make PAM env var propagation consistent for port forwarding
sessions.

Fixes #3929

* Revamp PAM testing stack

- update PAM policies and module for "auth" step
- use pam_teleport.so from the repo directory instead of guessing
  OS-specific global path
- add tests covering all failure scenarios and generally refactor PAM
  tests

* Build pam_teleport.so during buildbox build inside docker

This removes the need for libpam-devel on the host and reliably compiles
pam_teleport.so in our CI pipeline.
As part of this, combine build.assets/pam/ and modules/pam_teleport to
avoid the need to sync them.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@awly awly

Labels
c-q7j Internal Customer Reference
Projects
None yet
Milestone
4.4 "Rome"
Development

Successfully merging a pull request may close this issue.

pam: trigger pam_authenticate on login gravitational/teleport
2 participants
@benarent @awly