Mar 10th, 2016
# /etc/pam.d/sshd
# =========================================================

#%PAM-1.0

auth required pam_sepermit.so

# OTP Check
# On success the next rule (pam_deny.so) is skipped; any other result falls through to it.
# nosslhostnameverify/nosslcertverify turn off TLS verification of the LinOTP server,
# and debug makes pam_linotp write the submitted OTP to syslog.
auth [success=1 default=ignore] pam_python.so /lib/security/pam_linotp.py nosslhostnameverify nosslcertverify url=https://mylinotpsrv.local/validate/simplecheck realm=MYDOMAIN debug
auth requisite pam_deny.so

auth substack password-auth
auth include postlogin

# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin

# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare

/var/log/secure
====================================================================================================

Mar 9 15:25:09 mflinux01 sshd[8215]: Set /proc/self/oom_score_adj to 0
Mar 9 15:25:09 mflinux01 sshd[8215]: Connection from 192.168.0.13 port 33926 on 192.168.0.12 port 22
Mar 9 15:25:09 mflinux01 sshd[8215]: Postponed keyboard-interactive for vdn@MYDOMAIN.LOC from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:17 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for vdn@MYDOMAIN.LOC from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:20 mflinux01 sshd[8217]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.13 user=vdn@MYDOMAIN.LOC
Mar 9 15:25:20 mflinux01 sshd[8220]: pam_krb5[8220]: got error -1 (Unknown code ____ 255) while obtaining tokens for cern.ch
Mar 9 15:25:20 mflinux01 sshd[8215]: Postponed keyboard-interactive/pam for vdn@MYDOMAIN.LOC from 192.168.0.13 port 33926 ssh2 [preauth]
Mar 9 15:25:20 mflinux01 sshd[8215]: Accepted keyboard-interactive/pam for vdn@MYDOMAIN.LOC from 192.168.0.13 port 33926 ssh2
Mar 9 15:25:20 mflinux01 sshd[8215]: fatal: PAM: pam_setcred(): Failure setting user credentials

/var/log/messages
====================================================================================================
Mar 9 15:25:01 mflinux01 systemd: Created slice user-988.slice.
Mar 9 15:25:01 mflinux01 systemd: Starting user-988.slice.
Mar 9 15:25:01 mflinux01 systemd: Started Session 12 of user pcp.
Mar 9 15:25:01 mflinux01 systemd: Starting Session 12 of user pcp.
Mar 9 15:25:03 mflinux01 systemd: Removed slice user-988.slice.
Mar 9 15:25:03 mflinux01 systemd: Stopping user-988.slice.
Mar 9 15:25:09 mflinux01 pam_linotp[8217]: start pam_linotp.py authentication: 1, ['/lib/security/pam_linotp.py', 'nosslhostnameverify', 'nosslcertverify', 'url=https://192.168.0.14/validate/simplecheck', 'realm=MYDOMAIN', 'debug']
Mar 9 15:25:09 mflinux01 pam_linotp[8217]: got no password in authtok - trying through conversation
Mar 9 15:25:16 mflinux01 pam_linotp[8217]: got password: 932410
Mar 9 15:25:16 mflinux01 pam_linotp[8217]: calling url https://192.168.0.14/validate/simplecheck {'realm': 'MYDOMAIN', 'user': 'vdn@MYDOMAIN.LOC', 'pass': '932410'}
Mar 9 15:25:17 mflinux01 pam_linotp[8217]: :-)
Mar 9 15:25:17 mflinux01 pam_linotp[8217]: user successfully authenticated
Mar 9 15:25:20 mflinux01 sshd: Please note: pam_linotp does not support setcred