[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: PAM Questions RE: S/Key



jafo@tummy.com writes:
> First, a quick overview.  S/Key has an skey.access file that allows you to
> allow or deny users from using their UNIX password based on certain criteria
> (uid, port name, remote system name, etc).  If you fail this test, you are
> REQUIRED to use an S/Key, otherwise you can use an S/Key *OR* your UNIX
> password.
> 
> So far, so good.  The skey.access stuff is all working, and in fact the S/Key
> password works fine.  However, I'm having problems with the interaction with
> the rest of the system.  It doesn't look like there's a return code for
> "AUTH_FAILED_CONTINUE_ANYWAY".
>
> It seems like the closest thing I can get to correct is setting up both
> pam_skey2 and pam_unix_auth as required.  However, that doesn't give me
> the ability for S/Key to fail, but still reject the UNIX password.  It
> seems like the best I can do is mark pam_skey2 as required, and have it
> return PAM_SUCCESS in the event that the authentication failed, but a
> UNIX password is permitted, and only return PAM_AUTH_ERR when the UNIX
> password is not allowed and the skey fails.  Otherwise it would return
> PAM_SUCCESS.


I think you can make the S/Key module "sufficient" and make the
UNIX module "required". If S/Key works then the UNIX module won't get
called. If it fails, the UNIX module gets called and must succeed.

Does that make sense?

> 
> I'm suspecting this is a problem with the FTP daemon's implementation of
> PAM.  It looks like the message that's getting sent is getting terminated
> prematurely (the 530 line without a '-').  A normal login looks like this:

Could be, I'm not familiar with the way Linux ftpd handles PAM. I seem
to recall the Solaris ftpd had some problems with certain PAM modules.
I seem to recall the problem was related to the design of ftpd and PAM's
use of conversation functions (i.e., in ftpd, you can't really do the
pam_auth call until you have the username and password). I hacked up a
version of ftpd that worked, but it wasn't a pretty sight. Someone
working on the Linux PAMified version of ftpd can probably comment
on how it should behave with S/Key.

roland
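What Roland describes, written out as a Linux-PAM service file (an added illustration, not configuration from the original thread or from either module's documentation; the path /etc/pam.d/ftp and the module filenames pam_skey2.so and pam_unix_auth.so are assumed from the module names used in the thread and may differ on your system):

```conf
# /etc/pam.d/ftp   (assumed service name; use whatever your ftpd calls pam_start() with)
#
# "S/Key or UNIX password" stack, in this order:
#   pam_skey2 returns PAM_SUCCESS  -> the auth stack returns success immediately,
#                                     pam_unix_auth is never consulted
#   pam_skey2 returns PAM_AUTH_ERR -> "sufficient" makes that failure non-fatal,
#                                     control falls through to pam_unix_auth,
#                                     which is "required" and so must succeed
auth    sufficient    pam_skey2.so
auth    required      pam_unix_auth.so
```

Two properties of "sufficient" are worth checking against this layout. First, a sufficient module's success only short-circuits the stack when no earlier required module has already failed, which is why pam_skey2 is listed first. Second, a sufficient module's failure is simply ignored, so with this ordering every S/Key failure reaches pam_unix_auth; the stack control flags alone cannot express "S/Key failed and skey.access says the UNIX password is not allowed either", which is the case jafo raises above. That rule still has to be decided inside pam_skey2 (by what it returns when the fallback is denied), not by the ordering of the two lines.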


