
Re: PAM Questions RE: S/Key



>I think you can make the S/Key module "sufficient" and make the
>UNIX module "required". If S/Key works then the UNIX module won't get
>called. If it fails, the UNIX module gets called and must succeed.

That sounds close.  However, the case I'm having problems with is
when the S/Key auth fails and the Unix password should NOT be used.
Perhaps setting the PAM_AUTHTOK to an empty string would work well
enough?

I had tried setting S/Key as sufficient:

login	auth       required	/lib/security/pam_securetty.so	
login	auth       sufficient	/lib/security/pam_skey2.so
login	auth       required	/lib/security/pam_unix_auth.so	
login	account    required	/lib/security/pam_unix_acct.so	
login	password   required	/lib/security/pam_unix_passwd.so	
login	session    required	/lib/security/pam_unix_session.so	

But it wasn't doing what I wanted.  It seemed that if the skey2 PAM
failed (like I entered my UNIX password), it would not work with the
unix_auth PAM.  However, I found that if I set both skey2 and unix_auth
to sufficient, I could use either.  Note that in skey2, I do set the
PAM_AUTHTOK so that the unix_auth could use it later.

I just checked it.  If I set it as above, I can ONLY use the skey,
entering my unix password doesn't work.  Ah, the reason that setting
them both to "sufficient" would allow both passwords to work was that
it was allowing ANY password to work...  It seems that perhaps the password
that's being entered into my skey module isn't getting propagated to the
unix_auth PAM.

Sean
-- 
 "Science exists to lend belief to sci-fi movies."
Sean Reifschneider, Inimitably Superfluous <jafo@tummy.com>
URL: <http://www.tummy.com/xvscan>  HP-UX/Linux/FreeBSD X11 scanning software.
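
Added example, not part of the original message: a small Python model of how Linux-PAM combines "required" and "sufficient" results for the auth stacks discussed above. It shows that with both pam_skey2 and pam_unix_auth marked sufficient, their failures are ignored and the successful required pam_securetty result decides the outcome, so any password is accepted. The module outcomes and the appended pam_deny line are assumptions made for the illustration.

```python
# Added illustration, not code from the post. Models Linux-PAM's documented
# "required"/"sufficient" semantics; module outcomes are constructed inputs.
SUCCESS, FAILURE = "success", "failure"

def run_stack(stack, results):
    """stack: [(control, module)] in file order; results: module -> bool.
    Returns (verdict, modules actually called)."""
    required_failed = False
    anything_passed = False
    called = []
    for control, module in stack:
        called.append(module)
        ok = results[module]
        if control == "required":
            if ok:
                anything_passed = True
            else:
                required_failed = True      # remembered, stack keeps running
        elif control == "sufficient":
            if ok and not required_failed:
                return SUCCESS, called      # short-circuit: later modules skipped
            # otherwise the result is ignored: a failed "sufficient" module
            # does not by itself fail the stack
        else:
            raise ValueError(f"unsupported control flag: {control}")
    if required_failed or not anything_passed:
        return FAILURE, called
    return SUCCESS, called

TTY = ("required", "pam_securetty")
AS_POSTED = [TTY, ("sufficient", "pam_skey2"), ("required", "pam_unix_auth")]
BOTH_SUFFICIENT = [TTY, ("sufficient", "pam_skey2"), ("sufficient", "pam_unix_auth")]
# Assumption: pam_deny (a stock Linux-PAM module that always fails) appended
# as a backstop; it is not part of the configuration in the post.
WITH_DENY = BOTH_SUFFICIENT + [("required", "pam_deny")]

# Constructed outcomes: login from a secure tty; pam_deny never succeeds.
GARBAGE = {"pam_securetty": True, "pam_skey2": False,
           "pam_unix_auth": False, "pam_deny": False}
SKEY_OK = dict(GARBAGE, pam_skey2=True)
UNIX_OK = dict(GARBAGE, pam_unix_auth=True)

if __name__ == "__main__":
    stacks = [("as posted", AS_POSTED), ("both sufficient", BOTH_SUFFICIENT),
              ("with pam_deny", WITH_DENY)]
    for name, stack in stacks:
        for label, res in [("garbage", GARBAGE), ("skey ok", SKEY_OK), ("unix ok", UNIX_OK)]:
            print(f"{name:16} {label:8} -> {run_stack(stack, res)}")
```

In this model a stack whose real authentication modules are all "sufficient" only rejects bad input when a failing "required" module, such as the pam_deny backstop, follows them.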


