
Re: PAM Questions RE: S/Key



jafo@tummy.com wrote:
> That sounds close.  However, the case I'm having problems with is
> when the S/Key auth fails and the Unix password should NOT be used.
> Perhaps setting the PAM_AUTHTOK to an empty string would work well
> enough?

A long while back we looked at this sort of thing. There really is no clean
solution. One proposal was to have PAM_FAIL_NOW added to the module return
codes (this would instruct the pam_authenticate() function to fail
immediately without passing control to the remaining stacked modules). This
suggestion did not find favor with Sun.

The second solution (and the only one suggested that didn't clash with the
existing specs, and didn't require the user entering a password that was
basically ignored) was to add the argument "use_first_pass" to the unix
module entry in pam.conf (but making sure that the skey module does NOT set
PAM_AUTHTOK). The correct behavior for the unix module in this situation is
to fail without prompting for a password since PAM_AUTHTOK is not set.
Unfortunately, I cannot say if this flag was implemented in Red Hat's
unix_module.

[ It is implemented in the unix module of .52, but if you are likely to need
NIS support, you should be aware that the module in this release is silently
incompatible with NIS :( ]

Best wishes

Andrew

PS. pam_skey2 will be listed in the module makefile of .53 [weeks away
still...] Thanks for the info and your contribution...
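The use_first_pass behavior described in the message above, as an added example that is not part of the original post and is not Linux-PAM code: a small self-contained C model of a two-module stack. The struct, function names, sample credentials and the "sufficient"/"required" control flags are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the libpam return codes and the PAM_AUTHTOK item. */
enum { AUTH_OK = 0, AUTH_ERR = 1 };
struct handle { const char *authtok; int prompts; };

/* Model S/Key module: one challenge prompt; it never stores anything in authtok. */
static int skey_auth(struct handle *h, const char *response) {
    h->prompts++;
    return strcmp(response, "GOOD-OTP") == 0 ? AUTH_OK : AUTH_ERR; /* constructed OTP */
}

/* Model unix module: honours use_first_pass as described in the message. */
static int unix_auth(struct handle *h, int argc, const char **argv, const char *typed) {
    int use_first_pass = 0;
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "use_first_pass") == 0) use_first_pass = 1;
    const char *pw = h->authtok;
    if (pw == NULL) {
        if (use_first_pass) return AUTH_ERR;  /* no token set: fail, do not prompt */
        h->prompts++;                         /* default: ask for the Unix password */
        pw = typed;
    }
    return strcmp(pw, "unix-secret") == 0 ? AUTH_OK : AUTH_ERR; /* constructed password */
}

/* Assumed stack: skey "sufficient", then unix "required". Returns the stack result. */
int run_stack(struct handle *h, const char *otp, int argc, const char **argv,
              const char *typed) {
    h->authtok = NULL;
    h->prompts = 0;
    if (skey_auth(h, otp) == AUTH_OK) return AUTH_OK;
    return unix_auth(h, argc, argv, typed);
}

int main(void) {
    struct handle h;
    const char *ufp[] = { "use_first_pass" };
    int r = run_stack(&h, "BAD-OTP", 0, NULL, "unix-secret");
    printf("no flag:        result=%d prompts=%d\n", r, h.prompts);
    r = run_stack(&h, "BAD-OTP", 1, ufp, "unix-secret");
    printf("use_first_pass: result=%d prompts=%d\n", r, h.prompts);
    return 0;
}
```

Without the flag, a failed S/Key attempt falls through to a Unix password prompt; with it, the unix entry fails without prompting because nothing set the token.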


