[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Authentication based on network address ?



Hello everybody,

I've got a small configuration/understanding problem...

Since PAM is said to be flexible in the authentication method to use,
I'd like to set up the following policy for telnet access:

* local logins (on the console of the linux box) shall using standard unix password
  authentication (using pam_pwdb)
* Telnet logins from the local ethernet shall be presented a
  One-Time-Password (ie, S/Key or OPIE) but may also login using
  their normal password)
* Off-site access shall be granted via S/Key or OPIE only.

Now the question is: Given all the flexibility of PAM, how does one
configure this ?

After reading all the docs I came up with /etc/pam.d/login

 auth   required       /lib/security/pam_securetty.so
 auth   sufficient     /lib/security/pam_skey.so
 auth   required       /lib/security/pam_pwdb shadow md5
 auth   required       /lib/security/pam_nologin.so
 
Now thats not quite what I wanted to do - because local users always get the
S/Key-Prompt first, and off-site people can login using normal passwds too.

Any ideas ? Do I need other modules ?

Part of the problem is that I noticed that it seems not to be possible to have
separate configuration files for local logins and for telnet logins (because
in.telnetd calls login). Can this be changed ?

--
Mario Lorenz                        Email: <ml@vdazone.org>
Penguin on board!                   AX25: DL5MLO@OK0PKL.#BOH.CZE.EU



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []