Re: Help! PAM & S/Key

On Mon, 1 Jun 1998, Richard Hakim wrote:

> Basically, I want to use s/key authentication for all non-local logins,
> but logins at the console should use standard unix logins. Now that I
> have RedHat 5.1, my pam is controlled through the /etc/pam.d
> directory.  I've tried creating a telnet file in that directory with the
> line
> auth    required        /lib/security/pam_skey.so
> in it, but that doesn't work.  I've thought about using the login file
> (where it does work) but can't think of a way of distinguishing local vs
> remote logins.

Well, I don't know anything about s/key, but I can tell you why
/etc/pam.d/telnet doesn't do anything: in.telnetd doesn't do the
authentication.  in.telnetd invokes '/bin/login', the same as a
getty or mingetty would, and login always tells PAM that its
service name is 'login'.

That said, it should be possible to rebuild in.telnetd to exec another
version of login (say, /bin/remotelogin) which itself was built to use a
different PAM service name, and would therefore use a different
configuration file.

I don't know if this opens up any security holes, but it should get the
job done.  If I'm flat-out wrong here, I hope someone will correct me.
Anyone know of an easier way?
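
An added illustration, not part of the original message or of any project's code: a small shell check of which file in a pam.d-style directory a PAM service name selects, and which files no service name ever selects (the situation of the `telnet` file above). It assumes Linux-PAM's lookup of `<dir>/<service>` with fallback to `<dir>/other`; `remotelogin` is the hypothetical service name from the reply, and the sample directory is constructed.

```shell
#!/bin/sh
# Linux-PAM reads <dir>/<service>; if that file is absent it uses <dir>/other.
pam_file_for() {  # usage: pam_file_for DIR SERVICE
    if [ -f "$1/$2" ]; then
        printf '%s\n' "$2"
    elif [ -f "$1/other" ]; then
        printf '%s\n' "other"
    else
        return 1
    fi
}

# Print config files in DIR that none of the given service names selects.
# The caller supplies the names that programs really pass to PAM.
unused_configs() {  # usage: unused_configs DIR SERVICE...
    dir=$1; shift
    for f in "$dir"/*; do
        if [ ! -f "$f" ]; then continue; fi
        name=${f##*/}
        if [ "$name" = other ]; then continue; fi
        used=no
        for svc in "$@"; do
            if [ "$svc" = "$name" ]; then used=yes; fi
        done
        if [ "$used" = no ]; then printf '%s\n' "$name"; fi
    done
}

# Constructed sample layout: a telnet file that nothing asks for, plus the
# hypothetical remotelogin service. Stack contents other than the s/key
# line quoted in the thread are left out.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'auth required /lib/security/pam_skey.so\n' > "$d/telnet"
    printf 'auth required /lib/security/pam_skey.so\n' > "$d/remotelogin"
    printf '# standard unix stack (contents omitted)\n' > "$d/login"
    printf '# fallback stack (contents omitted)\n' > "$d/other"
    printf '%s\n' "$d"
}

# Demo: with only /bin/login present, the s/key files are never read.
d=$(make_sample_dir)
echo "login reads:    $(pam_file_for "$d" login)"
echo "never selected: $(unused_configs "$d" login | tr '\n' ' ')"
rm -rf "$d"
```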


