
A PAM OPIE configuration



Just to share with the world.

I have written some PAM OPIE modules, which I use on a Redhat system.
(source in following messages). Here is a working /etc/pam.d/login

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_opie.so debug
auth       requisite    /lib/security/pam_opietrust.so debug
auth       sufficient   /lib/security/pam_pwdb.so shadow try_first_pass
auth       required     /lib/security/pam_pwdb.so shadow
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so

What this does is do the "regular" securetty and nologin handling,
then try an OPIE challenge/response. If it succeeded, the "sufficient"
flag lets them log in. If it fails, the opietrust module implements
the "/etc/opieaccess" functionality. If that works, then regular
password handling is done. The first instance of pam_pwdb tries to use
the response that the pam_opie module didn't like. If that wasn't
good, the second pam_pwdb does a regular password prompt.
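
Added example, not part of the original message and not the poster's module source: a simplified model of the classic Linux-PAM control flags (required, requisite, sufficient) run over the auth lines of the configuration above. The scenario names and the sets of failing modules are constructed, and "pam_pwdb(try_first_pass)" is only a label for the first pam_pwdb line.

```python
# Simplified model of Linux-PAM's classic control flags (added example).
AUTH_STACK = [  # (control flag, module), copied from the posted auth lines
    ("required",   "pam_securetty"),
    ("required",   "pam_nologin"),
    ("sufficient", "pam_opie"),
    ("requisite",  "pam_opietrust"),
    ("sufficient", "pam_pwdb(try_first_pass)"),
    ("required",   "pam_pwdb"),
]

def evaluate(stack, failing):
    """Return (granted, modules_run) given the set of modules that fail."""
    required_failed = False
    ran = []
    for control, module in stack:
        ran.append(module)
        ok = module not in failing
        if control == "requisite" and not ok:
            return False, ran        # fail at once, later modules never run
        if control == "required" and not ok:
            required_failed = True   # remembered, but the stack keeps going
        if control == "sufficient" and ok and not required_failed:
            return True, ran         # succeed at once, later modules never run
        # a failing "sufficient" module is simply ignored
    return not required_failed, ran

# Constructed scenarios: each value is the set of modules assumed to fail.
SCENARIOS = {
    "valid OPIE response": set(),
    "bad OPIE, opietrust refuses": {"pam_opie", "pam_opietrust"},
    "password typed at OPIE prompt": {"pam_opie"},
    "password at second prompt": {"pam_opie", "pam_pwdb(try_first_pass)"},
    "nothing valid": {"pam_opie", "pam_pwdb(try_first_pass)", "pam_pwdb"},
    "valid OPIE, but securetty fails": {"pam_securetty"},
}

if __name__ == "__main__":
    for name, failing in SCENARIOS.items():
        granted, ran = evaluate(AUTH_STACK, failing)
        verdict = "GRANT" if granted else "DENY"
        print(f"{name:34} {verdict:5} stopped after {ran[-1]}")
```

The last scenario shows a case the description does not spell out: once a "required" module has failed, a later "sufficient" success no longer ends the stack, so a valid OPIE response cannot override pam_securetty or pam_nologin.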


