Help using skey with ssh
pam at madsteer.com
Fri Aug 13 22:00:48 UTC 2004
pam at madsteer.com wrote:
>> session required pam_stack.so service=system-auth
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>Check and see which modules are getting pulled in by these calls to
>pam_stack.so. Look at /etc/pam.d/system-auth.
>
>Red Hat, RH-derived, and a number of other systems use this to allow easy
>changes to the authentication method(s) usable by ALL (or most) services.
>
>-kgd
Here's what it looks like:
#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
I'm assuming all the magic is happening in pam_unix. A quick look at /usr/doc/pam-0.77/modules/README.pam_unix.gz shows the possible options as:
The following options are recognized:
        debug          - log more debugging info
        audit          - a little more extreme than debug
        use_first_pass - don't prompt the user for passwords,
                         take them from PAM_ items instead
        try_first_pass - don't prompt the user for the passwords
                         unless PAM_(OLD)AUTHTOK is unset
        use_authtok    - like try_first_pass, but *fail* if the new
                         PAM_AUTHTOK has not been previously set
                         (intended for stacking password modules only)
        not_set_pass   - don't set the PAM_ items with the passwords
                         used by this module
        shadow         - try to maintain a shadow based system
        md5            - when a user changes their password next,
                         encrypt it with the md5 algorithm
        bigcrypt       - when a user changes their password next,
                         encrypt it with the DEC C2 algorithm(0)
        nodelay        - used to prevent failed authentication
                         resulting in a delay of about 1 second
        nis            - use NIS RPC for setting new password
        remember=X     - remember X old passwords, they are kept in
                         /etc/security/opasswd in MD5 crypted form
        broken_shadow  - ignore errors reading shadow information for
                         users in the account management module
None of these options jump out as being much help. I've seen web docs that talk about skey PAM modules, but they're all so old. Furthermore, I don't see them in /etc/pam.d, and skey works (just not without getting a passwd prompt first).
Thanks,
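As an added example (not code from this thread or from the pam_unix project), the following Python script follows the pam_stack.so service=NAME indirection that kgd describes and returns the effective module stack for one service, so you can see which module's prompt a user hits first. The sshd and system-auth files it reads are constructed samples modelled on the system-auth posted above, not real system files.

```python
# Added example, not from the thread: flatten a Red Hat style PAM stack by
# following pam_stack.so service=NAME, to see which modules really run.
# The two files below are constructed samples modelled on the poster's setup.
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
""",
    "system-auth": """\
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
""",
}

def parse(service):
    """Yield (type, control, module basename, args) for one /etc/pam.d file."""
    for line in PAM_FILES[service].splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            parts = line.split()
            yield parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]

def flatten(service, mtype, depth=0):
    """Effective module list for one type (auth/account/...), includes resolved."""
    if depth > 8:                               # guard against include loops
        raise RuntimeError("pam_stack.so include loop")
    stack = []
    for t, control, module, args in parse(service):
        if t != mtype:
            continue
        if module == "pam_stack.so":
            target = [a[8:] for a in args if a.startswith("service=")][0]
            stack.extend(flatten(target, mtype, depth + 1))
        else:
            stack.append((control, module, args))
    return stack

def first_sufficient(stack):
    """First 'sufficient' module: the one whose prompt the user meets first."""
    for control, module, _ in stack:
        if control == "sufficient":
            return module
    return None
```

With the sample files, flatten("sshd", "auth") shows pam_unix.so as the first sufficient module, which is why a password prompt appears before anything stacked after it gets a turn.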