writing custom pam!!!
Nick Owen
nowen at wikidsystems.com
Thu Jun 14 14:26:41 UTC 2007
Lisa:
I'm a bit confused by your questions too, but I think I can help as I
have documented a lot of "how to use WiKID one-time passcodes with x"
setups (http://www.wikidsystems.com/documentation/howtos/). Most should
be applicable to whatever OTP system you are using.
If you are looking to validate a user against Active Directory as well
as against a one-time password system, then I recommend that you use
pam_radius pointed to Microsoft's radius server ISA. ISA (2003 or
greater, IIRC) will validate that the user is in AD and then proxy the
request to a radius server and it is included in server 2003. You can
find some info here: http://tinyurl.com/2cofys
http://www.wikidsystems.com/documentation/howtos/how-to-configure-the-microsoft-isa-server-to-support-two-factor-authentication-from-wikid/
For apache, if you're sticking with radius, I suggest mod_auth_radius:
http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
or mod_auth_xradius:
http://www.howtoforge.com/apache_radius_two_factor_authentication
Be warned that I had issues with versions of Apache later than Apache
2.2.2-10 and mod radius.
If your project is to create a custom PAM module, please let me know. We
would love to have a WiKID PAM module to go with our open source server.
HTH,
Nick
lisa laam wrote:
> Hi,
>
>
> I have a trainee.
> - I have to write a module which should be able to authenticate users
> with username and password concatenated to OTP (One Time Password)
> rather than only password.
> - This module should be able to authenticate first the user within
> Active Directory and then validate the OTP.
> - The module that validates the OTP is a Servlet (JAVA module), and I
> should use it for OTP validation.
>
> - What I should implement is a proof of concept.
>
> - After studying the different AAA (radius, kerberos, ..) servers, I
> propose to use Freeradius to integrate this module for remote access
> (for a simple proof of concept). My choice was based on the fact that
> the Radius protocol is highly supported.
> - For web access I thought of writing a module (PAM module) for an Apache
> Server. Your comment?
>
> - The first problem is that I have only two months left to implement one
> of the two solutions (Apache or Radius), so I should choose rapidly.
> Which of the two is easiest to implement?
> - The second problem is that this is the first time I deal with
> Freeradius, PAM, Apache.
>
> My questions are:
>
> 2- If I used Freeradius, then what would be easy and rapid to implement:
> a PAM module or using JRadius (I tried to install the JRadius patch, but
> didn't succeed)? Do you advise JRadius (I thought about JRadius
> because the OTP validation programme is written in JAVA)?
> 3- About PAM modules, I understand that we could use this independently
> from the Freeradius server. Is this true? Would it be easier and faster to
> implement a standalone PAM?
>
> Please, I need your advice. Help me to choose:
>
> - Freeradius + PAM or
> - Freeradius + JRadius or
> - Freeradius + what? or
> - Apache + PAM or
> - standalone PAM? or
> - what
>
> Thanks in advance
>
>
> Lisa
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
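
Added example, not part of the original thread or of any WiKID or FreeRADIUS code: the credential-splitting step a custom module would need for the "password concatenated to OTP" format in the quoted question, with the directory check run before the OTP check. It assumes a fixed-length 6-digit OTP appended to the password; all function names, the size limits and the demo_* stand-in backends with their sample secrets are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define OTP_LEN 6    /* assumption: fixed-length numeric OTP */
#define MAX_PW  128  /* assumption: upper bound on the password part */

/* Hypothetical backend hook: returns 0 when (user, secret) is accepted. */
typedef int (*check_fn)(const char *user, const char *secret);

/* Split "password" + "OTP" typed into one field; 0 on success, -1 otherwise. */
int split_password_otp(const char *tok, char *pw, size_t pw_size, char *otp)
{
    size_t len, pw_len, i;

    if (tok == NULL || pw == NULL || otp == NULL || pw_size == 0)
        return -1;
    pw[0] = otp[0] = '\0';
    len = strlen(tok);
    if (len <= OTP_LEN || len > MAX_PW + OTP_LEN) /* no password, or oversize */
        return -1;
    pw_len = len - OTP_LEN;
    if (pw_len >= pw_size)
        return -1;
    for (i = 0; i < OTP_LEN; i++)                 /* OTP must be ASCII digits */
        if (tok[pw_len + i] < '0' || tok[pw_len + i] > '9')
            return -1;
    memcpy(pw, tok, pw_len);
    pw[pw_len] = '\0';
    memcpy(otp, tok + pw_len, OTP_LEN);
    otp[OTP_LEN] = '\0';
    return 0;
}

/* Directory password first, then the OTP; both must pass. 0 on success. */
int authenticate(const char *user, const char *tok, check_fn dir, check_fn otp_srv)
{
    char pw[MAX_PW + 1], otp[OTP_LEN + 1];
    volatile char *p;
    size_t i;
    int rc = -1;
    if (dir && otp_srv && split_password_otp(tok, pw, sizeof pw, otp) == 0 &&
        dir(user, pw) == 0 && otp_srv(user, otp) == 0)
        rc = 0;
    /* Wipe the local copies; volatile stores are not optimized away. */
    for (p = pw, i = 0; i < sizeof pw; i++) p[i] = 0;
    for (p = otp, i = 0; i < sizeof otp; i++) p[i] = 0;
    return rc;
}
/* Constructed stand-ins for the real backends (directory bind, OTP servlet). */
int demo_dir(const char *u, const char *s) { (void)u; return strcmp(s, "s3cret") ? -1 : 0; }
int demo_otp(const char *u, const char *s) { (void)u; return strcmp(s, "492817") ? -1 : 0; }
```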