writing custom pam!!!

Nick Owen nowen at wikidsystems.com
Thu Jun 14 14:26:41 UTC 2007


Lisa:

I'm a bit confused by your questions too, but I think I can help as I
have documented a lot of "how to use WiKID one-time passcodes with x"
setups (http://www.wikidsystems.com/documentation/howtos/).  Most should
be applicable to whatever OTP system you are using.

If you are looking to validate a user against active directory as well
as against a one-time password system, then I recommend that you use
pam_radius pointed to Microsoft's radius server ISA.  ISA (2003 or
greater, IIRC) will validate that the user is in AD and then proxy the
request to a radius server and it is included in server 2003.   You can
find some info here: http://tinyurl.com/2cofys
http://www.wikidsystems.com/documentation/howtos/how-to-configure-the-microsoft-isa-server-to-support-two-factor-authentication-from-wikid/

For apache, if you're sticking with radius, I suggest mod_auth_radius:
http://www.wikidsystems.com/documentation/howtos/how-to-add-two-factor-authentication-to-apache/
or mod_auth_xradius:
http://www.howtoforge.com/apache_radius_two_factor_authentication
Be warned that I had issues with versions of apache later than Apache
2.2.2-10 and mod radius.

If your project is to create a custom PAM module, please let me know. We
would love to have a WiKID PAM module to go with our open source server.

HTH,

Nick

lisa laam wrote:
> Hi,
> 
> 
> I have a trainee.
> - I have to write a module which should be able to authenticate users
> with username and password concatenated to OTP (One Time Password)
> rather than only password.
> - This module should be able to authenticate first the user within
> Active Directory and then validate the OTP.
> - The module that validates the OTP is a Servlet (Java module), and I should
> use it for OTP validation.
> 
> - What I should implement is a proof of concept.
> 
> - After studying the different AAA (radius, kerberos, ..) servers, I
> propose to use Freeradius to integrate this module for remote access
> (for a simple proof of concept). My choice was based on the fact that
> the Radius protocol is highly supported.
> - For web access I thought of writing a module (PAM module) for an Apache
> Server. Your comment?
> 
> - The first problem is that I have only two months left to implement one
> of the two solutions (Apache or Radius), so I should choose rapidly.
> Which of the two is easiest to implement?
> - The second problem is that this is the first time I deal with
> Freeradius, PAM, Apache.
> 
> My questions are:
> 
> 2- If I used Freeradius, then what would be easy and rapid to implement:
> a PAM module or using JRadius (I tried to install the JRadius patch, but
> didn't succeed)? Would you advise JRadius (I thought about JRadius
> because the OTP validation program is written in Java)?
> 3- About PAM modules, I understand that we could use this independently
> from the Freeradius Server. Is this true? Would it be easier and faster to
> implement a standalone PAM?
> 
> Please, I need your advice. Help me to choose:
> 
> - Freeradius + PAM or
> - Freeradius + JRadius or
> - Freeradius + what? or
> - Apache + PAM or
> - standalone PAM? or
> - what
> 
> thanks in advance
> 
> 
> Lisa
> 
> 

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid
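
Added example, not part of the original thread and not code from WiKID, FreeRADIUS or any PAM module: the flow described in the quoted question (password concatenated with an OTP, directory check first, then OTP validation), written in Python. Assumptions: the OTP is a fixed-length 6-digit suffix; check_directory and check_otp are hypothetical stand-ins for the Active Directory check and the Java OTP servlet; the demo users and codes are constructed.

```python
import hmac
from typing import Callable, Optional, Tuple

OTP_LENGTH = 6  # assumption: the OTP is a fixed-length numeric suffix

Check = Callable[[str, str], bool]


def split_credential(credential: str, otp_length: int = OTP_LENGTH) -> Optional[Tuple[str, str]]:
    """Split 'password' + 'OTP' into (password, otp); None if malformed."""
    if len(credential) <= otp_length:
        return None  # no room for a password in front of the OTP
    password, otp = credential[:-otp_length], credential[-otp_length:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return password, otp


def authenticate(username: str, credential: str, check_directory: Check, check_otp: Check) -> bool:
    """Directory password first, then OTP; one generic failure result."""
    parts = split_credential(credential)
    if parts is None:
        return False
    password, otp = parts
    try:
        # The OTP backend is only consulted once the directory check passed.
        return bool(check_directory(username, password)) and bool(check_otp(username, otp))
    except Exception:
        return False  # fail closed if either backend is unreachable


# Constructed stand-ins for the two backends (hypothetical, demo data only).
DEMO_PASSWORDS = {"alice": "S3cret99"}
DEMO_OTPS = {"alice": "123456"}


def demo_directory(user: str, password: str) -> bool:
    expected = DEMO_PASSWORDS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())


def demo_otp(user: str, otp: str) -> bool:
    expected = DEMO_OTPS.get(user, "")
    if expected and hmac.compare_digest(expected.encode(), otp.encode()):
        del DEMO_OTPS[user]  # a one-time passcode is accepted once
        return True
    return False
```

The caller gets a single True/False, so a client cannot tell which factor was rejected, and a wrong password never reaches the OTP backend.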



