Trouble with pam_unix and pam_opie

Dan Yefimov dan at nf15.lightwave.net.ru
Tue Oct 28 23:42:32 UTC 2008


On 29.10.2008 1:22, Nikolaus Rath wrote:
> Hello,
>
> I am trying to set up a configuration that allows me to log in either
> using my ordinary unix password or using a one time password.
>
> I am using the following configuration:
>
> auth sufficient pam_opie.so
> auth sufficient pam_unix.so nullok_secure try_first_pass
> auth required pam_deny.so
>
>
> This works perfectly with ssh. I immediately can enter either my unix
> password or the correct OTP and I'm logged in.
>
> For some strange reason, the very same configuration does not work for
> imap (cyrus via saslauthd) or Apache (via pwauth) though. Even worse,
> the only log output I can find is from saslauthd (which mediates the
> imap authentication):
>
> Oct 17 18:26:22 ebox saslauthd[21819]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=nikratio
> Oct 17 18:26:23 ebox saslauthd[21819]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
> Oct 17 18:26:23 ebox saslauthd[21819]: do_auth         : auth failure: [user=nikratio] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>
> which really doesn't tell me much. Therefore I'm not even sure where
> to start looking for the problem.
>
> Can someone tell me if there is a way to get a reasonable debug output
> from the pam modules?
>
Commonly, debug output can be obtained by specifying 'debug' as an additional
module command line parameter. For details you can check the READMEs supplied
with the PAM modules. pam_opie in general won't work with saslauthd and Apache
pwauth due to the way they work. You should look for the OTP SASL mechanism
module and Apache OTP authentication module, I'm afraid.
-- 

Sincerely yours, Dan.



