Per-User Authentication with Linux PAM?
Tomas Mraz
tmraz at redhat.com
Wed Feb 17 08:49:04 UTC 2010
On Wed, 2010-02-17 at 09:17 +0100, Alessandro Bottoni wrote:
> Il 16/02/2010 22:20, Marc Weber ha scritto:
> > Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
> >> Hi All,
> >> I'm looking for a way (a module, a technique) to perform the usual
> >> (local) Linux-PAM authentication on a per-user basis. That is: I need to
> >> have a different authentication stack for each user of a Linux machine.
> > Maybe you should talk about the real problem you're trying to solve as
> > well. Maybe there is another simple solution to get your job done?
>
> Hi Marc,
> well, actually, I'm trying to answer a quite strange request in the most
> elegant way I can.
>
> I have to configure a Ubuntu server in such a way that two different
> users will be able to authenticate in the following two different ways.
>
> 1) A "local" user should be able to authenticate at the local/physical
> console using a two-factor scheme based on pam_usb (username, password
> and a USB flash memory). The USB flash memory will be used as a cheap ID
> token.
>
> 2) A "remote" user should be able to authenticate via Internet (via
> telnet/ssh or even via VNC/NX) using a two-factor scheme based on
> pam_obc (username, password and a one-time password sent to the user's
> cellphone via SMS using sendEmail and a free email/SMS gateway). That
> is: the SIM of the cellphone will be used as a commodity ID token.
>
> (Both users will be sudoers and the root account will be disabled, as
> usual on Ubuntu)
>
> The customer explicitly asked for a two-factor (password plus physical
> element) strong authentication so SSH alone is not enough (at least, as
> far as I know). Before falling back to Aladdin's eToken, Yubico's
> Yubikey or RSA SecurID I would like to try a cheaper and more manageable
> solution based on COTS components (USB keys and GSM cellphones).
>
> To be honest, the "local" and "remote" user could be merged into a single
> "generic" profile. We just do not want to send the useless email/SMS
> message when the user authenticates locally using the USB key (and, of
> course, the system must not ask a remote user for his USB key).
>
> Maybe it is possible to use either pam_usb or pam_obc on the same user,
> playing with the order of the configuration lines in the common-auth
> file and/or with the "controls" ("requisite", "required", "sufficient",
> "optional", etc.). I have not tried yet...
You can use jumps in the configuration and pam_succeed_if or
pam_listfile to make the decision. If you had more than two different auth
stacks required, it would make the configuration really ugly, but for
just two different stacks it would be manageable.
Example:
# Placeholder stack: pam_localauth.so / pam_remoteauth.so stand for the real modules.
auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
# Reached when the jump is not taken (pam_succeed_if did not match):
auth sufficient pam_remoteauth.so
auth requisite pam_deny.so
# Reached via the success=2 jump (pam_succeed_if matched):
auth sufficient pam_localauth.so
auth requisite pam_deny.so
The success=2 tells libpam to skip the next two modules if the user
is not in the local user list (the user is not localuser1 or
localuser2).
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
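As an added illustration (not part of Tomas's reply or of Linux-PAM itself), here is a small Python model of how libpam walks the five-line stack above, with pam_localauth.so and pam_remoteauth.so kept as the reply's placeholders and their outcomes stubbed by flags. It shows which modules each kind of user actually reaches, so the jump can be checked before touching /etc/pam.d.

```python
SUCCESS, FAIL = "success", "fail"
# The reply's stack, verbatim (pam_localauth.so / pam_remoteauth.so are its placeholders).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
auth sufficient pam_remoteauth.so
auth requisite pam_deny.so
auth sufficient pam_localauth.so
auth requisite pam_deny.so
"""
def parse_line(line):
    """Split one pam.d line into (control, module, args); handles [bracketed] controls."""
    fields = line.split()
    if fields[1].startswith("["):
        end = next(k for k, f in enumerate(fields) if f.endswith("]"))
        control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
    else:
        control, rest = fields[1], fields[2:]
    return control, rest[0], rest[1:]
STACK = [parse_line(line) for line in COMMON_AUTH.splitlines()]
def run_stack(stack, modules):
    """Simplified libpam walk over an auth stack: (result, modules actually consulted)."""
    consulted, i = [], 0
    while i < len(stack):
        control, name, args = stack[i]
        result = modules[name](args)
        consulted.append(name)
        i += 1
        if control.startswith("[success="):      # [success=N default=ignore]
            if result == SUCCESS:                # jump over the next N lines on success;
                i += int(control[9:].split()[0]) # default=ignore: a failure changes nothing
        elif control == "sufficient":            # success ends the stack, failure is ignored
            if result == SUCCESS:
                return SUCCESS, consulted
        elif control == "requisite":             # failure ends the stack at once
            if result != SUCCESS:
                return FAIL, consulted
    return FAIL, consulted                       # no module granted access
def authenticate(user, usb_ok=False, otp_ok=False):
    """Stub module behaviour for one attempt (constructed; not the real modules)."""
    def succeed_if(args):                        # models only the "user in a:b:c" form
        return SUCCESS if args[:2] == ["user", "in"] and user in args[2].split(":") else FAIL
    modules = {
        "pam_succeed_if.so": succeed_if,
        "pam_localauth.so": lambda args: SUCCESS if usb_ok else FAIL,   # e.g. pam_usb
        "pam_remoteauth.so": lambda args: SUCCESS if otp_ok else FAIL,  # e.g. pam_obc
        "pam_deny.so": lambda args: FAIL,
    }
    return run_stack(STACK, modules)
```

The model deliberately covers only the controls the reply uses (the bracketed jump, sufficient and requisite); required/optional and libpam's full result bookkeeping are left out.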