Per-User Authentication with Linux PAM?
Alessandro Bottoni
alexbottoni at yahoo.it
Wed Feb 17 10:17:37 UTC 2010
Il 17/02/2010 09:49, Tomas Mraz ha scritto:
>> Maybe it is possible to user either pam_usb or pam_obc on the same user,
>> playing with the order of the configuration lines in the common-auth
>> file and/or with the "controls" ("requisite", "required", "sufficient",
>> "optional", etc.). I did not try yet...
>
> You can use jumps in the configuration and pam_succeed_if or
> pam_listfile to do the decision. If you had more than two different auth
> stacks required, it would make the configuration really ugly, but for
> just two different stacks it would be manageable.
>
> Example:
> auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
> auth sufficient pam_remoteauth.so
> auth requisite pam_deny.so
> auth sufficient pam_localauth.so
> auth requisite pam_deny.so
>
> The success=2 tells the libpam to skip the next two modules if the user
> is not in the local user list (the user is not localuser1 or
> localuser2).
Hi Tomas,
many thanks for your suggestion. It looks like it can solve my problem.
I just have a small doubt...
Did you actually mean: "The success=2 tells the libpam to skip the next
two modules if the user is /in/ the local user list (the user is
/either/ localuser1 /or/ localuser2)."
Apparently, if the user is a localuser, then PAM should perform the
pam_localauth authentication. Am I wrong?
Thanks again
--
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/
"Beauty is a form of genius - is higher, indeed, than genius, as it
needs no explanation."
-- Oscar Wilde
More information about the Pam-list
mailing list