Per-User Authentication with Linux PAM?

Alessandro Bottoni alexbottoni at yahoo.it
Wed Feb 17 08:17:45 UTC 2010


On 16/02/2010 22:20, Marc Weber wrote:
> Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
>> Hi All,
>> I'm looking for a way (a module, a technique) to perform the usual
>> (local) Linux-PAM authentication on a per-user basis. That is: I need to
>> have a different authentication stack for each user of a Linux machine.
> Maybe you should talk about the real problem you're trying to solve as
> well. Maybe there is another simple solution to get your job done?

Hi Marc,
well, actually, I'm trying to answer a quite strange request in the most
elegant way I can.

I have to configure an Ubuntu server in such a way that two different
users will be able to authenticate in the following two different ways.

1) A "local" user should be able to authenticate at the local/physical
console using a two-factor scheme based on pam_usb (username, password
and a USB flash memory). The USB flash memory will be used as a cheap ID
token.

2) A "remote" user should be able to authenticate via Internet (via
telnet/ssh or even via VNC/NX) using a two-factor scheme based on
pam_obc (username, password and a one-time password sent to the user's
cellphone via SMS using sendEmail and a free email/SMS gateway). That
is: the SIM of the cellphone will be used as a commodity ID token.

(Both users will be sudoers and the root account will be disabled, as
usual on Ubuntu)

The customer explicitly asked for a two-factor (password plus physical
element) strong authentication so SSH alone is not enough (at least, as
far as I know). Before falling back to Aladdin's eToken, Yubico's
Yubikey or RSA SecurID I would like to try a cheaper and more manageable
solution based on COTS components (USB keys and GSM cellphones).

To be honest, the "local" and "remote" user could be merged into a single
"generic" profile. We just do not want to send the useless email/SMS
message when the user authenticates locally using the USB key (and, of
course, the system must not ask a remote user for his USB key).

Maybe it is possible to use either pam_usb or pam_obc on the same user,
playing with the order of the configuration lines in the common-auth
file and/or with the "controls" ("requisite", "required", "sufficient",
"optional", etc.). I have not tried yet...

Any suggestion?

PS: the reason for such a strange request is that the customer does not
trust the way his employees create and manage their passwords. Hence the
request for a cheap, less-than-perfect two-factor authentication scheme.
-- 

Alessandro Bottoni
Website: http://www.alessandrobottoni.it/

(Machine voice:) Hello. This is HAL 5. You have reached the former
telephone number of Carey Smith. I have taken over the functions of this
inferior being. He has been saved to disk. If you would like to leave
input for his file, do so at the tone.
     -- Answering machine
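
Added example, not part of the original message: a simplified Python model of the four keyword controls named above, used to see which modules a given line order would call and whether access is granted. The two stack orderings and the module outcomes are constructed assumptions; no real pam_unix, pam_usb or pam_obc code is invoked.

```python
# Simplified model of Linux-PAM keyword controls for an auth stack.
# Module outcomes are supplied by the caller; no real PAM module runs.

def run_stack(stack, outcomes):
    """Evaluate (control, module) pairs; return (granted, modules_called)."""
    failed = False      # a required module has failed
    succeeded = False   # at least one module has returned success
    called = []
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "requisite":
            if not ok:
                return False, called      # fail and stop immediately
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True             # remember the failure, keep going
        elif control == "sufficient":
            if ok and not failed:
                return True, called       # success ends the stack here
            # a failing sufficient module is ignored
        elif control == "optional":
            succeeded = succeeded or ok
        else:
            raise ValueError(f"unknown control: {control}")
    return (succeeded and not failed), called

# Hypothetical ordering (an assumption, untested against the real modules):
# password first, then USB key, and the SMS code only if no key was seen.
CANDIDATE = [("requisite", "pam_unix"), ("sufficient", "pam_usb"),
             ("required", "pam_obc")]
# Same lines with pam_usb moved first: the key alone would grant access.
USB_FIRST = [("sufficient", "pam_usb"), ("requisite", "pam_unix"),
             ("required", "pam_obc")]

# Constructed scenarios: which factors the user can present.
LOCAL = {"pam_unix": True, "pam_usb": True, "pam_obc": False}
REMOTE = {"pam_unix": True, "pam_usb": False, "pam_obc": True}
KEY_ONLY = {"pam_unix": False, "pam_usb": True, "pam_obc": False}

if __name__ == "__main__":
    for name, stack in (("candidate", CANDIDATE), ("usb_first", USB_FIRST)):
        for label, outcome in (("local", LOCAL), ("remote", REMOTE),
                               ("key_only", KEY_ONLY)):
            print(name, label, run_stack(stack, outcome))
```

In this model the candidate ordering never calls pam_obc for a local login with the key, so no SMS would be sent, while the USB-first ordering accepts the key without the password.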



