Per-User Authentication with Linux PAM?

Tomas Mraz tmraz at redhat.com
Wed Feb 17 10:38:05 UTC 2010


On Wed, 2010-02-17 at 11:17 +0100, Alessandro Bottoni wrote: 
> Il 17/02/2010 09:49, Tomas Mraz ha scritto:
> >> Maybe it is possible to user either pam_usb or pam_obc on the same user,
> >> playing with the order of the configuration lines in the common-auth
> >> file and/or with the "controls" ("requisite", "required", "sufficient",
> >> "optional", etc.). I did not try yet...
> > 
> > You can use jumps in the configuration and pam_succeed_if or
> > pam_listfile to do the decision. If you had more than two different auth
> > stacks required, it would make the configuration really ugly, but for
> > just two different stacks it would be manageable.
> > 
> > Example: 
> > auth [success=2 default=ignore] pam_succeed_if.so user in localuser1:localuser2
> > auth sufficient pam_remoteauth.so
> > auth requisite pam_deny.so
> > auth sufficient pam_localauth.so
> > auth requisite pam_deny.so
> > 
> > The success=2 tells the libpam to skip the next two modules if the user
> > is not in the local user list (the user is not localuser1 or
> > localuser2).
> 
> Hi Tomas,
> many thanks for your suggestion. It looks like it can solve my problem.
> I just have a small doubt...
> 
> Did you actually mean: "The success=2 tells the libpam to skip the next
> two modules if the user is /in/ the local user list (the user is
> /either/ localuser1 /or/ localuser2)."
Yes, my typo.

> Apparently, if the user is a localuser, then PAM should perform the
> pam_localauth authentication. Am I wrong?
No, you're right.
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb




More information about the Pam-list mailing list