Per-User Authentication with Linux PAM?

Nick Owen nowen at wikidsystems.com
Wed Feb 17 13:45:25 UTC 2010


On Wed, Feb 17, 2010 at 3:17 AM, Alessandro Bottoni <alexbottoni at yahoo.it> wrote:

> On 16/02/2010 22:20, Marc Weber wrote:
> > Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
> >> Hi All,
> >> I'm looking for a way (a module, a technique) to perform the usual
> >> (local) Linux-PAM authentication on a per-user basis. That is: I need to
> >> have a different authentication stack for each user of a Linux machine.
> > Maybe you should talk about the real problem you're trying to solve as
> > well. Maybe there is another simple solution to get your job done?
>
> Hi Marc,
> well, actually, I'm trying to answer a quite strange request in the most
> elegant way I can.
>
> I have to configure a Ubuntu server in such a way that two different
> users will be able to authenticate in the following two different ways.
>
> 1) A "local" user should be able to authenticate at the local/physical
> console using a two-factor scheme based on pam_usb (username, password
> and a USB flash memory). The USB flash memory will be used as a cheap ID
> token.
>
> 2) A "remote" user should be able to authenticate via Internet (via
> telnet/ssh or even via VNC/NX) using a two-factor scheme based on
> pam_obc (username, password and a one-time password sent to the user's
> cellphone via SMS using sendEmail and a free email/SMS gateway). That
> is: the SIM of the cellphone will be used as a commodity ID token.
>
> (Both users will be sudoers and the root account will be disabled, as
> usual on Ubuntu)
>
> The customer explicitly asked for a two-factor (password plus physical
> element) strong authentication so SSH alone is not enough (at least, as
> far as I know). Before falling back to Aladdin's eToken, Yubico's
> Yubikey or RSA SecurID I would like to try a cheaper and more manageable
> solution based on COTS components (USB keys and GSM cellphones).
>
> To be honest, the "local" and "remote" user could be merged in a single
> "generic" profile. We just do not want to send the useless email/SMS
> message when the user authenticates locally using the USB key (and, of
> course, the system must not ask a remote user for his USB key).
>
> Maybe it is possible to use either pam_usb or pam_obc on the same user,
> playing with the order of the configuration lines in the common-auth
> file and/or with the "controls" ("requisite", "required", "sufficient",
> "optional", etc.). I did not try yet...
>
> Any suggestion?
>

I may be missing something, but it seems to me that you can set
/etc/pam.d/login to use pam_usb and then set /etc/pam.d/sshd to use radius
or whatever method you'd like for remote access, correct?

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
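As an added illustration of the question raised in the quoted message (can control-flag ordering in one shared stack serve both users?) and of the per-service answer in the reply, the following simulator is not code from this thread or from pam_usb/pam_obc; it models the classic four control keywords for the auth type, and the stacks and module outcomes in it are constructed for the example.

```python
# Added example: simplified Linux-PAM auth-stack evaluation for the four
# classic controls (requisite / required / sufficient / optional). The
# [value=action] syntax is not modelled. Stacks and outcomes are constructed.

def run_stack(stack, outcome):
    """Evaluate an auth stack in file order.

    stack   -- list of (control, module)
    outcome -- dict module -> True (success) / False (failure)
    Returns (authenticated, modules_consulted). Every consulted module is
    one that would have prompted the user (for a USB key, an SMS code, ...).
    """
    failed = False            # set once a 'required' module has failed
    consulted = []
    for control, module in stack:
        consulted.append(module)
        ok = outcome[module]
        if control == "requisite":
            if not ok:
                return False, consulted    # fail now, skip the rest of the stack
        elif control == "required":
            if not ok:
                failed = True              # keep running, but the result is failure
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted     # short-circuit success
        elif control != "optional":        # 'optional' never decides on its own
            raise ValueError(f"unknown control {control}")
    return not failed, consulted

# Hypothetical single shared stack (common-auth style) serving both users.
SHARED = [("sufficient", "pam_usb.so"), ("required", "pam_obc.so")]
# Per-service split as suggested in the reply: console login vs. sshd.
LOGIN = [("required", "pam_usb.so")]
SSHD = [("required", "pam_obc.so")]

def local_user_in_shared_stack():
    # Console user with the USB key: 'sufficient' short-circuits, so no SMS is sent.
    return run_stack(SHARED, {"pam_usb.so": True, "pam_obc.so": True})

def remote_user_in_shared_stack():
    # SSH user without a USB key: pam_usb fails and the stack falls through to
    # pam_obc. Login succeeds, but pam_usb was still consulted (asked for a key).
    return run_stack(SHARED, {"pam_usb.so": False, "pam_obc.so": True})

def remote_user_in_sshd_stack():
    # Per-service file: only the SMS module is ever consulted for sshd.
    return run_stack(SSHD, {"pam_obc.so": True})
```

The shared stack meets the "no SMS at the console" requirement but not "never ask a remote user for a USB key", which is exactly what splitting /etc/pam.d/login from /etc/pam.d/sshd avoids.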