multiple password prompts
Nick Owen
nowen at wikidsystems.com
Thu Jun 9 15:12:12 UTC 2011
On Tue, Jun 7, 2011 at 8:14 PM, Darren Tucker <dtucker at zip.com.au> wrote:
> On Wed, Jun 8, 2011 at 2:17 AM, Nick Owen <nowen at wikidsystems.com> wrote:
>> Greetings:
>>
>> I am trying to find out if it is possible to have PAM prompt for
>> two-passwords, once for a kerberos request to AD and a second to an
>> OTP server via pam-radius on Redhat/centos. Setting both as required
>> results in:
>>
>> Jun 7 12:09:15 localhost sshd[25196]: debug1: userauth-request for
>> user nowen service ssh-connection method password
>
> Yes but you can't use ssh password authentication (a single simple
> password), instead you need to use keyboard-interactive.
>
> With an openssh you can test this on the client side with "ssh -o
> preferredauthentications=keyboard-interactive yourserver", and you can
> configure the server with "PasswordAuthentication no",
> "ChallengeResponseAuthentication yes" and
> "KbdInteractiveAuthentication yes". This will probably only work with
> ssh Protocol 2.

hmm, then what should I have for my /etc/pam.d/sshd? I was hoping that:

auth       include      system-auth debug
auth       required     /lib/security/pam_radius_auth.so try_first_pass debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Would prompt the user for their system password first, then ask for
the radius password, but all the password attempts are going to the
radius server. The radius server is actually our OTP server, so of
course, the system password is failing.

Thanks for the help!

nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
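
Added example, not part of the original message or of any project's code: a small Python check of the two settings this thread turns on. It reports sshd_config values that differ from the three quoted in the reply above, and flags any auth module after the first that carries try_first_pass or use_first_pass, since such a module reuses the password already collected earlier in the stack. The sample inputs and all function names are constructed for illustration.

```python
import re
# Constructed sample inputs, based on the settings quoted in this thread.
SSHD_CONFIG = """\
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""
PAM_SSHD = """\
auth       include      system-auth debug
auth       required     /lib/security/pam_radius_auth.so try_first_pass debug
account    required     pam_nologin.so
"""

# sshd settings recommended in the quoted reply for keyboard-interactive.
WANTED = {"passwordauthentication": "no", "challengeresponseauthentication": "yes",
          "kbdinteractiveauthentication": "yes"}
REUSE = {"try_first_pass", "use_first_pass"}
# PAM line: type, control (single word or [bracketed]), module, options
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def strip_comment(line):
    return line.split("#", 1)[0].strip()

def audit_sshd(text):
    """Return findings for settings that differ from WANTED or are not set."""
    seen = {}
    for line in text.splitlines():
        parts = strip_comment(line).split(None, 1)
        if len(parts) == 2:  # sshd uses the first value it reads for a keyword
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return [f"sshd_config: {k} is {seen.get(k, 'not set')}, want {v}"
            for k, v in WANTED.items() if seen.get(k) != v]

def audit_pam(text):
    """Flag auth modules, after the first, that reuse an earlier password."""
    findings, auth_seen = [], 0
    for line in text.splitlines():
        m = PAM_LINE.match(strip_comment(line))
        if not m or m.group(1) != "auth":
            continue
        auth_seen += 1
        reused = REUSE & set(m.group(4).split())
        if auth_seen > 1 and reused:
            findings.append(f"pam: {m.group(3)} has {sorted(reused)[0]}; "
                            "it reuses the password an earlier module collected")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_sshd(SSHD_CONFIG) + audit_pam(PAM_SSHD)))
```

The check does not expand "include" lines, so a stack pulled in from system-auth has to be audited as its own file.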