Password checking slip based on group membership (sshd)
Dragos P.
thenucker2004 at yahoo.com
Fri Oct 21 06:50:44 UTC 2011
Dear list,
I am trying to split the password checking based on the group id of the users logging through ssh
like this:
if user ingroup otp then
use pam_otp for password auth
else
use pam_unix for authentication
The passwords are different.
Consider 2 users: dragos and dragos2
id dragos
uid=500(dragos) gid=500(dragos) groups=500(dragos),503(OTP)
id dragos2
uid=502(dragos2) gid=502(dragos2) groups=502(dragos2)
The configuration below is working fine but I am trying to solve 2 problems:
1. If a user has the gid 500 and pam_otp fails then it will default to pam_unix password
which I don't want.
2. I don't understand why the "pam_succeed.if.so quiet user ingroup otp" is not working.
Authentication fails with "permission denied"? This is what I actually need.
/etc/pam.d/sshd
#%PAM-1.0
auth [default=1 success=ignore] pam_succeed_if.so quiet gid eq 500
auth sufficient pam_otp.so sshd
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
#auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Regards,
Dragos
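An added illustration for this thread (not code from the original post or from Linux-PAM) that models how PAM walks the posted auth stack, so the fall-through in problem 1 can be seen step by step. Module verdicts are supplied by hand rather than computed by real modules, and the STRICT stack with `[success=done default=die]` is an assumed alternative, not something the post proposes.

```python
# Models Linux-PAM auth-stack control semantics: required / requisite / sufficient
# and the bracketed [success=... default=...] form (ignore, ok, done, bad, die, "skip N").
# Constructed for this thread; verdicts come from the caller, not from real PAM modules.

def pam_auth_stack(stack, verdicts):
    """stack: list of (control, module_line); verdicts: {module_line: True/False}.
    Modules absent from verdicts are assumed to succeed (pam_env, pam_succeed_if uid...).
    Returns 'success' or 'failure' as PAM would report it to sshd."""
    i, failed = 0, False                  # failed: a required/bad module already failed
    while i < len(stack):
        control, module = stack[i]
        ok = verdicts.get(module, True)
        if control == "required":
            failed = failed or not ok     # remember the failure, keep walking the stack
        elif control == "requisite":
            if not ok:
                return "failure"          # stop immediately
        elif control == "sufficient":
            if ok and not failed:
                return "success"          # a failed sufficient module is simply skipped
        elif control.startswith("["):
            actions = dict(kv.split("=") for kv in control.strip("[]").split())
            action = actions.get("success" if ok else "default", actions.get("default", "bad"))
            if action.isdigit():
                i += int(action)          # jump over the next N modules
            elif action == "bad":
                failed = True
            elif action == "die":
                return "failure"
            elif action == "done":
                return "failure" if failed else "success"
            # "ignore" and "ok" just continue
        i += 1
    return "failure" if failed else "success"

# The auth stack from the post (/etc/pam.d/sshd), one tuple per line.
POSTED = [
    ("[default=1 success=ignore]", "pam_succeed_if.so quiet gid eq 500"),
    ("sufficient", "pam_otp.so sshd"),
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so nullok try_first_pass"),
    ("requisite", "pam_succeed_if.so uid >= 500 quiet"),
    ("required", "pam_deny.so"),
]
# Assumed alternative (not from the post): make pam_otp decisive for gid-500 users,
# so a failed OTP ends the stack instead of falling through to pam_unix.
STRICT = [POSTED[0], ("[success=done default=die]", "pam_otp.so sshd")] + POSTED[2:]

def scenario(stack, gid_is_500, otp_ok, unix_ok):
    """Run one login attempt: gid test verdict, OTP verdict, unix-password verdict."""
    return pam_auth_stack(stack, {"pam_succeed_if.so quiet gid eq 500": gid_is_500,
                                  "pam_otp.so sshd": otp_ok,
                                  "pam_unix.so nullok try_first_pass": unix_ok,
                                  "pam_deny.so": False})
```

Calling `scenario(POSTED, True, False, True)` reproduces problem 1 (dragos, wrong OTP, correct unix password, still "success"), while the same call on STRICT returns "failure". The model takes the pam_succeed_if verdict as input, so note separately that the group in the `id` output is spelled OTP while the quoted test uses otp.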