Password checking split based on group membership (sshd)

Dragos P. thenucker2004 at yahoo.com
Fri Oct 21 06:50:44 UTC 2011


Dear list,


I am trying to split the password checking based on the group id of the users logging in through ssh,
like this:

if user ingroup otp then
           use pam_otp for password auth
else
           use pam_unix for authentication

The passwords are different.

Consider 2 users: dragos dragos2
id dragos
uid=500(dragos) gid=500(dragos) groups=500(dragos),503(OTP)
id dragos2
uid=502(dragos2) gid=502(dragos2) groups=502(dragos2)

The configuration below is working fine but I am trying to solve 2 problems:


1. If a user has the gid 500 and pam_otp fails then it will default to pam_unix password
which I don't want.

2. I don't understand why "pam_succeed_if.so quiet user ingroup otp" is not working.
Authentication fails with "permission denied". This is what I actually need.

/etc/pam.d/sshd
#%PAM-1.0
auth [default=1 success=ignore] pam_succeed_if.so quiet gid eq 500
auth       sufficient     pam_otp.so sshd

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

#auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so


Regards,

Dragos
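Added example, not part of the original post: one way to write the auth stack so that the two branches are mutually exclusive, i.e. an OTP user who fails pam_otp is not handed to pam_unix, and a non-OTP user never reaches pam_otp. It reuses the module arguments from the posted /etc/pam.d/sshd and assumes the group is spelled exactly "OTP" as in the id output above (pam_succeed_if resolves the group name with getgrnam, so "ingroup otp" does not match a group named "OTP"). Note also that "gid eq 500" only tests the primary group, while "user ingroup OTP" tests the supplementary groups, which is what the id output shows.

```text
#%PAM-1.0
# auth stack for sshd: route on group membership, with no fall-through.
auth    required                    pam_env.so

# Members of OTP skip the next 2 modules (the pam_unix branch) and land on
# pam_otp. Everyone else falls into the pam_unix branch below.
# Group names are case-sensitive: the group is "OTP" (gid 503), not "otp".
auth    [success=2 default=ignore]  pam_succeed_if.so quiet user ingroup OTP

# --- branch for users NOT in OTP: UNIX password only ---
# requisite: system accounts (uid < 500) are refused immediately.
auth    requisite                   pam_succeed_if.so quiet uid >= 500
# done  = success ends the stack here, pam_otp below is never consulted.
# die   = failure ends the stack here, pam_otp below is never consulted.
auth    [success=done default=die]  pam_unix.so nullok try_first_pass

# --- branch for users in OTP: one-time password only ---
# A failed OTP dies here instead of falling back to the UNIX password,
# which is what "sufficient pam_otp.so" followed by "sufficient pam_unix.so"
# allowed in the posted stack.
auth    [success=done default=die]  pam_otp.so sshd

# Safety net: no path above should reach this line.
auth    required                    pam_deny.so

account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
```

The "success=2" count is the number of module lines to skip after the pam_succeed_if line, so it has to be updated whenever a line is added to or removed from the pam_unix branch. To check the routing, try each of the four cases (dragos with a valid OTP, dragos with his UNIX password, dragos2 with his UNIX password, dragos2 with an OTP) and confirm that only the first and third succeed; the pam_succeed_if and pam_otp decisions show up in the sshd auth log. Remember that sshd only runs this stack when UsePAM is yes in sshd_config, and an OTP module that prompts interactively needs ChallengeResponseAuthentication (keyboard-interactive) enabled as well.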




More information about the Pam-list mailing list