Strange pam configuration help needed
Tomas Mraz
tmraz at redhat.com
Thu Feb 1 09:47:13 UTC 2018
On Wed, 2018-01-31 at 14:18 -0700, Orion Poplawski wrote:
> I'm trying to work out a pam configuration that will always require an
> OTP via google_authenticator in combination with any other auth method -
> gssapi, key, or password.
>
> I've tried to do this with this sshd config:
>
> # Kerberos / Public Key + PAM
> AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam
> publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>
> and pam:
>
>
>
> auth substack password-auth
>
>
> The idea being that if ga prompts for a token, we're done, and sshd's
> password auth handles the password case.
But SSH password auth also calls the PAM stack. So I am not actually
sure this would work.
> But with this config, sshd fails with:
>
> sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
> sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch
>
> Which may be a bug/limitation in sshd, but I don't think I'm able to
> fix that.
Would 'auth sufficient pam_google_authenticator.so' work?
> At this point I'm thinking of something like:
>
> auth [success=done new_authtok_reqd=done] pam_google_authenticator.so
> auth sufficient "return success if no auth token is given"
> auth substack password-auth
>
> But how to achieve it? Thanks.
>
--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
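Added example, not from the thread: a small Python model of Linux-PAM's stack dispatch (the ok/done/bad/die/ignore actions and substack scoping; jumps and reset are not modelled), used to trace how the 'sufficient' line suggested above, a 'required' variant, and the bracketed form from the question behave when pam_google_authenticator succeeds, fails, or returns PAM_IGNORE. The reduced password-auth contents are constructed, and PAM_IGNORE is assumed to be what the module returns with nullok for a user who has no secret.

```python
PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "ignore", "auth_err", "perm_denied"

# Built-in control keywords, written out as the [...] action tables they expand to.
CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

def actions_for(control):
    """Map a control field ('sufficient', 'substack' or '[success=done ...]') to its action table."""
    if control.startswith("["):
        table = dict(kv.split("=", 1) for kv in control.strip("[]").split())
        table.setdefault("default", "bad")  # a return code not listed in [...] counts as 'bad'
        return table
    return CONTROLS["required" if control == "substack" else control]

def dispatch(stack, results, trace):
    """Evaluate (control, module) entries against results (module -> return code).
    A module given as a list is a substack: it runs on its own, so done/die inside it
    end only the substack, and its outcome is then treated like a 'required' module."""
    impression, status = None, None  # None: nothing contributed yet; True: positive; False: failed
    for control, module in stack:
        if isinstance(module, list):
            retval = dispatch(module, results, trace)
        else:
            retval = results[module]
            trace.append(module)  # record which modules were actually consulted
        table = actions_for(control)
        action = table.get(retval, table["default"])
        if action in ("ok", "done") and (impression is None or (impression and status == PAM_SUCCESS)):
            impression, status = True, retval
        elif action in ("bad", "die") and impression is not False:
            impression, status = False, retval  # the first failure is what the stack reports
        if action in ("done", "die"):
            break  # stop evaluating this (sub)stack
    return PAM_PERM_DENIED if impression is None else status

# Constructed stand-in for the password-auth substack: try local then SSSD, else deny.
PASSWORD_AUTH = [("sufficient", "pam_unix.so"), ("sufficient", "pam_sss.so"), ("required", "pam_deny.so")]
# The 'sufficient' line suggested in the reply, and the same stack with 'required' instead.
OTP_SUFFICIENT = [("sufficient", "pam_google_authenticator.so"), ("substack", PASSWORD_AUTH)]
OTP_REQUIRED = [("required", "pam_google_authenticator.so"), ("substack", PASSWORD_AUTH)]

def run(stack, ga, unix=PAM_AUTH_ERR, sss=PAM_SUCCESS):
    """Return (final status, modules consulted) for the given per-module outcomes."""
    trace = []
    results = {"pam_google_authenticator.so": ga, "pam_unix.so": unix,
               "pam_sss.so": sss, "pam_deny.so": PAM_AUTH_ERR}
    return dispatch(stack, results, trace), trace
```

The traces make the difference visible: with 'sufficient' a rejected token is ignored and the password modules can still grant access, while 'required' (or the bracketed form, whose unlisted codes default to bad) records the rejection and reports it after the substack has run.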