Strange pam configuration help needed

Orion Poplawski orion at nwra.com
Wed Jan 31 21:18:59 UTC 2018


I'm trying to work out a pam configuration that will always require an OTP via
google_authenticator in combination with any other auth method - gssapi, key,
or password.

I've tried to do this with this sshd config:

# Kerberos / Public Key + PAM
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam

and pam:

auth       [success=done new_authtok_reqd=done default=ok]    pam_google_authenticator.so
auth       substack     password-auth


The idea being that if ga prompts for a token, we're done, and sshd's password
auth handles the password case.

But with this config, sshd fails with:

sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch

Which may be a bug/limitation in sshd, but I don't think I'm able to fix that.

At this point I'm thinking of something like:

auth       [success=done new_authtok_reqd=done]    pam_google_authenticator.so
auth       sufficient   "return success if no auth token is given"
auth       substack     password-auth

But how to achieve it?  Thanks.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
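To see how the bracketed control fields above combine once a substack is involved, here is an added Python model of the pam.conf(5) dispatch rules (ok/done/bad/die/ignore, with done/die inside a substack ending only that substack). It is my own simplified simulation, not code from the post or from Linux-PAM; jump actions are left out, and the password-auth contents and the module return values are constructed stand-ins.

```python
# Constructed stand-ins for PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE and the must-fail code.
SUCCESS, AUTH_ERR, IGNORE, MUST_FAIL = "success", "auth_err", "ignore", "must_fail"

NAMED = {  # what the classic keywords expand to in pam.conf(5)
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def action_for(control, retval):
    """Map a module return value to ok/done/bad/die/ignore under a control field."""
    pairs = dict(t.split("=") for t in NAMED.get(control, control.strip("[]")).split())
    return pairs.get(retval, pairs.get("default", "bad"))  # unlisted values count as 'bad'

def walk(stack, returns, impression, status, ran):
    """Evaluate one (sub)stack; returns (impression, status, stop_this_level)."""
    for control, module in stack:
        if control == "substack":            # done/die inside only end the substack
            impression, status, _ = walk(module, returns, impression, status, ran)
            continue
        retval = returns[module]
        ran.append(module)
        action = action_for(control, retval)
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != IGNORE or impression is None:  # 'ok' keeps a prior status over IGNORE
                    impression, status = "positive", retval
            if impression == "positive" and action == "done":
                return impression, status, True
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", (MUST_FAIL if retval == IGNORE else retval)
            if action == "die":
                return impression, status, True
        # 'ignore' contributes nothing to the stack's state
    return impression, status, False

def authenticate(stack, returns):
    """Final pam_authenticate() status and the list of modules that actually ran."""
    ran = []
    impression, status, _ = walk(stack, returns, None, MUST_FAIL, ran)
    return (status if impression is not None else MUST_FAIL), ran

GA = "pam_google_authenticator"
# Constructed stand-in for password-auth: one sufficient password module, then deny.
PASSWORD_AUTH = [("sufficient", "pam_sss"), ("required", "pam_deny")]
POSTED = [("[success=done new_authtok_reqd=done default=ok]", GA), ("substack", PASSWORD_AUTH)]
PROPOSED = [("[success=done new_authtok_reqd=done]", GA), ("substack", PASSWORD_AUTH)]
```

Feeding `authenticate()` different constructed outcomes for the first module shows which of its return values the stack turns into a success, a failure, or a status passed through unchanged to the application.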