Multiple PAM stacks for multi-factor auth

I'd like to permit authentication by either public key followed by second factor, OR password followed by second factor. It seems the sshd configuration ought to be:

UsePam yes
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive password,keyboard-interactive

For most purposes, "UsePam yes" makes password and keyboard-interactive do the same thing - run the auth stack in sshd's PAM config. Thus the second choice in AuthenticationMethods is repeating the same policy, where what I want is to do a password check via pam_unix, and then run the 2nd-factor module. I can combine the checks in /etc/pam.d/sshd to make it work and then use a single "keyboard-interactive" method:

auth requisite pam_unix.so
auth required pam_duo/yubico/google_authenticator/etc.so

but now the "publickey,keyboard-interactive" method requires public key, then password, then 2nd factor, and I haven't found a solution. I searched and found that Fedora encountered a similar problem and chose to add handling of multiple PAM stacks. The discussion in http://fedoraproject.org/wiki/Features/MultiplePAMStacksInGDM is informative. Can OpenSSH add a way to run different rule sets in the syntax of AuthenticationMethods to make these configurations possible?
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
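
The mismatch described in the message above can be tabulated with a small model; this is an added example, not part of the original post and not OpenSSH code. It assumes, as the post states, that with "UsePam yes" both password and keyboard-interactive run the single auth stack; the module name pam_2fa.so, the sample stacks and the "single keyboard-interactive" method list are constructed for illustration.

```python
import re

# Added example: a model of the behaviour described in the post, not OpenSSH code.
# Assumption (the post's statement): with "UsePam yes", both of these methods
# run the one auth stack in /etc/pam.d/sshd.
PAM_BACKED = {"password", "keyboard-interactive"}
AUTH_LINE = re.compile(r"\s*-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_auth_methods(value):
    """Space-separated lists, each a comma-separated sequence of methods."""
    return [lst.split(",") for lst in value.split()]

def parse_pam_auth(text):
    """Module names of the 'auth' lines (include/substack are not followed)."""
    mods = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line.split("#", 1)[0])
        if m:
            mods.append(m.group(2))
    return mods

def effective_checks(auth_methods, pam_text):
    """Map each method list to the ordered checks a user must pass."""
    stack = parse_pam_auth(pam_text)
    result = {}
    for methods in parse_auth_methods(auth_methods):
        checks = []
        for method in methods:
            checks.extend(stack if method in PAM_BACKED else [method])
        result[",".join(methods)] = checks
    return result

# Constructed inputs; pam_2fa.so is a hypothetical second-factor module name.
POSTED = "publickey,keyboard-interactive password,keyboard-interactive"
SINGLE_KBD = "publickey,keyboard-interactive keyboard-interactive"
STACK_2FA_ONLY = "auth required pam_2fa.so\n"
STACK_COMBINED = "auth requisite pam_unix.so\nauth required pam_2fa.so\n"

if __name__ == "__main__":
    for name, methods, stack in (("posted config", POSTED, STACK_2FA_ONLY),
                                 ("combined stack", SINGLE_KBD, STACK_COMBINED)):
        print(name)
        for path, checks in effective_checks(methods, stack).items():
            print(f"  {path:40} -> {' + '.join(checks)}")
```

Under this model neither stack yields both "key + second factor" and "password + second factor": the second-factor-only stack never runs pam_unix on the password path, and the combined stack adds a password check to the public key path.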



