Multifactor authentication troubles

I'm writing a PAM module to do authentication through Signal (as in Open
Whisper Systems) [1]. I would like to be able to offer

(Public key AND Signal) or (Password AND Signal)

for authentication. This suggests setting AuthenticationMethods to

publickey,keyboard-interactive:pam password,keyboard-interactive:pam

However, when PAM is enabled "password" means "show password prompt,
then do PAM", which is a problem because my PAM does Signal auth, not
password auth, and the above results in all login attempts failing.
Clearly sshd knows how to do password auth without PAM because it works
even when PAM is disabled, so I wonder if there is some way to request
that "password" does not use PAM even when PAM is enabled? Ideally one
could specify something like

password:nopam
password:builtin

Or another solution would be to allow multiple different PAM modules to
be called instead of requiring it all to be lumped into /etc/pam.d/sshd.
Then one could specify something like

PAMFiles /etc/pam.d/sshd*
AuthenticationMethods keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

Does this kind of functionality already exist, and if not would it be
feasible to implement?


Thank you for your help,
James Murphy

[1] https://github.com/kb100/signal-authenticator
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
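
The following is an added example, not part of the original message and not OpenSSH code: a simplified Python model of the list semantics sshd_config(5) documents for AuthenticationMethods, replaying the value quoted in the message to show which methods are offered at each stage. All function names are hypothetical, and the model covers only the list bookkeeping, not how each method is carried out (PAM or otherwise).

```python
# Added example: simplified model of AuthenticationMethods list handling.
# Not OpenSSH code; all function names here are hypothetical.

def parse_methods(value):
    """Whitespace separates lists; commas separate methods within a list."""
    lists = [entry.split(",") for entry in value.split()]
    if not lists or any(not m for methods in lists for m in methods):
        raise ValueError("malformed AuthenticationMethods value: %r" % value)
    return lists

def head_matches(required, completed):
    """A bare required name accepts any submethod; a qualified one
    (keyboard-interactive:pam) needs the same submethod."""
    if required == completed:
        return True
    return ":" not in required and required == completed.split(":", 1)[0]

def offered(lists):
    """Methods that are next in at least one list, without duplicates."""
    out = []
    for methods in lists:
        if methods and methods[0] not in out:
            out.append(methods[0])
    return out

def complete(lists, method):
    """Record one successful method; return (remaining_lists, authenticated)."""
    if not any(m and head_matches(m[0], method) for m in lists):
        raise ValueError("%s is not offered at this stage" % method)
    new = [m[1:] if m and head_matches(m[0], method) else m for m in lists]
    return new, any(not m for m in new)

def walk(value, successes):
    """Replay successful methods; return (offers per stage, authenticated)."""
    lists, stages, done = parse_methods(value), [], False
    for method in successes:
        stages.append(offered(lists))
        lists, done = complete(lists, method)
        if done:
            break
    return stages, done

# The AuthenticationMethods value from the message above.
VALUE = "publickey,keyboard-interactive:pam password,keyboard-interactive:pam"

if __name__ == "__main__":
    for path in (["publickey", "keyboard-interactive:pam"], ["password"]):
        print(path, "->", walk(VALUE, path))
```

Under this model neither list can be satisfied without the keyboard-interactive:pam step, and that step is never offered first, which is the (Public key AND Signal) or (Password AND Signal) policy the message aims for.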


