I am trying to have the RSA be the first authenticator. If the RSA server is not available I would like the pam_stack.so to be used.
What I currently get is RSA authentication; that works. If the user types their etc/passwd they can still get in that way. If the RSA server does not respond then the etc/passwd process still works.
I have tried modifying /etc/pam.d/sshd (my testing is using ssh) and ended up with:
snip---
#%PAM-1.0
auth [ \
    success=done \
    auth_err=ignore \
    ignore=ignore \
    default=bad \
    ] \
    /opt/pam/lib/pam_securid.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
---snip
It appears that modifying the value=action pair of auth_err causes variations in the progress through the modules. I have not found any other pair that seems to affect the authentication stopping or continuing (except success).
I'm not sure that RSA is playing nice, but there is no way to tell. I plan on contacting them to see if they can give me some guidance on what they are doing PAM-wise.
This testing is occurring on a Red Hat 7.2 box. RPM is pam-0.75-46.7.2
Thanks for any help with this.
Luke
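A simplified model of how Linux-PAM walks an auth stack with bracketed value=action controls, applied to the sshd stack in the post above. It is an added example, not part of the original message and not Linux-PAM code; the STRICT control and the return codes fed in for pam_securid.so are assumptions, not observed behaviour of the RSA module.

```python
# Simplified model of Linux-PAM auth-stack evaluation (added example).
# Return codes are written as the tokens used inside [value=action] brackets.
REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",
            "ignore": "ignore", "default": "bad"}

def run_stack(stack, results):
    """stack: [(module, control dict)]; results: {module: return-code token}.
    Returns the status token the calling application would see."""
    impression, status = None, "perm_denied"      # None = no opinion yet
    for module, control in stack:
        ret = results[module]
        action = control.get(ret, control["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if impression == "pos" and action == "done":
                break                              # stop: stack succeeded
        elif action in ("bad", "die"):
            if impression != "neg":                # first failure wins
                impression = "neg"
                status = "perm_denied" if ret == "success" else ret
            if action == "die":
                break                              # stop: stack failed
        # "ignore": this module's result has no effect on the outcome
    return status

# Control from the posted /etc/pam.d/sshd.
POSTED = {"success": "done", "auth_err": "ignore",
          "ignore": "ignore", "default": "bad"}
# Hypothetical variant: a rejected token ends the stack, and only a distinct
# "server unreachable" code falls through to system-auth. Whether
# pam_securid.so returns authinfo_unavail in that case is an assumption.
STRICT = {"success": "done", "auth_err": "die",
          "authinfo_unavail": "ignore", "default": "bad"}

def outcome(securid_control, securid_ret, password_ret):
    stack = [("pam_securid", securid_control),
             ("pam_stack system-auth", REQUIRED),
             ("pam_nologin", REQUIRED)]
    return run_stack(stack, {"pam_securid": securid_ret,
                             "pam_stack system-auth": password_ret,
                             "pam_nologin": "success"})  # constructed result

if __name__ == "__main__":
    for name, ctl in (("posted", POSTED), ("strict", STRICT)):
        for sid in ("success", "auth_err", "authinfo_unavail"):
            print(name, sid, "->", outcome(ctl, sid, "success"))
```

The stack can only branch on the code a module returns, so if the module reports a rejected token and an unreachable server with the same code, no control setting can tell the two cases apart.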