question about password modification

I have a cookie-cutter problem here so I'm hoping this question doesn't sound
too dumb.

I want to use Vasco GO-3 tokens in a project. These are the OTP tokens with no
keypad; you hit a single button and it spits back a 6-digit OTP. To protect
against the token being stolen we append a password to the OTP. The combined OTP
plus password is what gets submitted as the authentication token to PAM.

   i.e., XXXXXX     => OTP
         YYYY       => password
         XXXXXXYYYY => what I enter in the password field when authenticating

I have a RADIUS server that understands the XXXXXXYYYY format. The RADIUS server
confirms the XXXXXX OTP is correct using a local database and that the YYYY
password is correct against a Kerberos server. This all works fine using
pam_radius on the client machine.

What I'd like to do now is to chain pam_krb5 after pam_radius so the ticket
cache is primed. This will result in a double authentication against the
Kerberos server but I'm cool with that. The problem is that the authentication
token XXXXXXYYYY isn't useful for pam_krb5; I only want the YYYY password.

Is there a standard way to modify the authentication token inside PAM? Perhaps a
pam_modify_authtok module? 

Or am I approaching this problem the wrong way? 

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
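
The token rewrite asked about above, sketched as an added example that is not part of the original message and not an existing PAM module: a hypothetical `pam_strip_otp` that replaces `PAM_AUTHTOK` with only the YYYY part. Assumptions: the module name, the `BUILD_PAM_MODULE` build macro, and that an earlier module in the stack has already stored the combined XXXXXXYYYY token in `PAM_AUTHTOK`.

```c
/* Added example: hypothetical "pam_strip_otp" module, not from the thread. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define OTP_LEN 6 /* the GO-3 emits a 6-digit OTP, per the post */

/* Return a pointer to the YYYY part of "XXXXXXYYYY", or NULL when the token
 * is not OTP_LEN digits followed by a non-empty password. */
const char *authtok_password_part(const char *tok)
{
    if (tok == NULL)
        return NULL;
    for (size_t i = 0; i < OTP_LEN; i++)
        if (!isdigit((unsigned char)tok[i])) /* also stops at an early NUL */
            return NULL;
    return tok[OTP_LEN] != '\0' ? tok + OTP_LEN : NULL;
}

#ifdef BUILD_PAM_MODULE /* assumed macro: cc -fPIC -shared -DBUILD_PAM_MODULE ... -lpam */
#include <security/pam_modules.h>

int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const void *item = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_item(pamh, PAM_AUTHTOK, &item) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    const char *pw = authtok_password_part(item);
    if (pw == NULL)
        return PAM_AUTH_ERR; /* fail closed on a malformed token */
    /* Copy first: pam_set_item may wipe the old token that pw points into. */
    size_t n = strlen(pw) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return PAM_BUF_ERR;
    memcpy(copy, pw, n);
    int rc = pam_set_item(pamh, PAM_AUTHTOK, copy);
    for (volatile char *p = copy; n--; p++) /* scrub our temporary copy */
        *p = 0;
    free(copy);
    return rc == PAM_SUCCESS ? PAM_IGNORE : PAM_AUTH_ERR;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_IGNORE; /* this module holds no credentials of its own */
}
#endif
```

Such a module would sit between pam_radius and pam_krb5 in the auth stack, with pam_krb5 told to reuse the stored token (for example via its `use_first_pass` option) instead of prompting again.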