On 16/02/2010 22:20, Marc Weber wrote:
> Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
>> Hi All,
>> I'm looking for a way (a module, a technique) to perform the usual
>> (local) Linux-PAM authentication on a per-user basis. That is: I need to
>> have a different authentication stack for each user of a Linux machine.
> Maybe you should talk about the real problem you're trying to solve as
> well. Maybe there is another simple solution to get your job done?

Hi Marc,
well, actually, I'm trying to answer a quite strange request in the most elegant way I can.

I have to configure an Ubuntu server in such a way that two different users will be able to authenticate in the following two different ways.

1) A "local" user should be able to authenticate at the local/physical console using a two-factor scheme based on pam_usb (username, password and a USB flash memory). The USB flash memory will be used as a cheap ID token.

2) A "remote" user should be able to authenticate via Internet (via telnet/ssh or even via VNC/NX) using a two-factor scheme based on pam_obc (username, password and a one-time password sent to the user's cellphone via SMS using sendEmail and a free email/SMS gateway). That is: the SIM of the cellphone will be used as a commodity ID token.

(Both users will be sudoers and the root account will be disabled, as usual on Ubuntu.)

The customer explicitly asked for a two-factor (password plus physical element) strong authentication, so SSH alone is not enough (at least, as far as I know). Before falling back to Aladdin's eToken, Yubico's Yubikey or RSA SecurID I would like to try a cheaper and more manageable solution based on COTS components (USB keys and GSM cellphones).

To be honest, the "local" and "remote" user could be merged in a single "generic" profile. We just do not want to send the useless email/SMS message when the user authenticates locally using the USB key (and, of course, the system must not ask a remote user for his USB key).

Maybe it is possible to use either pam_usb or pam_obc on the same user, playing with the order of the configuration lines in the common-auth file and/or with the "controls" ("requisite", "required", "sufficient", "optional", etc.). I have not tried yet...

Any suggestion?

PS: the reason for such a strange request is that the customer does not trust the way his employees create and manage their passwords. Hence the request for a cheap, less-than-perfect two-factor authentication scheme.

--
Alessandro Bottoni
Website: http://www.alessandrobottoni.it/
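An added example, not part of the original message: a small Python model of how the four simple PAM control keywords decide an `auth` stack, applied to the merged "generic" profile the message considers, so the effect of line order on which modules run (and therefore whether the SMS is sent) can be checked before touching common-auth. The module file names `pam_usb.so` and `pam_obc.so`, both stack layouts and all module outcomes are assumptions constructed for illustration; `[value=action]` controls and includes are not modelled.

```python
# Simplified model of how Linux-PAM walks an auth stack (simple control
# keywords only; module results are constructed inputs, nothing is executed).
def parse_stack(text):
    """Return [(control, module)] for the 'auth' lines of a pam.d-style file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(stack, outcomes):
    """outcomes: module -> True/False. Returns (authenticated, modules_called)."""
    failed = False      # a required module has failed earlier in the stack
    positive = False    # at least one module has returned success
    called = []
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "requisite" and not ok:
            return False, called            # fail and stop immediately
        if control == "required" and not ok:
            failed = True                   # fail, but keep running the stack
        if control == "sufficient" and ok and not failed:
            return True, called             # success ends the stack here
        if ok:
            positive = True   # failed 'sufficient'/'optional' results are ignored
    return (positive and not failed), called

# Assumed layout: password first, USB key short-circuits, SMS code otherwise.
CANDIDATE = """
auth requisite  pam_unix.so
auth sufficient pam_usb.so
auth required   pam_obc.so
"""

# Pitfall layout: the token module placed ahead of the password module.
TOKEN_FIRST = """
auth sufficient pam_usb.so
auth requisite  pam_unix.so
auth required   pam_obc.so
"""

def scenario(config, password, usb_key, sms_code):
    outcomes = {"pam_unix.so": password, "pam_usb.so": usb_key,
                "pam_obc.so": sms_code}
    return run_stack(parse_stack(config), outcomes)

if __name__ == "__main__":
    print(scenario(TOKEN_FIRST, password=False, usb_key=True, sms_code=False))
```

In the candidate layout the SMS module is never reached when the USB key check succeeds, while the token-first layout accepts the USB key alone with a wrong password, which reduces the scheme to a single factor.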