Re: Per-User Authentication with Linux PAM?



On Wed, Feb 17, 2010 at 3:17 AM, Alessandro Bottoni <alexbottoni@xxxxxxxx> wrote:
On 16/02/2010 22:20, Marc Weber wrote:
> Excerpts from Alessandro Bottoni's message of Tue Feb 16 10:46:26 +0100 2010:
>> Hi All,
>> I'm looking for a way (a module, a technique) to perform the usual
>> (local) Linux-PAM authentication on a per-user basis. That is: I need to
>> have a different authentication stack for each user of a Linux machine.
> Maybe you should talk about the real problem you're trying to solve as
> well. Maybe there is another simple solution to get your job done?

Hi Marc,
well, actually, I'm trying to answer a quite strange request in the most
elegant way I can.

I have to configure a Ubuntu server in such a way that two different
users will be able to authenticate in the following two different ways.

1) A "local" user should be able to authenticate at the local/physical
console using a two-factor scheme based on pam_usb (username, password
and a USB flash memory). The USB flash memory will be used as a cheap ID

2) A "remote" user should be able to authenticate via Internet (via
telnet/ssh or even via VNC/NX) using a two-factor scheme based on
pam_obc (username, password and a one-time password sent to the user's
cellphone via SMS using sendEmail and a free email/SMS gateway). That
is: the SIM of the cellphone will be used as a commodity ID token.

(Both users will be sudoers and the root account will be disabled, as
usual on Ubuntu)

The customer explicitly asked for a two-factor (password plus physical
element) strong authentication, so SSH alone is not enough (at least, as
far as I know). Before falling back to Aladdin's eToken, Yubico's
Yubikey or RSA SecurID I would like to try a cheaper and more manageable
solution based on COTS components (USB keys and GSM cellphones).

To be honest, the "local" and "remote" user could be merged in a single
"generic" profile. We just do not want to send the useless email/SMS
message when the user authenticates locally using the USB key (and, of
course, the system must not ask a remote user for his USB key).

Maybe it is possible to use either pam_usb or pam_obc on the same user,
playing with the order of the configuration lines in the common-auth
file and/or with the "controls" ("requisite", "required", "sufficient",
"optional", etc.). I have not tried yet...

Any suggestion?

I may be missing something, but it seems to me that you can set /etc/pam.d/login to use pam_usb and then set /etc/pam.d/sshd to use radius or whatever method you'd like for remote access, correct?
Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
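One way to lay out the per-service stacks Nick describes, as an added illustration rather than configuration posted by anyone in the thread. Only the auth lines are shown; module names follow the thread, and the assumption that pam_usb and pam_obc are invoked without options must be checked against each module's documentation.

```conf
# /etc/pam.d/login -- physical console: password (via common-auth) plus USB token.
# Both factors are "required", so a missing token fails the login even when the
# password is correct; marking pam_usb "sufficient" would let the token alone
# log the user in and collapse the scheme back to a single factor.
auth    required    pam_usb.so
@include common-auth

# /etc/pam.d/sshd -- remote access: password plus one-time code delivered by SMS.
# The module name is the one given in the thread; assumption: it takes no options.
# Because this file never references pam_usb, a remote user is never asked for a
# USB key, and a console user is never sent an SMS. For sshd to relay the
# one-time-code prompt, /etc/ssh/sshd_config needs "UsePAM yes" and
# "ChallengeResponseAuthentication yes".
@include common-auth
auth    required    pam_obc.so
```

Keeping the modules out of common-auth and in the service files is what makes the two stacks independent; anything placed in common-auth is shared by every service that includes it.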
