Re: multiple password prompts



On Tue, Jun 7, 2011 at 8:14 PM, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> On Wed, Jun 8, 2011 at 2:17 AM, Nick Owen <nowen@xxxxxxxxxxxxxxxx> wrote:
>> Greetings:
>> I am trying to find out if it is possible to have PAM prompt for
>> two-passwords, once for a kerberos request to AD and a second to an
>> OTP server via pam-radius on Redhat/centos. Setting both as required
>> results in:
>> Jun  7 12:09:15 localhost sshd[25196]: debug1: userauth-request for
>> user nowen service ssh-connection method password
> Yes, but you can't use ssh password authentication (a single simple
> password), instead you need to use keyboard-interactive.
> With OpenSSH you can test this on the client side with "ssh -o
> preferredauthentications=keyboard-interactive yourserver", and you can
> configure the server with "PasswordAuthentication no",
> "ChallengeResponseAuthentication yes" and
> "KbdInteractiveAuthentication yes".  This will probably only work with
> ssh Protocol 2.

Hmm, then what should I have for my /etc/pam.d/sshd?  I was hoping that:

auth       include     system-auth debug
auth       required    /lib/security/ try_first_pass debug
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required

Would prompt the user for their system password first, then ask for
the radius password, but all the password attempts are going to the
radius server.  The radius server is actually our OTP server, so of
course, the system password is failing.

Thanks for the help!


Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
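
One way to check a server config against the three sshd settings named in the quoted reply, as an added example that is not part of the original message or of OpenSSH. The function names and both sample configs are constructed for illustration; only the global section (before the first Match line) is read, and the first value seen for a directive is kept, as sshd does.

```python
import re

# Server settings quoted in the reply above: directive (lower-cased) -> wanted value.
WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

def global_settings(text):
    """Map directive -> value for the global section of an sshd_config text."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()            # directive names are case-insensitive
        if key == "match":
            break                         # later lines are conditional, not global
        rest = parts[1].split() if len(parts) > 1 else []
        seen.setdefault(key, rest[0] if rest else "")  # first value wins
    return seen

def audit(text):
    """Return [(directive, found_or_None, wanted)] for each setting that differs."""
    have = global_settings(text)
    return [(k, have.get(k), want) for k, want in WANTED.items() if have.get(k) != want]

# Constructed sample configs (hypothetical, not taken from the thread).
BEFORE = """\
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication no
passwordauthentication no
Match User backup
    KbdInteractiveAuthentication yes
"""
AFTER = """\
Protocol 2
PasswordAuthentication no
ChallengeResponseAuthentication yes
KbdInteractiveAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(name, audit(cfg) or "matches the suggested settings")
```

In BEFORE the later lower-case duplicate does not override the first PasswordAuthentication line, and the KbdInteractiveAuthentication line inside the Match block does not count as a global setting.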

Pam-list mailing list
