On Tue, Jun 7, 2011 at 8:14 PM, Darren Tucker <dtucker@xxxxxxxxxx> wrote:
> On Wed, Jun 8, 2011 at 2:17 AM, Nick Owen <nowen@xxxxxxxxxxxxxxxx> wrote:
>> Greetings:
>>
>> I am trying to find out if it is possible to have PAM prompt for
>> two-passwords, once for a kerberos request to AD and a second to an
>> OTP server via pam-radius on Redhat/centos. Setting both as required
>> results in :
>>
>> Jun 7 12:09:15 localhost sshd[25196]: debug1: userauth-request for
>> user nowen service ssh-connection method password
>
> Yes but you can't use ssh password authentication (a single simple
> password), instead you need to use keyboard-interactive.
>
> With an openssh you can test this on the client side with "ssh -o
> preferredauthentications=keyboard-interactive yourserver", and you can
> configure the server with "PasswordAuthentication no",
> "ChallengeResponseAuthentication yes" and
> "KbdInteractiveAuthentication yes". This will probably only work with
> ssh Protocol 2.

hmm, then what should I have for my /etc/pam.d/sshd? I was hoping that:

auth       include      system-auth debug
auth       required     /lib/security/pam_radius_auth.so try_first_pass debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

Would prompt the user for their system password first, then ask for
the radius password, but all the password attempts are going to the
radius server. The radius server is actually our OTP server, so of
course, the system password is failing.

Thanks for the help!

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
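
Added example, not part of the thread and not OpenSSH or Linux-PAM code: a small Python audit that checks an sshd_config for the three settings named in the quoted reply and flags any later auth module in a PAM stack that carries try_first_pass or use_first_pass, since such a module is handed the password an earlier module collected. The sample sshd_config is constructed; the function names and the choice to report unset options are assumptions of this example.

```python
# Settings named in the reply above. Reporting an unset option is an assumption
# of this example, since defaults differ between OpenSSH versions.
WANTED = {"passwordauthentication": "no",
          "challengeresponseauthentication": "yes",
          "kbdinteractiveauthentication": "yes"}

SAMPLE_SSHD = """# constructed sample, not from the thread
Protocol 2
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""
# auth lines of the /etc/pam.d/sshd quoted in the message
SAMPLE_PAM = """auth include system-auth debug
auth required /lib/security/pam_radius_auth.so try_first_pass debug
"""

def sshd_global_options(text):
    """Return {keyword: value} for the global section; sshd keeps the first value seen."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if parts[0].lower() == "match":      # Match blocks are conditional, stop here
            break
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), value.lower())
    return opts

def pam_auth_stack(text):
    """Return [(control, module, [args])] for each auth line, in stack order."""
    stack = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 3 or tok[0].lstrip("-") != "auth":
            continue
        end = 2
        if tok[1].startswith("["):           # bracketed control such as [success=1 default=ignore]
            while end < len(tok) and not tok[end - 1].endswith("]"):
                end += 1
        if end < len(tok):
            stack.append((" ".join(tok[1:end]), tok[end], tok[end + 1:]))
    return stack

def audit(sshd_text, pam_text):
    """Return a list of human-readable findings for the two files."""
    opts = sshd_global_options(sshd_text)
    out = [f"sshd_config: {k} is {opts.get(k, 'unset')}, reply suggests {v}"
           for k, v in WANTED.items() if opts.get(k, "unset") != v]
    for pos, (_, module, args) in enumerate(pam_auth_stack(pam_text)):
        reuse = [a for a in args if a in ("try_first_pass", "use_first_pass")]
        if pos > 0 and reuse:
            out.append(f"pam: {module} has {reuse[0]}: it is handed the password "
                       "an earlier module collected")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SSHD, SAMPLE_PAM)))
```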