Password checking split based on group membership (sshd)



Dear list,

I am trying to split the password checking based on the group id of the users logging in through ssh,
like this:

if user ingroup otp then
           use pam_otp for password auth
           use pam_unix for authentication

The passwords are different.

Consider 2 users: dragos dragos2
id dragos
uid=500(dragos) gid=500(dragos) groups=500(dragos),503(OTP)
id dragos2
uid=502(dragos2) gid=502(dragos2) groups=502(dragos2)

The configuration below is working fine but I am trying to solve 2 problems:

1. If a user has the gid 500 and pam_otp fails then it will default to pam_unix password
which I don't want.

2. I don't understand why the "quiet user ingroup otp" is not working.
Authentication fails with "permission denied". This is what I actually need.

auth [default=1 success=ignore] quiet gid eq 500
auth       sufficient sshd

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        required

#auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required
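
The control-flow question in the post, as an added example that is not part of the original message: a simplified Python model of how an auth stack is walked, showing why a `sufficient` pam_otp line lets a failed OTP fall through to pam_unix and how a `[success=done default=die]` control makes the OTP result final. The stack layout, the `pam_succeed_if` and `pam_deny` entries and all function names are assumptions, since the module names are missing from the posted configuration; the group list is constructed from the `id` output above, where the group is spelled `OTP`.

```python
# Simplified model of how libpam walks an auth stack (illustrative only).
# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def in_group(groups, name):
    """Group names are compared exactly, so 'otp' does not match 'OTP'."""
    return name in groups

def run_stack(stack, results):
    """stack: [(control, module)], results: {module: bool}. True = authenticated."""
    status, skip = None, 0          # status None means no module has decided yet
    for control, module in stack:
        if skip:                    # a numeric action jumps over the next N modules
            skip -= 1
            continue
        ctl = SHORTHAND[control] if isinstance(control, str) else control
        action = ctl["success"] if results[module] else ctl["default"]
        if isinstance(action, int):
            skip = action
        elif action in ("ok", "done"):
            if status is None:
                status = True
            if action == "done":    # stop here and return what has been decided
                return status
        elif action in ("bad", "die"):
            status = False
            if action == "die":     # fail immediately, later modules never run
                return False
    return status is True           # "ignore" falls through and decides nothing

JUMP = {"success": "ignore", "default": 1}   # members fall through, others skip 1
# Assumed layout: the module names are missing from the posted stack.
LENIENT = [(JUMP, "pam_succeed_if"), ("sufficient", "pam_otp"),
           ("sufficient", "pam_unix"), ("required", "pam_deny")]
# Same stack, but the pam_otp result is final for group members.
STRICT = [(JUMP, "pam_succeed_if"), ({"success": "done", "default": "die"}, "pam_otp"),
          ("sufficient", "pam_unix"), ("required", "pam_deny")]

def attempt(stack, groups, group_name, otp_ok, unix_ok):
    """Run one login attempt; pam_deny always fails, as the real module does."""
    results = {"pam_succeed_if": in_group(groups, group_name), "pam_otp": otp_ok,
               "pam_unix": unix_ok, "pam_deny": False}
    return run_stack(stack, results)
```

In this model a group-name mismatch in the membership test sends an OTP user down the pam_unix branch, so the spelling used in the rule is part of the access decision.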


