Dear list,

I am trying to split the password checking based on the group id of the users logging through ssh like this:

    if user ingroup otp then
        use pam_otp for password auth
    else
        use pam_unix for authentication

The passwords are different.

Consider 2 users:

    dragos
    dragos2

    id dragos
    uid=500(dragos) gid=500(dragos) groups=500(dragos),503(OTP)

    id dragos2
    uid=502(dragos2) gid=502(dragos2) groups=502(dragos2)

The configuration below is working fine but I am trying to solve 2 problems:

1. If a user has the gid 500 and pam_otp fails then it will default to pam_unix password which I don't want.

2. I don't understand why the "pam_succeed.if.so quiet user ingroup otp" is not working. Authentication fails with "permission denied"? This is what I actually need.

/etc/pam.d/sshd

    #%PAM-1.0
    auth       [default=1 success=ignore] pam_succeed_if.so quiet gid eq 500
    auth       sufficient   pam_otp.so sshd
    auth       required     pam_env.so
    auth       sufficient   pam_unix.so nullok try_first_pass
    auth       requisite    pam_succeed_if.so uid >= 500 quiet
    auth       required     pam_deny.so
    #auth      include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

Regards,
Dragos
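Added example, not part of the original post: a simplified Python model of Linux-PAM control handling that reproduces problem 1 on the auth stack above and compares it with a stricter ordering using `[success=done default=die]` on pam_otp. The stricter stack is an assumption of this example and has not been tested on the poster's system; the module labels and outcome tables are constructed, and jump actions are treated like `ignore`.

```python
# Simplified model of Linux-PAM control evaluation (added example).
# Module outcomes are supplied by the caller; no real PAM module is run.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def parse_control(ctl):
    """Turn 'sufficient' or '[default=1 success=ignore]' into an action map."""
    if ctl.startswith("["):
        return dict(tok.split("=") for tok in ctl.strip("[]").split())
    return KEYWORDS[ctl]

def run_stack(stack, outcomes):
    """stack: list of (control, label); outcomes: label -> bool.
    Returns (authenticated, labels of the modules that actually ran)."""
    succeeded = failed = False
    skip, trace = 0, []
    for ctl, label in stack:
        if skip:                      # jumped over by an earlier "N" action
            skip -= 1
            continue
        trace.append(label)
        actions = parse_control(ctl)
        action = actions["default"]
        if outcomes[label]:
            action = actions.get("success", action)
        if action.isdigit():
            skip = int(action)        # skip the next N modules
        elif action in ("ok", "done"):
            succeeded = True
        elif action in ("bad", "die"):
            failed = True
        if action in ("done", "die"):
            break                     # stop evaluating the stack here
    return (succeeded and not failed), trace

# The auth lines from the post, in order (labels are constructed).
PAGE_STACK = [("[default=1 success=ignore]", "succeed_if_gid"),
              ("sufficient", "pam_otp"), ("required", "pam_env"),
              ("sufficient", "pam_unix"), ("requisite", "succeed_if_uid"),
              ("required", "pam_deny")]
# Assumed stricter ordering: OTP group members stop at pam_otp either way.
STRICT_STACK = [("required", "pam_env"),
                ("[default=1 success=ignore]", "succeed_if_gid"),
                ("[success=done default=die]", "pam_otp"),
                ("sufficient", "pam_unix"), ("requisite", "succeed_if_uid"),
                ("required", "pam_deny")]
```

Calling `run_stack` with an outcome table where `succeed_if_gid` and `pam_unix` succeed but `pam_otp` fails shows the fallback on `PAGE_STACK` and the early stop on `STRICT_STACK`.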