I'm trying to work out a pam configuration that will always require an OTP via google_authenticator in combination with any other auth method - gssapi, key, or password.

I've tried to do this with this sshd config:

    # Kerberos / Public Key + PAM
    AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam

and pam:

    auth [success=done new_authtok_reqd=done default=ok] pam_google_authenticator.so
    auth substack password-auth

The idea being that if ga prompts for a token, we're done, and sshd's password auth handles the password case. But with this config, sshd fails with:

    sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
    sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch

Which may be a bug/limitation in sshd, but I don't think I'm able to fix that.

At this point I'm thinking of something like:

    auth [success=done new_authtok_reqd=done] pam_google_authenticator.so
    auth sufficient "return success if no auth token is given"
    auth substack password-auth

But how to achieve it?

Thanks.

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@xxxxxxxx
Boulder, CO 80301                 https://www.nwra.com/
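
An added example, not part of the original post: a small Python check of the sshd side of this setup, confirming that every alternative in AuthenticationMethods includes keyboard-interactive:pam so that no login path can skip the PAM step. The function names and the sample text are constructed here, and Match blocks and Include files are not followed.

```python
REQUIRED = "keyboard-interactive:pam"  # the step that carries the OTP prompt in the post

# Constructed sample: the sshd_config fragment quoted in the post.
SAMPLE_CONFIG = (
    "# Kerberos / Public Key + PAM\n"
    "AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam "
    "publickey,keyboard-interactive:pam password,keyboard-interactive:pam\n"
)

def parse_authentication_methods(config_text):
    """Return the global AuthenticationMethods value as a list of method lists.

    Alternatives are separated by whitespace; methods inside one alternative are
    comma-separated and must all succeed. Returns None when the keyword is absent.
    Assumption of this example: Match blocks and Include files are not followed.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break  # global section ends at the first Match block
        if keyword == "authenticationmethods" and len(parts) == 2:
            return [alt.split(",") for alt in parts[1].split()]
    return None

def audit(config_text, required=REQUIRED):
    """Return (alternative, problem) findings; an empty list means no path skips `required`."""
    alternatives = parse_authentication_methods(config_text)
    if alternatives is None or alternatives == [["any"]]:
        return [("any", "no restriction: any single method completes authentication")]
    findings = []
    for methods in alternatives:
        label = ",".join(methods)
        if required not in methods:  # strict match: bare keyboard-interactive is reported too
            findings.append((label, "can complete without " + required))
        elif all(m == required for m in methods):
            findings.append((label, required + " is the only factor"))
    return findings

if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for label, problem in results:
        print(label + ": " + problem)
    print("OK" if not results else "FAIL")
```

This only checks which method combinations sshd will accept; what the PAM stack returns for each of them has to be tested separately.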