On Wed, 2018-01-31 at 14:18 -0700, Orion Poplawski wrote:
> I'm trying to work out a pam configuration that will always require an
> OTP via google_authenticator in combination with any other auth method -
> gssapi, key, or password.
>
> I've tried to do this with this sshd config:
>
> # Kerberos / Public Key + PAM
> AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>
> and pam:
>
> auth substack password-auth
>
> The idea being that if ga prompts for a token, we're done, and sshd's
> password auth handles the password case.

But SSH password auth also calls the PAM stack. So I am not actually sure
this would work.

> But with this config, sshd fails with:
>
> sshd[23879]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=USER
> sshd[23879]: debug1: PAM: password authentication failed for USER: The return value should be ignored by PAM dispatch
>
> Which may be a bug/limitation in sshd, but I don't think I'm able to
> fix that.

Would 'auth sufficient pam_google_authenticator.so' work?

> At this point I'm thinking of something like:
>
> auth [success=done new_authtok_reqd=done] pam_google_authenticator.so
> auth sufficient "return success if no auth token is given"
> auth substack password-auth
>
> But how to achieve it? Thanks.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to
your conscience.]

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
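A small model of Linux-PAM's control-flag dispatch, added here as an illustration (it is neither part of the thread nor Linux-PAM's code), comparing the bracketed `[success=done new_authtok_reqd=done]` stack quoted above with the `sufficient` variant proposed in the reply. The `password-auth` substack is a constructed, simplified stand-in; the model assumes pam.conf(5)'s documented expansions of the named controls and that a bracketed control treats return codes it does not list as `bad`.

```python
# Toy model of Linux-PAM auth-stack dispatch (not Linux-PAM code) used to
# compare the two pam_google_authenticator stacks discussed in the thread.
SUCCESS, AUTHTOK, AUTH_ERR, PERM_DENIED = "success", "new_authtok_reqd", "auth_err", "perm_denied"

# Named controls expanded to their bracketed equivalents per pam.conf(5).
NAMED = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Map a control word or '[retcode=action ...]' to {retcode: action}.
    Return codes not listed in a bracketed control fall back to 'bad'."""
    spec = NAMED.get(control, control)
    table = dict(tok.split("=", 1) for tok in spec.strip("[]").split())
    table.setdefault("default", "bad")
    return table

def dispatch(stack, results):
    """Run one stack. stack: [(control, module or nested stack)],
    results: {module: retcode}. Returns the stack's final return code."""
    status = None                        # set by the first contributing module
    for control, target in stack:
        if control == "substack":        # nested stack: done/die stay inside it
            ret, table = dispatch(target, results), parse_control("required")
        else:
            ret, table = results[target], parse_control(control)
        action = table.get(ret, table["default"])
        if action == "ignore":
            continue
        # ok/done contribute unless an earlier module already failed;
        # bad/die: the first failure is what the whole stack reports.
        if status in (None, SUCCESS, AUTHTOK):
            status = ret
        if action in ("done", "die"):
            break
    return status if status is not None else PERM_DENIED  # nothing contributed

# Constructed, simplified stand-in for a distro /etc/pam.d/password-auth.
PASSWORD_AUTH = [("sufficient", "pam_unix.so"), ("sufficient", "pam_sss.so"),
                 ("required", "pam_deny.so")]
GA = "pam_google_authenticator.so"
BRACKET_STACK = [("[success=done new_authtok_reqd=done]", GA), ("substack", PASSWORD_AUTH)]
SUFFICIENT_STACK = [("sufficient", GA), ("substack", PASSWORD_AUTH)]

def compare(ga_result, unix_result=SUCCESS):
    """Outcome of (bracketed stack, sufficient stack) for the given module results."""
    results = {GA: ga_result, "pam_unix.so": unix_result,
               "pam_sss.so": AUTH_ERR, "pam_deny.so": AUTH_ERR}
    return dispatch(BRACKET_STACK, results), dispatch(SUFFICIENT_STACK, results)

if __name__ == "__main__":
    print("OTP ok:               ", compare(SUCCESS))   # both stop at 'done'
    print("OTP wrong, password ok:", compare(AUTH_ERR)) # differ: default=bad vs default=ignore
```

The two stacks agree whenever the OTP module succeeds; they part ways only when it fails, because the bracketed form's implicit `default=bad` records that failure while `sufficient`'s `default=ignore` lets the password substack decide.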