> On Wed, 2018-01-31 at 14:18 -0700, Orion Poplawski wrote:
>> I'm trying to work out a pam configuration that will always require an
>> OTP via google_authenticator in combination with any other auth method -
>> gssapi, key, or password.
>>
>> I've tried to do this with this sshd config:
>>
>> # Kerberos / Public Key + PAM
>> AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam
>> publickey,keyboard-interactive:pam password,keyboard-interactive:pam
>>
>> and pam:
>>
>> auth substack password-auth
>>
>> The idea being that if ga prompts for a token, we're done, and sshd's
>> password auth handles the password case.
>
> But SSH password auth also calls the PAM stack. So I am not actually
> sure this would work.

It does, but it calls it with a password specified, which I believe
bypasses the prompts for auth tokens.

>> But with this config, sshd fails with:
>>
>> sshd[23879]: pam_sss(sshd:auth): authentication success; logname=
>> uid=0 euid=0 tty=ssh ruser= rhost= user=USER
>> sshd[23879]: debug1: PAM: password authentication failed for USER:
>> The return value should be ignored by PAM dispatch
>>
>> Which may be a bug/limitation in sshd, but I don't think I'm able to
>> fix that.
>
> Would 'auth sufficient pam_google_authenticator.so' work?

That results in users without OTPs configured being prompted for their
regular passwords twice when going the password route (since I'm also
specifying nullok) - once by sshd (via password) and once via pam
(through the keyboard route). But perhaps I just don't support that case.

>> At this point I'm thinking of something like:
>>
>> auth [success=done new_authtok_reqd=done] pam_google_authenticator.so
>> auth sufficient "return success if no auth token is given"
>> auth substack password-auth
>>
>> But how to achieve it? Thanks.
>>
>> --
>> Orion Poplawski
>> Manager of NWRA Technical Systems          720-772-5637
>> NWRA, Boulder/CoRA Office             FAX: 303-415-9702
>> 3380 Mitchell Lane                       orion@xxxxxxxx
>> Boulder, CO 80301                   https://www.nwra.com/

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
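The thread turns on two things that are easy to get wrong and hard to see by eye: which `AuthenticationMethods` alternatives actually reach an interactive PAM prompt, and what the control flag and `nullok` on the `pam_google_authenticator.so` line let through. The script below is an added example (not part of the thread, not NWRA's or the PAM project's code) that statically audits an `sshd_config` fragment and a `pam.d` auth stack against the policy Orion states: an OTP must always be required alongside another method. The sample configurations embedded in it are constructed for illustration; the first mirrors the thread's `AuthenticationMethods` line plus the `sufficient ... nullok` variant discussed in the replies, the second is a hardened variant with the `password` alternative dropped and the module set to `required`. The finding about sshd's `password` method relies on sshd answering every PAM prompt with the supplied password when it runs the stack for that method, which is why an OTP can only be collected through `keyboard-interactive:pam`.

```python
"""Audit sshd AuthenticationMethods + a pam.d auth stack for an
"OTP always required" policy. Added example with constructed inputs."""
import re

OTP_MODULE = "pam_google_authenticator.so"
PAM_METHOD = "keyboard-interactive:pam"

# Constructed sample: the thread's sshd line, plus the 'sufficient ... nullok'
# PAM line that the replies discuss (not the thread's actual pam.d file).
SSHD_THREAD = """\
# Kerberos / Public Key + PAM
AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam password,keyboard-interactive:pam
"""
PAM_THREAD = """\
auth sufficient pam_google_authenticator.so nullok
auth substack password-auth
"""

# Constructed hardened variant: no password-only route, OTP module required.
SSHD_STRICT = "AuthenticationMethods gssapi-with-mic,keyboard-interactive:pam publickey,keyboard-interactive:pam\n"
PAM_STRICT = "auth required pam_google_authenticator.so\nauth substack password-auth\n"


def _strip_comment(line):
    return line.split("#", 1)[0].strip()


def parse_auth_methods(sshd_config):
    """Return AuthenticationMethods as a list of alternatives; each alternative
    is the list of methods that must all succeed (sshd_config separates
    alternatives with spaces and methods within one alternative with commas).
    Returns None when the directive is absent."""
    for line in sshd_config.splitlines():
        s = _strip_comment(line)
        if not s:
            continue
        key, _, value = s.partition(" ")
        if key.lower() == "authenticationmethods":
            return [alt.split(",") for alt in value.split()]
    return None


# type, control (keyword or bracketed [value=action ...]), module, optional args
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_pam_auth(pam_stack):
    """Return (control, module, args) for every 'auth' line in a pam.d file."""
    entries = []
    for line in pam_stack.splitlines():
        s = _strip_comment(line)
        m = PAM_LINE.match(s) if s else None
        if not m or m.group(1) != "auth":
            continue
        entries.append((m.group(2), m.group(3), (m.group(4) or "").split()))
    return entries


def audit(sshd_config, pam_stack):
    """Return a list of (severity, message) findings; empty means policy holds."""
    findings = []
    alts = parse_auth_methods(sshd_config)
    if alts is None:
        findings.append(("error", "AuthenticationMethods unset: any single method logs the user in"))
    else:
        for alt in alts:
            name = ",".join(alt)
            if PAM_METHOD not in alt:
                findings.append(("error", f"{name}: no {PAM_METHOD}, so the interactive OTP prompt never happens"))
            if "password" in alt:
                findings.append(("warn", f"{name}: sshd's password method runs the PAM auth stack with the "
                                         "password pre-supplied to every prompt; the OTP is only collected "
                                         f"by {PAM_METHOD}"))
    otp_entries = [e for e in parse_pam_auth(pam_stack) if e[1].endswith(OTP_MODULE)]
    if not otp_entries:
        findings.append(("error", f"{OTP_MODULE} is not in the PAM auth stack"))
    for control, _, args in otp_entries:
        if control == "sufficient":
            findings.append(("warn", "sufficient: a correct OTP ends the PAM stack, so later modules "
                                     "(e.g. the password-auth substack) do not run; the second factor "
                                     "must then come from sshd's AuthenticationMethods"))
        elif control == "optional":
            findings.append(("error", "optional: an OTP failure does not fail authentication"))
        if "nullok" in args:
            findings.append(("warn", "nullok: users with no enrolled secret skip the OTP factor entirely"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("thread", (SSHD_THREAD, PAM_THREAD)), ("strict", (SSHD_STRICT, PAM_STRICT))):
        print(f"== {label} ==")
        for severity, message in audit(*cfg) or [("ok", "policy holds")]:
            print(f"  [{severity}] {message}")
```

Run against the thread-like sample it reports three warnings (the `password` alternative, `sufficient`, and `nullok`); against the hardened variant it reports nothing. The module match uses `endswith` so a full path such as `/lib64/security/pam_google_authenticator.so` is recognised too.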