pam configuration for mobile one-time-password
Gergely Buday
gbuday at gmail.com
Fri Feb 10 12:03:59 UTC 2012
Hi,
I am trying to configure mobile one-time-password so that ssh
authenticates with that. See
http://motp.sourceforge.net/
for details. I was suggested to add
auth sufficient /lib64/security/pam_mobile_otp.so not_set_pass
password required /lib64/security/pam_mobile_otp.so debug
account required /lib64/security/pam_mobile_otp.so
to the beginning of /etc/pam.d/sshd . But it is not clear how should I
rewrite the default rest. Simply leaving the rest intact I get the
following behaviour: upon bad passcode I get "passcode not accepted"
in /var/log/messages. Upon good code nothing appears there, but the
login does not happen. What sequence of pam shared objects should run
on fedora 16 to make the login happen? Or, how should I rewrite the
lines below to make it work? I tried several variations but in vain.
Here is the rest of /etc/pam.d/sshd :
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be
executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
where postlogin is empty, and password-auth is
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session required pam_unix.so
- Gergely
More information about the users
mailing list