pam configuration for mobile one-time-password

Gergely Buday gbuday at gmail.com
Fri Feb 10 12:03:59 UTC 2012


Hi,

I am trying to configure mobile one-time-password so that ssh
authenticates with it. See

http://motp.sourceforge.net/

for details. It was suggested that I add

auth       sufficient   /lib64/security/pam_mobile_otp.so not_set_pass
password   required     /lib64/security/pam_mobile_otp.so debug
account    required     /lib64/security/pam_mobile_otp.so

to the beginning of /etc/pam.d/sshd. But it is not clear how I should
rewrite the rest of the default configuration. Simply leaving the rest
intact, I get the following behaviour: upon a bad passcode I get
"passcode not accepted" in /var/log/messages. Upon a good code nothing
appears there, but the login does not happen. What sequence of pam
shared objects should run on Fedora 16 to make the login happen? Or,
how should I rewrite the lines below to make it work? I tried several
variations, but in vain.

Here is the rest of /etc/pam.d/sshd:

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

where postlogin is empty, and password-auth is

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

- Gergely
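The behaviour in the post comes down to how Linux-PAM stacks the control flags, so here is a small simulator of the rules in pam.conf(5) (required/requisite/sufficient/optional, the [value=action] form, include and substack). It is an added example, not code from the post or from the motp project. It replays the auth and account lines of the sshd and password-auth stacks quoted above (password and session lines left out) against constructed module outcomes; it does not model prompting or authtok passing, and any module without a constructed outcome is assumed to succeed. Which return code pam_mobile_otp.so really gives in the account phase is not known from the post; the PAM_PERM_DENIED account scenario below is a hypothetical one chosen to show what a failing `required` account entry does.

```python
"""Linux-PAM stacking simulator. Added example (not code from the post or the motp
project): implements the control-flag rules of pam.conf(5) and replays the sshd
auth/account stacks quoted above against constructed module outcomes."""
import os

SUCCESS, IGNORE, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
# pam.conf(5): the keyword controls are shorthand for these [value=action] tables.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse(text):
    """pam.d text -> {type: [(control, module basename, args)]}; comments dropped."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("-")   # a leading '-' only quiets the missing-module log entry
        if not line or line.startswith("#"):
            continue
        typ, rest = line.split(None, 1)
        if rest.startswith("["):         # a bracketed control contains spaces
            ctrl, rest = rest.split("]", 1)
            ctrl += "]"
        else:
            ctrl, rest = rest.split(None, 1)
        module, *args = rest.split()
        stacks.setdefault(typ, []).append((ctrl, os.path.basename(module), args))
    return stacks

def _dispatch(files, entries, typ, outcomes, state, trace):
    """Walk one entry list; returns True when a done/die ended this (sub)stack."""
    i = 0
    while i < len(entries):
        ctrl, module, _ = entries[i]
        i += 1
        if ctrl in ("include", "substack"):
            ended = _dispatch(files, files[module].get(typ, []), typ, outcomes, state, trace)
            if ended and ctrl == "include":  # done/die inside a substack ends only the substack
                return True
            continue
        code = outcomes.get(module, SUCCESS)  # modules without a constructed outcome succeed
        trace.append(module)
        table = dict(kv.split("=", 1) for kv in KEYWORDS.get(ctrl, ctrl)[1:-1].split())
        action = table.get(code[4:].lower(), table.get("default", "bad"))
        prior_failure = state["imp"] == "neg" or (state["imp"] == "pos" and state["status"] != SUCCESS)
        if action in ("bad", "die"):
            if state["imp"] != "neg":         # the first failure is the one reported
                state.update(imp="neg", status=code)
            if action == "die":
                return True
        elif action != "ignore":              # ok, done, or a jump N (ok plus skip N entries)
            if not prior_failure and code != IGNORE:
                state.update(imp="pos", status=code)
            if action == "done" and state["imp"] == "pos" and state["status"] == SUCCESS:
                return True                   # sufficient: success and no prior failure
            if action.isdigit():
                i += int(action)
    return False

def run(files, service, typ, outcomes):
    """Run management group `typ` of `service`; returns (status, modules called in order)."""
    state, trace = {"imp": None, "status": SUCCESS}, []
    _dispatch(files, files[service].get(typ, []), typ, outcomes, state, trace)
    if state["imp"] is None:                  # nothing contributed: Linux-PAM fails closed
        state["status"] = PERM_DENIED
    return state["status"], trace

# Constructed input: the auth/account lines of the stacks quoted in the post; postlogin is empty.
SSHD = """
auth       sufficient   /lib64/security/pam_mobile_otp.so not_set_pass
account    required     /lib64/security/pam_mobile_otp.so
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
"""
PASSWORD_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
"""
FILES = {"sshd": parse(SSHD), "password-auth": parse(PASSWORD_AUTH), "postlogin": parse("")}

def sshd_auth(otp_ok, password_ok):
    """Constructed outcomes: an ordinary (uid >= 1000) user; pam_deny always fails."""
    return run(FILES, "sshd", "auth", {"pam_mobile_otp.so": SUCCESS if otp_ok else AUTH_ERR,
                                        "pam_unix.so": SUCCESS if password_ok else AUTH_ERR,
                                        "pam_deny.so": AUTH_ERR})

def sshd_account(otp_account_code):
    """Account phase; `uid < 1000` is false for an ordinary user, so pam_succeed_if fails."""
    return run(FILES, "sshd", "account", {"pam_mobile_otp.so": otp_account_code,
                                           "pam_succeed_if.so": AUTH_ERR})
```

Calling sshd_auth(True, False) returns PAM_SUCCESS after calling only pam_mobile_otp.so: the `sufficient` line at the top ends the auth phase before pam_sepermit or pam_unix run. sshd_auth(False, True) also returns PAM_SUCCESS, via pam_unix, so with this layout the passcode is an alternative to the UNIX password rather than a second factor. sshd_auth(False, False) ends in PAM_AUTH_ERR from pam_deny. sshd_account("PAM_PERM_DENIED") shows that once a `required` account entry fails, every later module still runs but the first failure is what gets reported, so a passed auth phase still ends in a refused login.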