Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


02-10-2012, 11:03 AM
Gergely Buday

pam configuration for mobile one-time-password

Hi,

I am trying to configure mobile one-time-password so that ssh
authenticates with that. See

http://motp.sourceforge.net/

for details. It was suggested that I add

auth sufficient /lib64/security/pam_mobile_otp.so not_set_pass
password required /lib64/security/pam_mobile_otp.so debug
account required /lib64/security/pam_mobile_otp.so

to the beginning of /etc/pam.d/sshd. But it is not clear how I should
rewrite the rest of the defaults. Simply leaving the rest intact, I get the
following behaviour: upon a bad passcode I get "passcode not accepted"
in /var/log/messages. Upon a good code nothing appears there, but the
login does not happen. What sequence of PAM shared objects should run
on Fedora 16 to make the login happen? Or, how should I rewrite the
lines below to make it work? I tried several variations, but in vain.

Here is the rest of /etc/pam.d/sshd :

auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin

where postlogin is empty, and password-auth is

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

- Gergely
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
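
How the control flags in the stacks posted above decide which modules are consulted, as an added example that is not part of the original thread: a simplified Python model of Linux-PAM's required / requisite / sufficient / optional handling. The per-module results are constructed assumptions, and the model covers neither sshd's own checks nor the internals of pam_mobile_otp.

```python
# Simplified model of Linux-PAM walking one stack (auth or account).
# Bracketed [value=action] controls and jumps are not modelled.

def evaluate(stack, results):
    """stack: list of (control, module); results: module -> True/False.
    Returns (granted, modules_consulted)."""
    required_failed = False
    any_success = False
    consulted = []
    for control, module in stack:
        ok = results[module]
        consulted.append(module)
        if ok:
            if control == "sufficient" and not required_failed:
                return True, consulted   # short-circuit: the rest is skipped
            any_success = True
        elif control == "requisite":
            return False, consulted      # fail immediately
        elif control == "required":
            required_failed = True       # will fail, but later modules still run
        # a failed sufficient/optional module is ignored
    return (any_success and not required_failed), consulted

# Stacks from the posted /etc/pam.d/sshd with the three mOTP lines on top.
# password-auth is flattened; equivalent here because postlogin is empty.
AUTH = [("sufficient", "pam_mobile_otp"), ("required", "pam_sepermit"),
        ("required", "pam_env"), ("sufficient", "pam_unix"),
        ("requisite", "pam_succeed_if"), ("required", "pam_deny")]
ACCOUNT = [("required", "pam_mobile_otp"), ("required", "pam_nologin"),
           ("required", "pam_unix"), ("sufficient", "pam_localuser"),
           ("sufficient", "pam_succeed_if"), ("required", "pam_permit")]

# Constructed module results (assumptions, not observed behaviour).
BASE = {"pam_sepermit": True, "pam_env": True, "pam_unix": False,
        "pam_succeed_if": True, "pam_deny": False}
GOOD_CODE = dict(BASE, pam_mobile_otp=True)    # passcode accepted
BAD_CODE = dict(BASE, pam_mobile_otp=False)    # passcode rejected
ACCT_OK = {"pam_mobile_otp": True, "pam_nologin": True, "pam_unix": True,
           "pam_localuser": True, "pam_succeed_if": False, "pam_permit": True}
ACCT_DENY = dict(ACCT_OK, pam_mobile_otp=False)  # hypothetical account failure

if __name__ == "__main__":
    for name, stack, res in [("auth/good", AUTH, GOOD_CODE),
                             ("auth/bad", AUTH, BAD_CODE),
                             ("account/ok", ACCOUNT, ACCT_OK),
                             ("account/deny", ACCOUNT, ACCT_DENY)]:
        print(name, evaluate(stack, res))
```

A successful `auth sufficient` line ends only the auth stack; the account stack is evaluated separately, and a failing `required` module there still denies the login.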
 
02-10-2012, 01:27 PM
Gergely Buday

pam configuration for mobile one-time-password

By using a non-root userid it works. So the problem was with using
root in motp.conf. Sorry to bother the list with this but there is no
mailing list for the mobile one-time-password project.

- Gergely