
Re: [OATH-Toolkit-help] pam_oath and pam_ldap together?


From: Ilkka Virta
Subject: Re: [OATH-Toolkit-help] pam_oath and pam_ldap together?
Date: Fri, 22 May 2015 14:38:29 +0300
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 19.5. 13:25, Simon Josefsson wrote:
> Patrick Proniewski <address@hidden> writes:
>> Is it possible to authenticate on a server through pam_ldap (non-local
>> users) with the added security of pam_oath?

It depends.

You could do it the same way as with pam_unix:

  /etc/pam.d/common-auth:
  auth    required        pam_unix.so nullok_secure
  auth    required        pam_oath.so debug usersfile=/etc/users.oath window=3

plink:~$ ssh address@hidden " echo OK! "
Password:
One-time password (OATH) for `cartman':
OK!

(and set ChallengeResponseAuthentication yes and UsePAM yes in sshd_config)

That should work with pam_ldap too, but the major downside is that you need to have the usersfile locally and the keys cannot be shared between machines. Another feature of that configuration is that since the authentication steps are totally separate, the OTP counter will advance whenever the OTP is correct, even if the static password is invalid.

If you want to have the OTP keys centralized in LDAP, then I don't know if there is anything ready-made for that.

> No, not to my knowledge. A lot of PAM modules include LDAP support natively to address this use-case.

Hmm, what modules are there that do it?

--
Ilkka Virta <address@hidden>
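The counter-advance behaviour Ilkka describes (a correct OTP is consumed even when the static password is wrong, because the two `required` modules run independently) as an added example, not code from the original mail or from oath-toolkit: a Python model of RFC 4226 HOTP plus a two-module PAM stack. `OathStore` and `pam_stack` are assumed, simplified stand-ins for pam_oath's usersfile state and PAM's `required` semantics, not the real APIs.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OathStore:
    """Assumed, simplified in-memory stand-in for the per-user state pam_oath keeps
    in its usersfile: the HOTP key and the next expected counter."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = dict(keys)
        self.counter = {user: 0 for user in keys}

    def verify(self, user: str, otp: str, window: int = 3) -> bool:
        """Accept if otp matches one of the next `window` counters and move the stored
        counter past the match. The OTP is consumed here, regardless of what the
        rest of the PAM stack decides afterwards."""
        if user not in self.keys:
            return False
        start = self.counter[user]
        for c in range(start, start + window):
            if hmac.compare_digest(hotp(self.keys[user], c), otp):
                self.counter[user] = c + 1
                return True
        return False


def pam_stack(password_ok: bool, store: OathStore, user: str, otp: str) -> bool:
    """Two 'required' modules as in the common-auth above: pam_unix is modelled by
    the password_ok flag, pam_oath by store.verify(). Both always run; the stack
    fails if either fails, but pam_oath's counter advance has already happened."""
    unix_ok = password_ok
    oath_ok = store.verify(user, otp)
    return unix_ok and oath_ok


def demo() -> tuple[bool, bool, int]:
    # Constructed key (the RFC 4226 test-vector secret), not any real user's key.
    store = OathStore({"cartman": b"12345678901234567890"})
    otp = hotp(store.keys["cartman"], 0)                  # "755224"
    denied = pam_stack(False, store, "cartman", otp)      # bad password, valid OTP
    replay = pam_stack(True, store, "cartman", otp)       # same OTP retried: burned
    return denied, replay, store.counter["cartman"]       # (False, False, 1)
```

The second call fails even with the right password because the first, rejected login already advanced the counter; the user must use the next OTP.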


