oath-toolkit-help

Re: [OATH-Toolkit-help] One Time Password in SLiM


From: Christian Hesse
Subject: Re: [OATH-Toolkit-help] One Time Password in SLiM
Date: Sat, 30 Apr 2011 10:41:44 +0200

Simon Josefsson <address@hidden> on Sat, 30 Apr 2011 09:05:41 +0200:
> Christian Hesse <address@hidden> writes:
> 
> > Christian Hesse <address@hidden> on Fri, 29 Apr 2011 22:24:19 +0200:
> >> xscreensaver to go...
> >
> > This is gonna be kind of monologue... :D
> >
> > Ok, here are the new facts: Authentication succeeds if I add 'alwaysok' to
> > pam_oath. So the communication between xscreensaver and pam_oath is ok.
> > Does the pam module have a problem accessing the usersfile? xscreensaver
> > is run as user (uid 1000 or something...).
> ...
> > [pam_oath.c:pam_sm_authenticate(303)] authenticate rc -11 last otp Thu
> > Jan  1 01:00:00 1970
> 
> -11 means OATH_NO_SUCH_FILE, i.e., the usersfile could not be
> found/opened.  The usersfile is normally owned by root and no other has
> access.

It is. ;) Surely this file should not be world readable.

> It could be a configuration error, what does your xscreensaver
> PAM line look like?

It's the same line I use for slim, su, ...

> How does xscreensaver/pam_unix solve this for
> e.g. /etc/shadow?  Doesn't xscreensaver have to be setuid-root for
> things to work?

No, xscreensaver is not setuid-root. Usually it does not need to be if it
uses PAM. pam_unix has a little helper program, /sbin/unix_chkpwd. This one is
setuid-root. Do we need something like that as well?

> Btw, I find your "monologue" interesting, it is the kind of feedback
> that is important -- we don't know where pam_oath works without someone
> testing it and reporting about it.

:D
-- 
Schoene Gruesse
Chris
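
The failure discussed in this message, as an added example that is not part of the thread and not oath-toolkit code: a small check that tells whether the process loading the PAM module can open the usersfile at all (the rc -11 case) and whether the file is exposed to other users. The names `classify` and `check_usersfile` are hypothetical, and the path is supplied by the caller.

```c
/* Added example: diagnose why pam_oath, loaded into an unprivileged
 * process, cannot open its usersfile. Not oath-toolkit code. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum uf_result { UF_OK, UF_UNREADABLE, UF_TOO_OPEN, UF_NO_STAT };

/* Decide from the mode bits and ownership alone. Stricter than the
 * kernel: any group/other permission bit is reported as a hazard,
 * because the file holds OTP secrets. ACLs are not considered. */
enum uf_result classify(mode_t mode, uid_t owner, uid_t euid)
{
    if (mode & (S_IRWXG | S_IRWXO))
        return UF_TOO_OPEN;
    if (euid == 0)
        return UF_OK;                 /* root bypasses the mode bits */
    if (euid == owner && (mode & S_IRUSR))
        return UF_OK;
    return UF_UNREADABLE;             /* the uid-1000 xscreensaver case */
}

enum uf_result check_usersfile(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return UF_NO_STAT;            /* missing, or directory not searchable */
    return classify(st.st_mode & 07777, st.st_uid, geteuid());
}

int main(int argc, char **argv)
{
    static const char *msg[] = {
        "readable by this process and not exposed to others",
        "not readable by this euid: the module cannot open it",
        "group/other bits set: secrets exposed to other users",
        "cannot stat the path",
    };
    if (argc != 2) {
        fprintf(stderr, "usage: %s <usersfile path>\n", argv[0]);
        return 2;
    }
    enum uf_result r = check_usersfile(argv[1]);
    printf("euid %ld: %s\n", (long)geteuid(), msg[r]);
    return r == UF_OK ? 0 : 1;
}
```

Run it as the same user that runs the PAM-using program; a root-owned file with mode 0600 reports as unreadable for any non-root euid, which matches the behaviour seen with xscreensaver.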


