[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [OATH-Toolkit-help] [patch] Allow ignoring password in pam_unix user

From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] [patch] Allow ignoring password in pam_unix usersfile
Date: Fri, 04 Jan 2013 11:43:11 +0100
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/24.3.50 (gnu/linux)

Ilkka Virta <address@hidden> writes:

> Hi,
> pam_oath currently has the capability to read a static password in
> addition to the OTP. The static part of the password is also saved
> to PAM_AUTHTOK, and it could be used by another module in the PAM
> stack, for example pam_unix.so try_first_pass.
> However, pam_oath also always checks the password against the one in
> the usersfile, so getting pam_oath and pam_unix to authenticate
> using a simple prompt is impossible.

Hello!  Good point.

Can you share a configuration which allows you to verify an OTP using
pam_oath and the password using some other PAM module?

I think people rightly have expressed unhappiness with putting passwords
in a file like the usersfile.  Possibly this example configuration
should be in the README, and this method should be recommended instead
of the current one.

Did you notice any difference in the way the PAM user prompts behaved
with a configuration like that?

> I can't tell from the documentation what the semantics regarding this
> are supposed to be, so I suggest changing the usersfile handling such
> that if the saved password is '*' (a lone asterisk), the password
> check is disabled, allowing the use of pam_unix to check the static
> part of the password. The attached patch implements this.

Thank you, applied.  I used + instead of * for compatibility with


reply via email to

[Prev in Thread] Current Thread [Next in Thread]