[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[OATH-Toolkit-help] Bug or feature?

From: Thomas Samoht
Subject: [OATH-Toolkit-help] Bug or feature?
Date: Tue, 5 Feb 2019 22:10:24 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

Mint 19.1 64 bit, current updates

Hi all,

my aim is to use a Feitian OTP generator (e.g. the c200) or alike to
have a 2FA on my linux system for a specific list of users. In order to
check, if that is possible, I wanted to start with just a single user
(=> "sophia"), and having the numbers be generated locally (i.e. before
buying the hardware generator)


I set up the oath toolkit and the pam_auth module as described in your
readme with a

cat /etc/users.oath
# Option user prefix seed
HOTP/T30/6      sophia  -       c6b4e2abb426a588e6f038dbf39dd6

and a line of
auth            required      pam_oath.so usersfile=/etc/users.oath
window=10 digits=6

just in "/etc/pam.d/su" right after the line with the pam_rootok.so (I
also tried in common-auth before the "default" block, as described
within there),

Then I tried a

        su - sophia

and as expected, I got a

        One-time password (OATH) for `sophia':

line and after entering the correct number (retrieved by oathtool
--totp), I was asked to enter the password of that user.

So far, so good, as this was exactly what I expected and what I wanted.
[and the line in users.oath was updated correctly]


However, then I tried "su - ", "su - root", or "su - otheruser", and
found that an OTP was also asked for those users.

Is this the intended behaviour or a bug? And what do I have to do to
have only an OTP-2FA for the users listed in the users.oath file?


With kind regards,

reply via email to

[Prev in Thread] Current Thread [Next in Thread]