[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pam_oath: unable to use user_unknown

From: Mark Hills
Subject: pam_oath: unable to use user_unknown
Date: Tue, 2 Feb 2021 13:12:09 +0000 (GMT)

I am using pam_oath over SSH, with the aim that logins are principally via 
SSH key. If that is successful, there should be an OATH step for some 

So if a user doesn't have an entry in /etc/users.oath, they should pass 
that step.

I've reduced /etc/pam.d/sshd to a single line for testing:

  auth [success=done user_unknown=done default=die] pam_oath.so 
usersfile=/etc/users.oath window=30 digits=6 debug

Where there is an entry in /etc/users.auth, the results are as expected.

But for users not listed, OATH prompt is still shown, and always fails.

The issue is compounded by a lack of debug information, despite the 
"debug" flag to pam_auth. Where does this debug go?

I'm running "/usr/sbin/sshd -dd" and using "ssh -v" to login, but no debug 
messages are seen at either console, or syslog.

I note pam_oath sends debug to stdout, is this the correct design or 
should it be stderr?

The target system is Alpine Linux with its "openssh-server-pam"; linux-pam 
1.3.1; oath-toolkit 2.6.2. The relevant SSH configuration is:

  PubkeyAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication yes
  UsePAM yes
  AuthenticationMethods publickey,keyboard-interactive



reply via email to

[Prev in Thread] Current Thread [Next in Thread]