Password checking slip based on group membership (sshd)
- Subject: Password checking slip based on group membership (sshd)
- From: "Dragos P." <thenucker2004@xxxxxxxxx>
- Date: Thu, 20 Oct 2011 23:50:44 -0700 (PDT)
Dear list,
I am trying to split the password checking based on the group ID of the users logging in through ssh,
like this:
if user ingroup otp then
use pam_otp for password auth
else
use pam_unix for authentication
The passwords are different.
Consider 2 users: dragos dragos2
id dragos
uid=500(dragos) gid=500(dragos) groups=500(dragos),503(OTP)
id dragos2
uid=502(dragos2) gid=502(dragos2) groups=502(dragos2)
The configuration below is working fine but I am trying to solve 2 problems:
1. If a user has gid 500 and pam_otp fails, it falls back to the pam_unix password,
which I don't want.
2. I don't understand why "pam_succeed_if.so quiet user ingroup otp" is not working.
Authentication fails with "permission denied"? This is what I actually need.
/etc/pam.d/sshd
#%PAM-1.0
auth [default=1 success=ignore] pam_succeed_if.so quiet gid eq 500
auth sufficient pam_otp.so sshd
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
#auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Regards,
Dragos
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
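As an added example (not from the original post, and not taken from pam_otp or Linux-PAM documentation), here is one way to write the auth stack so that a member of the OTP group is decided by pam_otp alone and never falls through to pam_unix, while everyone else is decided by pam_unix alone. It assumes pam_otp.so behaves like an ordinary auth module (PAM_SUCCESS for a good token, a failure code otherwise), that the group is named OTP exactly as in the id output above (pam_succeed_if matches the group name as written), and it keeps the original uid >= 500 policy. The jump counts (success=1, default=1) refer to the number of following auth lines to skip, so the order of lines matters.

```conf
#%PAM-1.0
# Hypothetical /etc/pam.d/sshd auth stack (added example, not the poster's config).
# Line A: if the user is in group OTP, continue to line B (ok);
#         otherwise skip one line (default=1) straight to line C.
auth    [success=ok default=1]   pam_succeed_if.so quiet user ingroup OTP
# Line B: OTP users are decided here. On success skip line C (success=1)
#         so pam_unix is never consulted; on any other result stop the
#         stack immediately and fail (default=die): no fallback.
auth    [success=1 default=die]  pam_otp.so sshd
# Line C: non-OTP users: ordinary password via pam_unix; a failure stops the stack.
auth    [success=ok default=die] pam_unix.so nullok try_first_pass
auth    required                 pam_env.so
# Keep the original policy of only allowing uid >= 500 through.
auth    requisite                pam_succeed_if.so uid >= 500 quiet
```

Two points worth checking against the original stack: "gid eq 500" tests only the user's primary group, so it matches dragos because gid 500 is his primary group, not because he is in OTP (503); "user ingroup OTP" tests supplementary membership, which is what the id output shows. And because the bracketed actions count lines, inserting any auth line between A, B and C changes where the jumps land, so re-read the stack after every edit and test both a good and a bad OTP token for an OTP user, and a non-OTP user, before relying on it.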