Creating a two man login module
Vladimir.Grujic at oriontelekom.rs
Wed Oct 16 20:49:17 CEST 2013
You can use Google two-factor authentication where each user provides the token for another paired user. Both of them hold their own passwords, and the token is appended to it.
From: "PEOPLES, MICHAEL P" <mp4783 at att.com>
To: "freeradius-devel at lists.freeradius.org" <freeradius-devel at lists.freeradius.org>
Sent: Wed, Oct 16, 2013 18:21:06 GMT+00:00
Subject: Creating a two man login module
I am very new to RADIUS and C, so feel free to point and laugh.
On Red Hat Enterprise Linux 5, I wish to create a login module that would require the “consent” of two users before either could log in.
I have already modified the pam_radius module to perform a few of the things I need and I know where to “intercept” the authentication process to control whether it is successful or not. When authenticating for sudo, the modified code seems to perform most of what I want. However, my problem is with initial system login.
What I cannot figure out is how to provide a prompt during the initial system login so that the two users can “interact”. I need to be able to do the following:
1. Provide a standard login prompt and accept the user's PIN + Token
2. Generate and display a random number
3. Provide a prompt where that random number can be typed in
My experience with the pam_radius module gives me confidence that I can code the underlying “logic” of the process. What I can’t figure out is where do I code the prompts? There are suggestions that it is in one of the “getty” type processes, but I cannot figure it out.
Any help would be very much appreciated, including the suggestion that what I’m trying to do is either ill-advised (I’m not sure why that would be) or extremely difficult (i.e. requires modifying the core kernel).
Michael Peoples (mp4783)
iGEMS COE, Deployment, Engineering, Application Support and Security
Global Service Assurance, M5
AT&T Business Solutions
Office: +1 614-886-0923
Mobile: +1 614-886-0923
Senior Systems Manager
mpeoples at att.com