Creating a two man login module
b.candler at pobox.com
Wed Oct 16 21:10:36 CEST 2013
On 16/10/2013 19:20, PEOPLES, MICHAEL P wrote:
> What I can't figure out is where do I code the prompts? There are
> suggestions that it is in one of the "getty" type processes, but I
> cannot figure it.
You could try returning appropriate responses from the PAM "conversation
function". In principle it ought to be able to engage in a
challenge-response-challenge-response type of exchange. I don't have any
sample code, but the pam_opie module might be a good starting point.
In practice, many clients of PAM (e.g. POP3 daemons) just collect a
username and password and blindly squirt them at the conversation
function, assuming that it will always be prompting for username and
But if the login access method you are using supports this extended
exchange, it *may* interact properly with PAM for it.
You are probably interested in console getty and/or ssh; and I think ssh
v2 supports a "keyboard-interactive" exchange which I believe is a
If you are writing a custom PAM module, you can make it do whatever you
like to validate the two passwords - two separate RADIUS queries for
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Freeradius-Devel