Multiple authentication methods at the same time?

Gary Gatten Ggatten at waddell.com
Wed Feb 16 23:36:59 CET 2011


Hi,

I thought this would be easy but now I'm wondering if it will be
possible at all.  We are transitioning to a DMZ for all ssh logins.
During phase one, people will use a standard (but different than
internal) password which will be obtained either through LDAP or
the passwd module (we just haven't picked one yet, either should
be fine).

But eventually the DMZ ssh will need to be OTP.  So I wanted to
be able to offer OTP as an option during transition for people to
try out and get used to while still being able to use their other
traditional password.

So fallback in the case of one method (e.g. LDAP) being unavailable
is pretty easy.  But in this case both methods would be available,
and I'd want to test the password against both methods.

Is this even possible?  It seems like once it has found a working
module in authorize, it can only use that one module in authenticate.

What's the solution?


I don't understand the question 100%.  If you want different users to test different methods (LDAP, OTP, etc.) - that's fairly easy.  If you want a given user "Bob" to test different methods concurrently, that sounds tricky - and I'm not sure what you wish to accomplish with that...  You MAY be able to do something with "Fallthrough" and "Post Auth" - but again, I'm not exactly sure what you're trying to accomplish...

G






More information about the Freeradius-Users mailing list