Multiple authentication methods at the same time?
Alexander Clouter
alex at digriz.org.uk
Thu Feb 17 00:02:31 CET 2011
Thomas A. Fine <fine at head.cfa.harvard.edu> wrote:
>
> I thought this would be easy but now I'm wondering if it will be
> possible at all. We are transitioning to a DMZ for all ssh logins.
> During phase one, people will use a standard (but different than
> internal) password which will be obtained either through LDAP or
> the passwd module (we just haven't picked one yet, either should
> be fine).
>
Why? Just use public-key auth.
Slap all your keys in LDAP; my FUSE program caches keys in case your LDAP
servers go walkies:
http://www.digriz.org.uk/lpkfuse
It's 2011, stop using password auth for SSH. :)
> But eventually the DMZ ssh will need to be OTP. So I wanted to
> be able to offer OTP as an option during transition for people to
> try out and get used to while still being able to use their other
> traditional password.
>
This sort of thing I probably would solve with PAM. Put in your
/etc/pam.d/sshd file something like:
----
auth sufficient pam_radius_auth.so
auth required pam_opie.so
----
SSH will try public-key, then fall onto password auth with RADIUS, then
fall onto OTPs (via OPIE). You could replace pam_opie.so with another
pam_radius_auth.so instance but pass 'conf=/etc/alt-config'.
> So fallback in the case of one method (e.g. LDAP) being unavailable
> is pretty easy. But in this case both methods would be available,
> and I'd want to test the password against both methods.
>
For OTP to work, the user needs to be presented with a challenge, so get
them to send a blank password (use unlang in authorize to catch this);
then a challenge is returned and the auth becomes OTP (even if the
challenge is "Reply-Message := What does your fob say?").
> Is this even possible? It seems like once it has found a working
> module in authorize, it can only use that one module in authenticate.
>
> What's the solution?
>
Use PAM. It could be done with RADIUS, but for SSH you really need to
join the rest of us here in 2011 :P
Cheers
--
Alexander Clouter
.sigmonster says: You will be winged by an anti-aircraft battery.
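The blank-password-to-challenge trick described in the reply above, written out as an added unlang sketch (not from the original post or the FreeRADIUS project). It assumes FreeRADIUS 2.x unlang syntax in the `authorize` section of a virtual server, that `control:Response-Packet-Type` and the `handled` return code behave as they do in that release, and that `Auth-Type := OTP` and the `ldap` module instance are the names used in your own configuration; the State value is a constructed marker.

```unlang
authorize {
    preprocess

    # Phase 1: no State and an empty password means the client has not
    # yet seen a challenge. Send one back as an Access-Challenge and
    # attach a State attribute so the follow-up request is recognisable.
    if (!State && (User-Password == "")) {
        update reply {
            Reply-Message := "What does your fob say?"
            State := 0x0102   # constructed opaque marker for this sketch
        }
        update control {
            Response-Packet-Type := Access-Challenge
        }
        handled
    }

    # Phase 2: the client echoed State back, so User-Password now holds
    # the OTP response. Route it to the OTP module (assumed Auth-Type name)
    # instead of the normal password path.
    if (State) {
        update control {
            Auth-Type := OTP
        }
    }
    else {
        # Ordinary password during the transition period: let LDAP set
        # the Auth-Type as it normally would (assumed instance name).
        ldap
    }
}
```

The check on `State` is what keeps the two code paths apart: a RADIUS client is required to return the State attribute unchanged in its reply to an Access-Challenge, so its presence distinguishes a second-round OTP submission from a first-round blank or traditional password. Without that check a user who deliberately sends an empty password would loop on challenges rather than ever being authenticated.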
More information about the Freeradius-Users mailing list