patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
Nick Owen
nowen at wikidsystems.com
Thu Jun 30 16:08:22 CEST 2011
Greetings:
We recently had a customer that wanted to check a password against AD
via kerberos and then an one-time passcode against a WiKID Strong
Authentication server via radius. We found that PAM passed the AD
password to our OTP server, which failed. We have added a pam option
"always prompt" in the attached code. This will force a "WiKID
passcode:" prompt regardless of any previous password entry. This can
be changed, of course.
The /etc/pam.d/sshd file looks like:
Here's the /etc/pam.d/sshd:
#%PAM-1.0
auth required /lib/security/pam_krb5.so
auth requisite /lib/security/pam_radius_auth.so always_prompt
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
No changes to system-auth were made. The /etc/ssh/sshd_config looks like:
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
The key change is that ChallengeResponseAuthentication is yes.
Hopefully, others will find this of use.
Nick
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.c.patch
Type: text/x-patch
Size: 972 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110630/8befbf62/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.h.patch
Type: text/x-patch
Size: 786 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110630/8befbf62/attachment-0001.bin>
More information about the Freeradius-Users
mailing list