patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes

Nick Owen nowen at wikidsystems.com
Thu Jun 30 16:08:22 CEST 2011


Greetings:

We recently had a customer that wanted to check a password against AD
via kerberos and then a one-time passcode against a WiKID Strong
Authentication server via radius.  We found that PAM passed the AD
password to our OTP server, which failed.  We have added a pam option
"always prompt" in the attached code.  This will force a "WiKID
passcode:" prompt regardless of any previous password entry. This can
be changed, of course.

The /etc/pam.d/sshd file looks like:

#%PAM-1.0
auth       required     /lib/security/pam_krb5.so
auth       requisite     /lib/security/pam_radius_auth.so always_prompt
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

No changes to system-auth were made.  The /etc/ssh/sshd_config looks like:

Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
UseDNS no
Subsystem       sftp    /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.c.patch
Type: text/x-patch
Size: 972 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110630/8befbf62/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.h.patch
Type: text/x-patch
Size: 786 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110630/8befbf62/attachment-0001.bin>
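The attached patch was scrubbed by the list archive, so the following is an added illustration (not Nick's code, and not pam_radius_auth itself) of the decision an "always_prompt" option makes: it is written against a stand-in for PAM's conversation callback so it compiles without libpam, and the names parse_opts, get_passcode and scripted_conv are this example's own.

```c
/* Added example: how an always_prompt module argument stops a token
 * left in PAM_AUTHTOK by an earlier module (pam_krb5 here) from being
 * reused as the RADIUS passcode. conv_fn stands in for pam_conv. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the PAM conversation callback: given a prompt, fill in
 * the user's reply (malloc'd) and return 0 on success. */
typedef int (*conv_fn)(const char *prompt, char **reply, void *appdata);

struct radius_opts {
    int always_prompt;   /* set by the "always_prompt" module argument */
};

/* Parse the module arguments from the pam.d line, e.g.
 * "auth requisite pam_radius_auth.so always_prompt". */
struct radius_opts parse_opts(int argc, const char **argv) {
    struct radius_opts o = {0};
    for (int i = 0; i < argc; i++)
        if (strcmp(argv[i], "always_prompt") == 0) o.always_prompt = 1;
    return o;
}

/* Decide what goes to the RADIUS server. prev_token is whatever an
 * earlier module left in PAM_AUTHTOK, or NULL. Without always_prompt
 * that token is reused, which is how the AD password ended up at the
 * OTP server; with it, the user is always asked for a fresh passcode.
 * Returns a malloc'd string the caller frees, or NULL on failure. */
char *get_passcode(const struct radius_opts *o, const char *prev_token,
                   conv_fn conv, void *appdata) {
    char *reply = NULL;
    if (!o->always_prompt && prev_token && *prev_token)
        return strdup(prev_token);
    if (conv("WiKID passcode: ", &reply, appdata) != 0)
        return NULL;
    return reply;
}

/* Constructed conversation for testing: answers every prompt with the
 * string passed as appdata, standing in for what the user would type. */
static int scripted_conv(const char *prompt, char **reply, void *appdata) {
    (void)prompt;
    *reply = strdup((const char *)appdata);
    return *reply ? 0 : -1;
}
```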
