On Wednesday 27 January 2010 02:34:56 walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
>
> Example: if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.
>
> Any sysadmins out there that can confirm my reasoning?

This is not merely a nice thing you can use pam to do. It is the entire reason for pam's existence and it was written to do nothing else. If all you need auth to do is validate a username/password you might as well stick with login.

pam is Pluggable Authentication Modules, meaning you use the modules you want to create the scheme you want.

--
alan dot mckinnon at gmail dot com
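Added example, not part of the original messages: a simplified Python model of how a Linux-PAM auth stack resolves under the required, requisite and sufficient control flags, covering the "any or all" combinations asked about above. Factor names and outcomes are constructed; "deny" stands in for an always-failing module, and the optional flag and bracketed controls are not modelled.

```python
# Simplified model of Linux-PAM auth stack evaluation (added example).
# Factor names are constructed labels, not real module names.

def evaluate(stack, outcomes):
    """stack: list of (control, factor). outcomes: factor -> bool.
    Factors missing from outcomes count as failed (fail closed).
    Returns (granted, factors_consulted_in_order)."""
    required_failed = False
    saw_success = False
    consulted = []
    for control, factor in stack:
        ok = outcomes.get(factor, False)
        consulted.append(factor)
        if control == "requisite":
            if not ok:
                return False, consulted       # fail at once, stop here
            saw_success = True
        elif control == "required":
            if ok:
                saw_success = True
            else:
                required_failed = True        # doomed, but keep going
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted        # short-circuit success
            # a failed sufficient entry is ignored
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return saw_success and not required_failed, consulted

FACTORS = ("password", "usb_key", "fingerprint")
ANY_FACTOR = [("sufficient", f) for f in FACTORS]   # any one is enough
ALL_FACTORS = [("required", f) for f in FACTORS]    # every one must pass

# Intended: password AND (usb_key OR fingerprint).
# Without a final always-failing required entry, the ignored
# sufficient failures let a password alone through.
TWO_FACTOR_WEAK = [("required", "password"),
                   ("sufficient", "usb_key"),
                   ("sufficient", "fingerprint")]
TWO_FACTOR_STRICT = TWO_FACTOR_WEAK + [("required", "deny")]

if __name__ == "__main__":
    stolen_password = {"password": True}             # constructed scenario
    for name in ("ANY_FACTOR", "ALL_FACTORS",
                 "TWO_FACTOR_WEAK", "TWO_FACTOR_STRICT"):
        print(name, evaluate(globals()[name], stolen_password))
```

The TWO_FACTOR_WEAK result is the case to check for when reviewing a real stack: a password-only login succeeds even though a second factor was intended.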

