Hi,

I currently have a hard time trying to migrate from a working apache2/mod-authn-otp installation to nginx/pam_oath (running under Debian squeeze/unstable) in order to, e.g., access Roundcube using an OTP C200 Token.

While it was easy to get the token to work with "su" using the following line in /etc/pam.d/su, ...

    auth required pam_oath.so usersfile=.../login window=20 digits=6 debug

...the same line copied to /etc/pam.d/nginx wouldn't work as expected (I'm using http://github.com/rjenster/ngx_http_auth_pam_module, btw).

Now, while I suspect that the problem lies on the "nginx->pam side", as you have to make sure, e.g., that nginx running as www-data/www-data has access to the shadow group, the resulting debug information in the nginx error log is not very helpful:

    2011/07/02 13:23:56 [debug] 20246#0: *5 PAM: user 'ueberall' \
    - not authenticated: Authentication failure

Unfortunately, there also currently seems to be no way to redirect the pam_oath output (which would allow one to check whether user/pass information is actually seen by pam_oath); the rsyslog log only shows the following (which is as helpful as the single line above):

    Jul 2 13:02:16 vserver13 su[25141]: pam_authenticate: Authentication failure
    Jul 2 13:02:16 vserver13 su[25141]: FAILED su for root by root
    Jul 2 13:02:16 vserver13 su[25141]: - /dev/pts/2 root:root

There are currently no entries mentioning nginx (which leads to my previous assumption), but while I guess that I will have to ask nginx-related questions elsewhere ;) -- what options are there to make sure that every single line the "debug" argument of pam_oath produces can be captured in a log file regardless of the application-specific use of the standard (error) input/output handles?

Ad astra,
Markus
