Hi,
pam_oath currently has the capability to read a static password in
addition to the OTP. The static part of the password is also saved
to PAM_AUTHTOK, and it could be used by another module in the PAM stack,
for example pam_unix.so try_first_pass.
However, pam_oath also always checks the password against the one in the
usersfile, so getting pam_oath and pam_unix to authenticate
using a simple prompt is impossible.
I can't tell from the documentation what the semantics regarding this
are supposed to be, so I suggest changing the usersfile handling such
that if the saved password is '*' (a lone asterisk), the password check
is disabled, allowing the use of pam_unix to check the static part of
the password. The attached patch implements this.
--- oath-toolkit/liboath/usersfile.c.orig 2012-11-19 16:39:47.000000000
+0200
+++ oath-toolkit/liboath/usersfile.c 2012-11-23 17:03:26.000000000 +0200
@@ -121,6 +121,10 @@
if (*passwd != '\0')
return OATH_BAD_PASSWORD;
}
+ else if (strcmp (p, "*") == 0)
+ {
+ /* Ignore password */
+ }
else if (strcmp (p, passwd) != 0)
return OATH_BAD_PASSWORD;
}
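Review bot: the new `else if (strcmp (p, "*") == 0)` branch changes the meaning of the usersfile password field without any accompanying documentation change; the usersfile format description should be updated in the same patch to say that `-` still requires the static part to be empty (the `if (*passwd != '\0') return OATH_BAD_PASSWORD;` check above it), whereas `*` accepts any static part without comparing it. Since the `*` branch falls through with no return, the static password is accepted by liboath unconditionally for such entries, so the docs should also state that the stack must contain a later module (e.g. pam_unix with try_first_pass, as the mail describes) that actually validates the value left in PAM_AUTHTOK; otherwise the entry is effectively OTP-only. Two smaller points: the `*` test is done before the plain `strcmp (p, passwd)` comparison, so a user whose real static password is the literal string `*` can no longer be matched (acceptable, but worth a sentence in the docs), and the empty block with only `/* Ignore password */` would read more clearly as a comment that names the intent, e.g. `/* '*' means: static part is verified by another PAM module. */`.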
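The configuration the mail describes, as an added example (not part of the original post or the patch): a usersfile entry using the new `*` marker, and a PAM stack in which pam_oath verifies the OTP and pam_unix verifies the static part via `try_first_pass`. The usersfile entry and the `/etc/pam.d/sshd` fragment are constructed; the secret is the RFC 4226 test key, and the `usersfile=` and `window=` options are pam_oath's existing options.

```text
# /etc/users.oath (constructed entry; secret is the RFC 4226 test key "12345678901234567890" in hex)
# type   user    password  secret
HOTP     alice   *         3132333435363738393031323334353637383930

# /etc/pam.d/sshd (constructed fragment)
# pam_oath prompts once for "<static password><OTP>". With this patch applied
# and the usersfile field set to '*', it checks only the OTP and leaves the
# static part in PAM_AUTHTOK for the next module.
auth  required  pam_oath.so  usersfile=/etc/users.oath window=20
# pam_unix reads the static part from PAM_AUTHTOK and checks it against the
# system password, so the user is not prompted a second time.
auth  required  pam_unix.so  try_first_pass
```

Note that with `*` the static part is not validated by pam_oath at all; if the second line were missing or replaced by a module that does not consult PAM_AUTHTOK, the login would succeed on the OTP alone, so the stack should be reviewed whenever a `*` entry is introduced.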