Ilkka Virta <[email protected]> writes:

> Hi,
>
> pam_oath currently has the capability to read a static password in
> addition to the OTP. The static part of the password is also saved
> to PAM_AUTHTOK, and it could be used by another module in the PAM
> stack, for example pam_unix.so try_first_pass.
>
> However, pam_oath also always checks the password against the one in
> the usersfile, so getting pam_oath and pam_unix to authenticate
> using a simple prompt is impossible.

Hello!  Good point.

Can you share a configuration which allows you to verify an OTP using
pam_oath and the password using some other PAM module?

I think people rightly have expressed unhappiness with putting passwords
in a file like the usersfile.  Possibly this example configuration
should be in the README, and this method should be recommended instead
of the current one.

Did you notice any difference in the way the PAM user prompts behaved
with a configuration like that?

> I can't tell from the documentation what the semantics regarding this
> are supposed to be, so I suggest changing the usersfile handling such
> that if the saved password is '*' (a lone asterisk), the password
> check is disabled, allowing the use of pam_unix to check the static
> part of the password. The attached patch implements this.

Thank you, applied.  I used + instead of * for compatibility with
mod-authn-otp.

/Simon
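
The configuration Simon asks for, worked through as an added example (this is not oath-toolkit code and is not from either writer in the thread). It models a two-module stack, pam_oath followed by pam_unix with use_first_pass, against a constructed usersfile whose password column is "+" for one user, "-" for another and a literal password for a third, and shows what each variant leaves in PAM_AUTHTOK. Assumptions: the PAM stack lines in the docstring, the usersfile column layout (token type, user, password field, hex secret), the rule that the trailing digits of the typed string are the OTP and everything before them is the static part, a one-step window, and the function names pam_oath, pam_unix_use_first_pass and login, which are this example's own. The secret is the RFC 6238 test key, so the OTP values are the published vectors.

```python
"""Model of a pam_oath + pam_unix stack with a '+' usersfile password
(added example; not oath-toolkit code).

Assumed PAM stack (assumption: the configuration the thread asks for):

    auth requisite pam_oath.so usersfile=/etc/users.oath window=20
    auth required  pam_unix.so use_first_pass

The user types <system password><OTP> at one prompt.  pam_oath takes the
trailing <digits> characters as the OTP, verifies it, and leaves the
leading part in PAM_AUTHTOK; pam_unix then checks that part against the
system password without prompting again.
"""
import hashlib
import hmac
import struct
import time

# Constructed usersfile (assumed column layout: type, user, password, secret).
# The secret is the RFC 6238 test key "12345678901234567890".
USERSFILE = """\
# type       user   password  secret
HOTP/T30/6   alice  +         3132333435363738393031323334353637383930
HOTP/T30/6   bob    -         3132333435363738393031323334353637383930
HOTP/T30/6   carol  hunter2   3132333435363738393031323334353637383930
"""

# Constructed stand-in for the system password database pam_unix consults
# (plaintext only to keep the example short).
SYSTEM_PASSWORDS = {"alice": "s3cret!", "carol": "hunter2"}


def parse_usersfile(text):
    """Parse TOTP entries of the form HOTP/T<step>[/<digits>].
    Counter-based HOTP lines are not modelled here."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ttype, user, pwfield, secret_hex = line.split()[:4]
        parts = ttype.split("/")
        if len(parts) < 2 or not parts[1].startswith("T"):
            raise ValueError("only HOTP/T<step> entries are modelled: " + ttype)
        users[user] = {
            "step": int(parts[1][1:]),
            "digits": int(parts[2]) if len(parts) > 2 else 6,
            "password": pwfield,
            "secret": bytes.fromhex(secret_hex),
        }
    return users


def hotp(secret, counter, digits):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pam_oath(users, username, typed, now=None, window=1):
    """Model of pam_oath's decision.  Returns (ok, authtok): ok is the
    module's own verdict; authtok is what it leaves in PAM_AUTHTOK for a
    later module using use_first_pass/try_first_pass."""
    entry = users.get(username)
    if entry is None or len(typed) < entry["digits"]:
        return False, None
    static, otp = typed[:-entry["digits"]], typed[-entry["digits"]:]

    pwfield = entry["password"]
    if pwfield == "-":
        # No static password configured: nothing may precede the OTP.
        if static:
            return False, None
    elif pwfield == "+":
        # Password is verified by another module: skip the check here and
        # only forward the static part (the behaviour this thread adds).
        pass
    elif not hmac.compare_digest(pwfield.encode(), static.encode()):
        # Literal password kept in the usersfile (the discouraged variant).
        return False, None

    now = time.time() if now is None else now
    counter = int(now // entry["step"])
    for c in range(counter - window, counter + window + 1):
        expected = hotp(entry["secret"], c, entry["digits"])
        if hmac.compare_digest(expected.encode(), otp.encode()):
            return True, static
    return False, None


def pam_unix_use_first_pass(username, authtok):
    """Stand-in for pam_unix.so use_first_pass: reuse PAM_AUTHTOK, no prompt."""
    expected = SYSTEM_PASSWORDS.get(username)
    if expected is None or authtok is None:
        return False
    return hmac.compare_digest(expected.encode(), authtok.encode())


def login(username, typed, now=None):
    """Run the stack: pam_oath is requisite, so its failure ends the
    stack; pam_unix is required and runs on the forwarded static part."""
    users = parse_usersfile(USERSFILE)
    ok, authtok = pam_oath(users, username, typed, now=now)
    if not ok:
        return False
    return pam_unix_use_first_pass(username, authtok)
```

With "+" alice logs in with her system password followed by the OTP and the password is checked once, by pam_unix. With "-" bob may type only the OTP, so pam_unix receives an empty PAM_AUTHTOK and cannot succeed in this stack, which is the situation Ilkka describes. With a literal password carol has to keep the same password in both the usersfile and the system database, the duplication Simon wants the README to steer people away from.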
