On 19.5. 13:25, Simon Josefsson wrote:
Patrick Proniewski <[email protected]> writes:
Is it possible to authenticate on a server through pam_ldap (non-local
users) with the added security of pam_oath?
It depends.
You could do it the same way as with pam_unix:
/etc/pam.d/common-auth:
auth required pam_unix.so nullok_secure
auth required pam_oath.so debug usersfile=/etc/users.oath window=3
plink:~$ ssh cartman@localhost " echo OK! "
Password:
One-time password (OATH) for `cartman':
OK!
(and set ChallengeResponseAuthentication yes and UsePAM yes in sshd_config)
That should work with pam_ldap too, but the major downside is that you
need to have the usersfile locally and the keys cannot be shared between
machines. Another feature of that configuration is that since the
authentication steps are totally separate, the OTP counter will advance
whenever the OTP is correct, even if the static password is invalid.
If you want to have the OTP keys centralized in LDAP, then I don't know
if there is anything ready-made for that.
No, not to my knowledge. A lot of PAM modules include LDAP support natively to address this use-case.
Hmm, what modules are there that do it?
--
Ilkka Virta <[email protected]>
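As an added illustration (not code from the thread or from oath-toolkit), the following Python models the HOTP look-ahead that `window=3` implies and the stacking caveat raised above: with both lines `required`, a correct OTP is consumed even when the static password is wrong. The usersfile line is a constructed sample in a simplified form of the /etc/users.oath format, and `OathUser` and `stacked_auth` are hypothetical helpers.

```python
import hmac
import hashlib
import struct

# Constructed sample: RFC 4226 test secret "12345678901234567890" as hex, written in a
# simplified version of the usersfile format (type, user, pin or "-", hex secret).
SAMPLE_USERSFILE = "HOTP cartman - 3132333435363738393031323334353637383930"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OathUser:
    """Server-side state for one usersfile entry: shared secret and next expected counter."""

    def __init__(self, usersfile_line: str, counter: int = 0):
        _kind, self.name, _pin, secret_hex = usersfile_line.split()[:4]
        self.secret = bytes.fromhex(secret_hex)
        self.counter = counter

    def verify(self, otp: str, window: int = 3) -> bool:
        # Search counter .. counter+window (the window=3 look-ahead). On a hit, move the
        # stored counter past the used value so a replayed OTP is rejected.
        for step in range(window + 1):
            if hmac.compare_digest(hotp(self.secret, self.counter + step), otp):
                self.counter += step + 1
                return True
        return False


def stacked_auth(user: OathUser, password_ok: bool, otp: str, unix_control: str = "required") -> bool:
    """Model of the two-line common-auth stack from the thread (hypothetical helper).

    With pam_unix marked 'required', Linux-PAM records the failure but keeps running the
    stack, so pam_oath still checks and consumes the OTP; 'requisite' stops the stack at once.
    """
    if not password_ok and unix_control == "requisite":
        return False
    otp_ok = user.verify(otp)
    return password_ok and otp_ok
```

Marking pam_unix `requisite` stops the stack before pam_oath is consulted, so a wrong password no longer burns an OTP; the trade-off is that the client can then tell which factor failed.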