Mint 19.1 64 bit, current updates
---------------------------------
Hi all,
my aim is to use a Feitian OTP generator (e.g. the c200) or alike to
have 2FA on my Linux system for a specific list of users. In order to
check if that is possible, I wanted to start with just a single user
(=> "sophia"), having the numbers generated locally (i.e. before
buying the hardware generator).
---
I set up the oath toolkit and the pam_auth module as described in your
readme with a
cat /etc/users.oath
-------------------
# Option user prefix seed
HOTP/T30/6 sophia - c6b4e2abb426a588e6f038dbf39dd6
-------------------
and a line of
----------
auth required pam_oath.so usersfile=/etc/users.oath window=10 digits=6
----------
just in "/etc/pam.d/su" right after the line with pam_rootok.so (I
also tried in common-auth before the "default" block, as described
within there).
Then I tried a
su - sophia
and as expected, I got a
One-time password (OATH) for `sophia':
line and after entering the correct number (retrieved by oathtool
--totp), I was asked to enter the password of that user.
So far, so good, as this was exactly what I expected and what I wanted.
[and the line in users.oath was updated correctly]
---
However, then I tried "su - ", "su - root", or "su - otheruser", and
found that an OTP was also asked for those users.
Is this the intended behaviour or a bug? And what do I have to do to
have only an OTP-2FA for the users listed in the users.oath file?
---
With kind regards,
Thomas
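One way to scope the pam_oath line to a chosen set of users, given as an added example and not part of the message above or of the oath-toolkit README: Linux-PAM's pam_succeed_if.so can skip the following module for anyone who is not in a given group. The group name "otpusers" is an assumption; the pam_oath line is the one from the message.

```pam
# /etc/pam.d/su (added example; the "otpusers" group is assumed to exist and to
# contain exactly the accounts that are also listed in /etc/users.oath)
auth       sufficient  pam_rootok.so
# success=1 skips the next module (pam_oath) when the user is NOT in otpusers;
# default=ignore means this line never decides the result on its own.
auth       [success=1 default=ignore] pam_succeed_if.so user notingroup otpusers quiet_success
auth       required    pam_oath.so usersfile=/etc/users.oath window=10 digits=6
```

With this stacking, "su - root" or "su - otheruser" never reaches pam_oath unless that account is a member of otpusers, while "su - sophia" still gets the OTP prompt before the password prompt from the rest of the stack.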