I am using pam_oath over SSH, with the aim that logins are principally via SSH key. If that is successful, there should be an OATH step for some users.
So if a user doesn't have an entry in /etc/users.oath, they should pass that step. I've reduced /etc/pam.d/sshd to a single line for testing:

    auth [success=done user_unknown=done default=die] pam_oath.so usersfile=/etc/users.oath window=30 digits=6 debug

Where there is an entry in /etc/users.auth, the results are as expected. But for users not listed, OATH prompt is still shown, and always fails.

The issue is compounded by a lack of debug information, despite the "debug" flag to pam_auth. Where does this debug go? I'm running "/usr/sbin/sshd -dd" and using "ssh -v" to login, but no debug messages are seen at either console, or syslog.

I note pam_oath sends debug to stdout, is this the correct design or should it be stderr?

The target system is Alpine Linux with its "openssh-server-pam"; linux-pam 1.3.1; oath-toolkit 2.6.2.

The relevant SSH configuration is:

    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

Thanks

--
Mark
