On 17Jan23 17:33+0000, Howard Chu wrote: > Sounds more like a question for your SSH server, and whether you can > configure it to use PAM > after a successful pubkey authentication.
Yes, PAM is enabled for sshd.
I do not have the full picture how slap-totp works. For me, there two
open questions:
1. From openldap pov:
How would I make the bind call to slapd, so that only
the TOTP is checked?
Would the following be sufficient to achieve 2FA only:
```ldif:
userPassword: {TOTP512}$BASE64
# assuming the overlay is confgured properly
```
Would it be possible to use another attribute than `userPassword`?
2. PAM integration: This is not a question to this group here, but maybe
there are some related ideas.
How or which PAM module can be used?
The aim is to avoid copying the TOTP secret of users to the local
systems (which are the public accessible hosts).
Many thanks,
Cheers,
--
Bastian Tweddell Juelich Supercomputing Centre
phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
smime.p7s
Description: S/MIME cryptographic signature
