Bastian Tweddell wrote:
> On 17Jan23 17:33+0000, Howard Chu wrote:
>> Sounds more like a question for your SSH server, and whether you can
>> configure it to use PAM
>> after a successful pubkey authentication.
>
> Yes, PAM is enabled for sshd.
>
> I do not have the full picture how slap-totp works. For me, there are two
> open questions:
>
> 1. From openldap pov:
> How would I make the bind call to slapd, so that only
> the TOTP is checked?
If you're talking about the totp module in the contrib source directory, all you need
to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this already.
> Would the following be sufficient to achieve 2FA only:
>
> ```ldif
> userPassword: {TOTP512}$BASE64
> # assuming the overlay is configured properly
> ```
Yes.
> Would it be possible to use another attribute than `userPassword`?
Not with the existing code, no.
>
> 2. PAM integration: This is not a question to this group here, but maybe
> there are some related ideas.
> How or which PAM module can be used?
nss-pam-ldapd / nslcd, whatever the latest supported version is.
>
>
> The aim is to avoid copying the TOTP secret of users to the local
> systems (which are the publicly accessible hosts).
>
>
> Many thanks,
> Cheers,
> --
> Bastian Tweddell Juelich Supercomputing Centre
> phone: +49 (2461) 61-6586 HPC in Neuroscience, HPS
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
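As an added illustration (not code from the thread or from the slapd-totp module itself), this is what a Simple Bind against a `{TOTP512}` userPassword value amounts to: the server decodes the base64 secret, computes HMAC-SHA512 TOTP for the current step, and compares it with the bind password. The RFC 6238 defaults of 6 digits, a 30-second step and a one-step skew window are assumptions; the secret is the RFC 6238 SHA-512 test-vector seed.

```python
import base64
import hashlib
import hmac
import struct

SCHEME = "{TOTP512}"          # scheme prefix as in the ldif from the thread
DIGITS = 6                    # assumed default code length
PERIOD = 30                   # assumed default time step in seconds
WINDOW = 1                    # assumed tolerance: accept +/- one step of clock skew

# Constructed secret: the RFC 6238 SHA-512 test-vector seed (64 ASCII bytes).
TEST_SECRET = b"1234567890" * 6 + b"1234"


def stored_value(secret: bytes) -> str:
    """Build the userPassword value: scheme prefix plus base64 of the raw secret."""
    return SCHEME + base64.b64encode(secret).decode("ascii")


def totp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP using HMAC-SHA512 for the given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha512).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp_bind(stored: str, bind_password: str, now: int) -> bool:
    """What a Simple Bind against a {TOTP512} userPassword checks: only the code."""
    if not stored.startswith(SCHEME):
        return False                                          # not a TOTP512 value
    secret = base64.b64decode(stored[len(SCHEME):])
    counter = now // PERIOD
    ok = False
    for delta in range(-WINDOW, WINDOW + 1):
        candidate = totp_code(secret, counter + delta)
        # constant-time compare; no early return so every step costs the same
        ok |= hmac.compare_digest(candidate, bind_password)
    return ok


if __name__ == "__main__":
    entry = stored_value(TEST_SECRET)
    # RFC 6238 vector: at T=59 the SHA-512 code is 90693936, i.e. "693936" at 6 digits
    print(entry)
    print(verify_totp_bind(entry, "693936", now=59))      # True
    print(verify_totp_bind(entry, "091201", now=59))      # False
```

The user's bind password is only the current code; nothing derived from the secret ever leaves slapd, which is the point of keeping the secret out of the SSH hosts.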