PAM & several passwords

Balazs Scheidler bazsi at
Tue Mar 13 06:05:29 EST 2001

> Is there any hope getting openssh to support a sequence
> of several authentication methods (requiring different
> passwords) for one login?
> I.e. take the standard static password, feed it into
> for verification, then ask the user for yet
> another password (e.g. a one-time password) and verify
> this one by a different PAM module
> Currently, verifying either a static password or a one
> time password both work nicely, but knowing the
> weaknesses of both methods, I'd like to require both
> static _and_ one time password...
> Seems like quite a problem to get a message back to the
> user and obtain some additional input from him, but
> then, I'm not an ssh-expert, so I might be missing
> something obvious.

The SSH2 protocol has support for this in its authentication protocol:

2.2.  Responses to Authentication Requests

If the server rejects the authentication request, it MUST respond with

  string    authentications that can continue
  boolean   partial success

"Partial success" MUST be true if the authentication request to which
this is a response was successful.  It MUST be false if the request was
not successfully processed.
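The two fields quoted above, and how a server could use them to demand a static password and then a second method, are sketched below as an added example; it is not part of the original message and is not OpenSSH code. The method names, the `AuthSession` class and the both-methods policy are assumptions, and only the two quoted fields are encoded, without the surrounding packet framing.

```python
import struct

# Assumed policy: both methods are required (names chosen for illustration).
REQUIRED = ("password", "keyboard-interactive")

def encode_failure(can_continue, partial_success):
    """Encode the two quoted fields: an SSH string (uint32 length + bytes)
    holding a comma-separated method list, then a one-byte boolean."""
    names = ",".join(can_continue).encode("ascii")
    return struct.pack(">I", len(names)) + names + bytes([int(partial_success)])

def decode_failure(payload):
    """Strictly parse the same two fields; reject truncated or padded input."""
    if len(payload) < 5:
        raise ValueError("truncated payload")
    (n,) = struct.unpack_from(">I", payload, 0)
    if len(payload) != 4 + n + 1:
        raise ValueError("length field does not match payload size")
    names = payload[4:4 + n].decode("ascii")
    return (names.split(",") if names else []), payload[4 + n] != 0

class AuthSession:
    """Hypothetical server-side state: tracks which required methods passed."""
    def __init__(self, required=REQUIRED):
        self.required = tuple(required)
        self.done = set()

    def attempt(self, method, verified):
        """Return None once every required method has passed (the server
        would then report success); otherwise return the failure fields."""
        # A method counts only once, so repeating it cannot replace the other.
        ok = verified and method in self.required and method not in self.done
        if ok:
            self.done.add(method)
        remaining = [m for m in self.required if m not in self.done]
        if not remaining:
            return None
        return encode_failure(remaining, ok)

if __name__ == "__main__":
    s = AuthSession()
    print(decode_failure(s.attempt("password", True)))
    print(s.attempt("keyboard-interactive", True))
```

A correct static password alone yields a failure response with partial success set and only the remaining method listed, so the login completes only after the second method also verifies.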

