keyboard-interactive

[Bryan Chua]

Is there a way for a PAM module to force a client (and the server) to 
use kbd-interactive?  As far as I can tell, when in the INITIAL_LOGIN 
phase, all communication with the client returns a PAM_CONV_ERR.  I am 
trying to write a PAM module that will prompt a user for a second 
username and a second password in order for the module to succeed so 
that proper authentication relies on the ability to authenticate against 
n machines, where n < 1.

I looked at the pam_authsrv module, but that appears (I did not compile 
ad run) to use the supplied username, index against a mapfile, and then 
use the password supplied by the user to authenticate.  So it may not be 
using kbd-interactive at all, it may just be password.

Am I missing something?

-- bryan