PAM & several passwords
Balazs Scheidler
bazsi at balabit.hu
Tue Mar 13 06:05:29 EST 2001
> Is there any hope getting openssh to support a sequence
> of several authentication methods (requiring different
> passwords) for one login?
> I.e. take the standard static password, feed it into
> pam_unix.so for verification, then ask the user for yet
> another password (e.g. a one-time password) and verify
> this one by a different PAM module.
> Currently, verifying either a static password or a one
> time password both work nicely, but knowing the
> weaknesses of both methods, I'd like to require both
> static _and_ one time password...
> Seems like quite a problem to get a message back to the
> user and obtain some additional input from him, but
> then, I'm not an ssh-expert, so I might be missing
> something obvious.
The SSH2 protocol has support for this in its authentication protocol:

   2.2.  Responses to Authentication Requests

   If the server rejects the authentication request, it MUST respond with

     byte      SSH_MSG_USERAUTH_FAILURE
     string    authentications that can continue
     boolean   partial success

   ...

   "Partial success" MUST be true if the authentication request to which
   this is a response was successful.  It MUST be false if the request was
   not successfully processed.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
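
Added example, not part of the original message and not OpenSSH code: a sketch of how a server could use the partial success flag quoted above to require two methods in sequence, with the wire encoding of SSH_MSG_USERAUTH_FAILURE. The message number 51 and the name-list encoding follow RFC 4252; the class name `MultiStepAuth`, the helper names and the method order (password, then keyboard-interactive) are assumptions made for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # message number assigned in RFC 4252

def encode_failure(can_continue, partial_success):
    """byte type | name-list (uint32 length + comma-separated names) | boolean."""
    names = ",".join(can_continue).encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE])
            + struct.pack(">I", len(names)) + names
            + bytes([1 if partial_success else 0]))

def decode_failure(payload):
    """Client side: return (methods that can continue, partial success)."""
    if len(payload) < 6 or payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError("not a USERAUTH_FAILURE message")
    (n,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + n + 1:
        raise ValueError("length field does not match payload")
    names = payload[5:5 + n].decode("ascii")
    return (names.split(",") if names else []), payload[5 + n] != 0

class MultiStepAuth:
    """Hypothetical server policy: every method in `required` must succeed, in order."""
    def __init__(self, required):
        self.remaining = list(required)

    def attempt(self, method, ok):
        """Return None once login is complete, else the FAILURE payload to send."""
        if ok and self.remaining and method == self.remaining[0]:
            self.remaining.pop(0)
            if not self.remaining:
                return None  # server would now send SSH_MSG_USERAUTH_SUCCESS
            # This step succeeded but more is required: partial success = TRUE.
            return encode_failure(self.remaining[:1], True)
        # Wrong credentials or a method that is not next in line: plain failure.
        return encode_failure(self.remaining[:1], False)

if __name__ == "__main__":
    auth = MultiStepAuth(["password", "keyboard-interactive"])
    # Constructed sequence: bad static password, good one, then good OTP.
    for method, ok in [("password", False), ("password", True),
                       ("keyboard-interactive", True)]:
        reply = auth.attempt(method, ok)
        print(method, ok, "->", "SUCCESS" if reply is None else decode_failure(reply))
```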