Multifactor authentication troubles
James Murphy
james.murphy.debian at gmail.com
Sat Jul 23 05:50:22 AEST 2016
I'm writing a PAM module to do authentication through Signal (as in Open
Whisper Systems) [1]. I would like to be able to offer

    (Public key AND Signal) or (Password AND Signal)

for authentication. This suggests setting AuthenticationMethods to

    publickey,keyboard-interactive:pam password,keyboard-interactive:pam

However, when PAM is enabled "password" means "show password prompt,
then do PAM", which is a problem because my PAM does Signal auth, not
password auth, and the above results in all login attempts failing.

Clearly sshd knows how to do password auth without PAM because it works
even when PAM is disabled, so I wonder if there is some way to request
that "password" does not use PAM even when PAM is enabled? Ideally one
could specify something like

    password:nopam
    password:builtin

Or another solution would be to allow multiple different PAM modules to
be called instead of requiring it all to be lumped into /etc/pam.d/sshd.
Then one could specify something like

    PAMFiles /etc/pam.d/sshd*
    AuthenticationMethods keyboard-interactive:pam:sshd-pass,keyboard-interactive:pam:sshd-signal

Does this kind of functionality already exist, and if not would it be
feasible to implement?

Thank you for your help,
James Murphy
[1] https://github.com/kb100/signal-authenticator
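
A small configuration lint for the situation described in the post, as an added example that is not part of the original message or of OpenSSH: it reports each AuthenticationMethods list in which, with UsePAM yes, "password" is combined with keyboard-interactive PAM, so that (per the post) both steps go through the same PAM stack. The function names and the sample configuration are constructed for illustration; Match blocks and the optional "=" separator are assumed not to be in use.

```python
# Constructed sample: the setting proposed in the post, with PAM enabled.
SAMPLE_CONFIG = """\
# sshd_config fragment (constructed sample)
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive:pam password,keyboard-interactive:pam
"""

PAM_KBDINT = {"keyboard-interactive", "keyboard-interactive:pam"}


def parse_global_options(text):
    """Return {lowercased keyword: [arguments]} for the global section.

    sshd uses the first value it sees for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block.
    """
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1:])
    return opts


def pam_overlap(text):
    """Return the AuthenticationMethods lists where 'password' and
    keyboard-interactive PAM are both required while UsePAM is 'yes'."""
    opts = parse_global_options(text)
    # UsePAM defaults to 'no' in upstream OpenSSH; distributions may differ.
    use_pam = opts.get("usepam", ["no"])[0].lower() == "yes"
    if not use_pam:
        return []
    findings = []
    # Space-separated lists are alternatives; commas chain required methods.
    for method_list in opts.get("authenticationmethods", []):
        methods = method_list.split(",")
        if "password" in methods and PAM_KBDINT.intersection(methods):
            findings.append(method_list)
    return findings


if __name__ == "__main__":
    for hit in pam_overlap(SAMPLE_CONFIG):
        print("password and keyboard-interactive both use PAM in:", hit)
```
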
More information about the openssh-unix-dev
mailing list