Looking for Special Challenge-Response Auth PAM Module, or Similar

Brian Candler b.candler at pobox.com
Wed Aug 24 17:30:30 AEST 2022

On 23/08/2022 22:42, Jochen Bern wrote:
> On 23.08.22 16:56, Brian Candler wrote:
>> You mean something like SCRAM implemented as a PAM module?
> Looks promising from the algorithm POV ... !
>> It might be possible to use pam_sasl [...] together with a SASL 
>> challenge-
>> response auth method [...] like SCRAM.
> cyrus-sasl-scram seems to be available from standard OS repos, 
> pam_exec comes with the default PAM installation. pam_sasl (or a SASL 
> client to use with pam_exec, I don't see testsaslauthd allowing for 
> presenting and processing a challenge first) I'll have to look into ...
If this is just to protect a single account, say an "engineer" login, 
you could just make the user's login shell be a small program which does 
the challenge/response, and then execs the real shell if successful.

I rather like the QR code idea given by someone else:

* generate a small random value (e.g. 6-digit PIN)
* encrypt it with public key
* show the encrypted value as a QR code
* user decrypts it and types in the decrypted value
* permit login if they match

No secret information needs to be stored on the target system at all, 
and they can all be identical.

More information about the openssh-unix-dev mailing list