[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Why OpenSSH's UsePAM only works with password or challenge/response?
I'm not sure it's the right list to send this. Please redirect me if
In the sshd_config(5) manpage, one can find:
% UsePAM Enables the Pluggable Authentication Module interface. If set to
% ``yes'' this will enable PAM authentication using
% ChallengeResponseAuthentication and PasswordAuthentication in
% addition to PAM account and session module processing for all
% authentication types.
% Because PAM challenge-response authentication usually serves an
% equivalent role to password authentication, you should disable
% either PasswordAuthentication or ChallengeResponseAuthentication.
I don't understand the logic of this. I mean, I see PAM
authentification as a method in itself. I don't understand why it needs
either ChallengeResponseAuthentication or PasswordAuthentication.
I think I miss something, a clarification would be welcome.
For instance, I've tried the following configuration in pam.d/sshd with
% auth required pam_nologin.so no_warn
% auth required pam_skey.so
% PasswordAuthentication no
% ChallengeResponseAuthentication yes
% UsePam yes
And I get the following prompt:
% jarjarbinks:tataz$ ssh ...
% Password [ otp-md5 98 pwnd1234 ]: <- pam_skey
% otp-md5 98 pwnd1234
% S/Key Password: <- OpenSSH
If I disable ChallengeResponseAuthentication, PAM isn't used anymore as
stated in the manpage. Why? How can I get only pam_skey's prompt,
without password authentication disabled?
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
Main Index |
Thread Index |