pam_oath: unable to use user_unknown
From: Mark Hills
Subject: pam_oath: unable to use user_unknown
Date: Tue, 2 Feb 2021 13:12:09 +0000 (GMT)

I am using pam_oath over SSH, with the aim that logins are principally via
SSH key. If that is successful, there should be an OATH step for some
users.

So if a user doesn't have an entry in /etc/users.oath, they should pass
that step.

I've reduced /etc/pam.d/sshd to a single line for testing:

    auth [success=done user_unknown=done default=die] pam_oath.so usersfile=/etc/users.oath window=30 digits=6 debug

Where there is an entry in /etc/users.auth, the results are as expected.
But for users not listed, the OATH prompt is still shown, and always fails.

The issue is compounded by a lack of debug information, despite the
"debug" flag to pam_auth. Where does this debug go?

I'm running "/usr/sbin/sshd -dd" and using "ssh -v" to log in, but no debug
messages are seen at either console, or syslog.

I note pam_oath sends debug to stdout; is this the correct design or
should it be stderr?

The target system is Alpine Linux with its "openssh-server-pam"; linux-pam
1.3.1; oath-toolkit 2.6.2. The relevant SSH configuration is:

    PubkeyAuthentication yes
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

Thanks

--
Mark
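
An added example, not part of the original message: a shell check of which accounts have an entry in the usersfile, and so which are meant to get the OATH step and which are meant to fall through as user_unknown under the single auth line quoted in the message. It assumes the oath-toolkit usersfile layout of token type, username, PIN and hex secret; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from oath-toolkit).
# Assumed usersfile line layout: TYPE USER PIN SECRET [state fields...]
#   e.g. "HOTP/T30/6 alice - 00112233445566778899"
# Assumption: real entries start with a HOTP token type; other lines are skipped.

# oath_enrolled USER FILE
# Returns 0 if USER has an entry, 1 if not, 2 if FILE cannot be read.
oath_enrolled() {
    [ -r "$2" ] || return 2
    awk -v u="$1" '
        $1 !~ /^HOTP/ || NF < 4 { next }   # comments, blank and short lines
        $2 == u { found = 1; exit }        # exact match on the username field
        END { exit (found ? 0 : 1) }
    ' "$2"
}

# oath_step USER FILE
# Prints the outcome the administrator intends for USER at the OATH step.
oath_step() {
    rc=0
    oath_enrolled "$1" "$2" || rc=$?
    case $rc in
        0) echo "otp-required" ;;
        1) echo "user_unknown" ;;
        *) echo "usersfile-unreadable" ;;
    esac
}

# Constructed sample usersfile with dummy secrets (not real keys).
write_sample() {
    cat > "$1" <<'EOF'
# token type  user  pin  secret
HOTP/T30/6 alice - 00112233445566778899
HOTP/T30/6 bob - aabbccddeeff00112233
EOF
}

sample=$(mktemp)
write_sample "$sample"
for u in alice bob carol; do
    printf '%s: %s\n' "$u" "$(oath_step "$u" "$sample")"
done
rm -f "$sample"
```

Comparing this output with what a login attempt actually does for an unlisted account separates a usersfile problem from a problem in how the PAM stack handles the module's return value.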