oath-toolkit-help

pam_oath: unable to use user_unknown


From: Mark Hills
Subject: pam_oath: unable to use user_unknown
Date: Tue, 2 Feb 2021 13:12:09 +0000 (GMT)

I am using pam_oath over SSH, with the aim that logins are principally via 
SSH key. If that is successful, there should be an OATH step for some 
users.

So if a user doesn't have an entry in /etc/users.oath, they should pass 
that step.

I've reduced /etc/pam.d/sshd to a single line for testing:

  auth [success=done user_unknown=done default=die] pam_oath.so usersfile=/etc/users.oath window=30 digits=6 debug

Where there is an entry in /etc/users.auth, the results are as expected.

But for users not listed, the OATH prompt is still shown, and always fails.

The issue is compounded by a lack of debug information, despite the 
"debug" flag to pam_auth. Where does this debug go?

I'm running "/usr/sbin/sshd -dd" and using "ssh -v" to log in, but no debug 
messages are seen at either console, or syslog.

I note pam_oath sends debug to stdout; is this the correct design or 
should it be stderr?

The target system is Alpine Linux with its "openssh-server-pam"; linux-pam 
1.3.1; oath-toolkit 2.6.2. The relevant SSH configuration is:

  PubkeyAuthentication yes
  PasswordAuthentication no
  ChallengeResponseAuthentication yes
  UsePAM yes
  AuthenticationMethods publickey,keyboard-interactive

Thanks

-- 
Mark


