Dear all
I’m trying to set up privacyIDEA OTP authentication for SSH login.
The problem is the PAM setting:
- If I just paste the code below into pam.d/sshd and mask the common-auth include, it does not work.

    #@include common-auth
    auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication

- If I use the setting below in common-auth, it works, but it will also check the user password.

    auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
    auth sufficient pam_unix.so nullok_secure
    auth requisite pam_deny.so
    auth required pam_permit.so
    auth optional pam_ecryptfs.so unwrap
    auth optional pam_cap.so

- If I mask line two or exchange the order of line one and line two, it does not work.

------------------------ not work ---------------------------------

    auth sufficient pam_unix.so nullok_secure
    auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication

------------------------ not work ---------------------------------

    auth [success=1 default=ignore] pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
    auth sufficient pam_unix.so nullok_secure

------------------------ not work ---------------------------------

    auth sufficient pam_python.so /lib/security/privacyidea_pam.py url=https://172.16.8.75 prompt=privacyIDEA_Authentication
    #auth sufficient pam_unix.so nullok_secure

Can anybody tell me what the correct setting is if I only want to use OTP authentication, not including password checking?
Harvey