Help using skey with ssh

pam at madsteer.com
Fri Aug 13 22:00:48 UTC 2004


pam at madsteer.com wrote:
>> session    required     pam_stack.so service=system-auth
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>Check and see which modules are getting pulled in by these calls to
>pam_stack.so.  Look at /etc/pam.d/system-auth.
>
>Red Hat, RH-derived, and a number of other systems use this to allow easy
>changes to the authentication method(s) usable by ALL (or most) services.
>
>-kgd


Here's what it looks like:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so

account    required     /lib/security/pam_unix.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so


I'm assuming all the magic is happening in pam_unix.  A quick look at /usr/doc/pam-0.77/modules/README.pam_unix.gz shows the possible options as:

The following options are recognized:
	debug           -       log more debugging info
	audit           -       a little more extreme than debug
	use_first_pass  -       don't prompt the user for passwords
				take them from PAM_ items instead
	try_first_pass  -       don't prompt the user for the passwords
				unless PAM_(OLD)AUTHTOK is unset
	use_authtok     -       like try_first_pass, but * fail * if the new
				PAM_AUTHTOK has not been previously set.
				(intended for stacking password modules only)
	not_set_pass    -       don't set the PAM_ items with the passwords
				used by this module.
	shadow          -       try to maintain a shadow based system.
	md5             -       when a user changes their password next,
				encrypt it with the md5 algorithm.
	bigcrypt        -       when a user changes their password next,
				encrypt it with the DEC C2 - algorithm(0).
	nodelay         -       used to prevent failed authentication
				resulting in a delay of about 1 second.
	nis             -       use NIS RPC for setting new password
	remember=X      -       remember X old passwords, they are kept in
				/etc/security/opasswd in MD5 crypted form
	broken_shadow   -       ignore errors reading shadow information for
				users in the account management module

None of these options jump out as being much help.  I've seen web docs that talk about skey PAM modules, but they're all so old.  Furthermore, I don't see them in /etc/pam.d, and skey works (just not without getting a passwd prompt first).

Thanks,
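The advice quoted above ("check which modules are getting pulled in by these calls to pam_stack.so") is easy to get wrong by eye once several files reference each other. The following is an added example, not code from the thread or from Linux-PAM: a small resolver that parses pam.d-style files, expands pam_stack.so service=... references for the matching management group, refuses to follow a loop, and lists which auth modules will collect a password themselves because they carry neither use_first_pass nor try_first_pass (the two pam_unix options from the quoted README that make a module take the password from the PAM items instead of prompting). The system-auth text is the one posted above; the sshd file is constructed around the single session line quoted in the thread, and the set of "prompting" modules is an assumption you would extend for your own stack.

```python
"""Resolve the effective PAM stack for a service across pam_stack.so includes.

Added example (not from the original post). The sample files below are
constructed: system-auth mirrors the one quoted in the thread, sshd is an
assumed file built around the one line quoted there.
"""
import os
from typing import Dict, List, NamedTuple

# Constructed sample pam.d contents (assumption: sshd looks roughly like this).
PAM_FILES: Dict[str, str] = {
    "sshd": """#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
""",
    "system-auth": """#%PAM-1.0
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
""",
}


class Entry(NamedTuple):
    group: str        # auth / account / password / session
    control: str      # required / requisite / sufficient / optional
    module: str       # module file name with any directory stripped
    args: List[str]   # module arguments as written


def parse_pam(text: str) -> List[Entry]:
    """Parse one pam.d file; comments (including #%PAM-1.0) and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        group, control, module, *args = fields
        entries.append(Entry(group, control, os.path.basename(module), args))
    return entries


def resolve(service: str, files: Dict[str, str], _seen=()) -> List[Entry]:
    """Expand pam_stack.so service=X in place; a file including itself is an error."""
    if service in _seen:
        raise ValueError("pam_stack loop: " + " -> ".join(_seen + (service,)))
    if service not in files:
        raise KeyError(f"no pam.d file for service {service!r}")
    out: List[Entry] = []
    for e in parse_pam(files[service]):
        if e.module != "pam_stack.so":
            out.append(e)
            continue
        target = next((a.split("=", 1)[1] for a in e.args if a.startswith("service=")), None)
        if target is None:
            raise ValueError(f"pam_stack.so in {service!r} without service= argument")
        # pam_stack runs only the sub-stack of the same management group it sits in.
        sub = resolve(target, files, _seen + (service,))
        out.extend(x for x in sub if x.group == e.group)
    return out


def auth_chain(stack: List[Entry]) -> List[str]:
    """Auth modules in execution order, as 'control:module' strings."""
    return [f"{e.control}:{e.module}" for e in stack if e.group == "auth"]


def prompting_without_reuse(stack: List[Entry], prompting=("pam_unix.so",)) -> List[str]:
    """Auth modules that will ask for a password themselves.

    Assumption: the modules named in `prompting` collect a password unless given
    use_first_pass or try_first_pass (per the pam_unix README quoted in the thread).
    """
    reuse = {"use_first_pass", "try_first_pass"}
    return [e.module for e in stack
            if e.group == "auth" and e.module in prompting and not (reuse & set(e.args))]


if __name__ == "__main__":
    effective = resolve("sshd", PAM_FILES)
    for group in ("auth", "account", "password", "session"):
        for e in effective:
            if e.group == group:
                print(f"{e.group:9} {e.control:11} {e.module} {' '.join(e.args)}")
    print("auth modules that prompt on their own:", prompting_without_reuse(effective))
```

Running it against your real /etc/pam.d (read each file into the dict) shows the stack as PAM actually walks it: here pam_unix is reached first in the auth group and, lacking use_first_pass or try_first_pass, collects its own password before anything after it gets a turn, which is the ordering question behind the extra passwd prompt.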