Changes between Initial Version and Version 1 of Ticket #11828, comment 20
Timestamp: Feb 13, 2015, 8:16:04 PM (10 years ago)
Ticket #11828, comment 20
initial v1 13 13 The third line now fails authentication if the OTP is entered incorrectly or succeeds and exits the PAM stack if the OTP is entered correctly. As a result, everything after the third line becomes dead code, but that's okay since it has to do with password-based authentication. 14 14 15 In my and jprostko's initial testing, everything works properly. I think we've finally nailed this. Due to prior commitments, I won't be able to resume work on this until early next week, but jprostko may finish thisoff in the mean time.15 In my and jprostko's initial testing, everything works properly. I think we've finally nailed this. Due to prior commitments, I won't be able to resume work until early next week, but jprostko may finish it off in the mean time. 16 16 17 17 I'm not a security expert, but I would tend to think that OTP would be more appropriate for logins. After all, it's best to keep people from getting in to begin with. However, I can see why you'd opt for sudo OTP as a convenience compromise. … … 31 31 32 32 {{{ 33 '''auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf34 auth requisite pam_oath.so usersfile=/etc/users.oath window=30 '''33 auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf 34 auth requisite pam_oath.so usersfile=/etc/users.oath window=30 35 35 auth include common-auth 36 36 account include common-account … … 43 43 The second line prompts for an OTP. If it isn't entered correctly, authentication fails. If it's entered successfully, go to line three and proceed as usual. 44 44 45 The rest of the lines are carried over from the existing PAM file. 46 45 47 And that's all it should take. Feel free to start from there if you've got time, jprostko.
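Review bot: On line 33 of the PAM snippet, "auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf" jumps over the next module when pam_access.so succeeds, and the next module is the pam_oath.so line, so whatever /etc/security/access-local.conf permits is never asked for an OTP. That file is not shown in this revision, so the stack's real OTP coverage cannot be reviewed from these lines alone. Suggest attaching the contents of access-local.conf to the ticket, keeping its allow rules as narrow as possible, and making sure the file is writable only by root, since editing it changes who skips the second factor. The same care applies to /etc/users.oath named on line 34.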