Deterministic PAM-based authentication?

Ben Scott dragonhawk at gmail.com
Mon Oct 3 16:33:00 EDT 2005


On 10/3/05, Paul Lussier <p.lussier at comcast.net> wrote:
> For example, I want to enforce the use of OTPs if ssh'ing to a system
> from outside our firewall, but allow the use of krb5 authentication if
> ssh'ing to the system from within our network.

  Well, as I recall, PAM works by checking each module in sequence.
If a module marked "sufficient" succeeds, then authentication
immediately succeeds; if a module marked "required" fails, then
authentication immediately fails; if you make it to the end,
authentication succeeds.

  So, if you have a module to check source IP address, you're there.
Make the OTP module "sufficient", and put it first.  Make the Kerb and
IP address modules "required".  If the client has an OTP, they
won't need the IP address or the Kerb modules.  If the client doesn't
have the OTP, they need both the IP address and the Kerb ticket.

  It would appear to me that the part you need is the PAM module to do
checks based on IP addresses.  A Google search for "PAM module IP
address" didn't immediately find such a module, but did find lots of
people talking about one.  Maybe you can track that down to the
source.

  Hope that helps,

-- Ben "If at first you don't succeed, keep on sucking until you do
succeed" Scott
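Added example, not part of the original post: a small simulator of the auth stack Ben describes (OTP "sufficient" first, then Kerberos and a source-address module "required"). It follows the Linux-PAM documented control-flag semantics, which differ slightly from the post's summary: a failing "required" module is remembered but the rest of the stack still runs (only "requisite" fails immediately), and "sufficient" only short-circuits if no earlier "required" module has failed. The module names, the client record layout and the 10.0.0.0/8 "inside the firewall" range are assumptions made for the example.

```python
import ipaddress

# (control flag, module name); module names are hypothetical.
STACK = [
    ("sufficient", "pam_otp"),      # OTP first: success alone is enough
    ("required", "pam_krb5"),       # Kerberos password/ticket check
    ("required", "pam_srcaddr"),    # hypothetical source-address check
]

# Constructed "inside the firewall" range used by the source-address module.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def run_module(name, client):
    """Evaluate one module against a client record; True means PAM_SUCCESS."""
    if name == "pam_otp":
        return client.get("otp_ok", False)
    if name == "pam_krb5":
        return client.get("krb5_ok", False)
    if name == "pam_srcaddr":
        return ipaddress.ip_address(client["src_ip"]) in INTERNAL_NET
    raise ValueError(f"unknown module {name}")


def pam_authenticate(stack, client):
    """Walk the stack with Linux-PAM control-flag semantics."""
    required_failed = False
    for control, module in stack:
        ok = run_module(module, client)
        if control == "sufficient":
            # Short-circuits only if nothing "required" has failed so far.
            if ok and not required_failed:
                return True
        elif control == "required":
            # Failure is remembered, but later modules still run.
            if not ok:
                required_failed = True
        elif control == "requisite":
            # Unlike "required", a failure here stops the stack at once.
            if not ok:
                return False
        else:
            raise ValueError(f"unknown control flag {control}")
    return not required_failed


if __name__ == "__main__":
    cases = {
        "outside, OTP":        {"src_ip": "203.0.113.7", "otp_ok": True,  "krb5_ok": False},
        "outside, Kerb only":  {"src_ip": "203.0.113.7", "otp_ok": False, "krb5_ok": True},
        "inside, Kerb only":   {"src_ip": "10.1.2.3",    "otp_ok": False, "krb5_ok": True},
    }
    for label, client in cases.items():
        print(f"{label:20s} -> {'PASS' if pam_authenticate(STACK, client) else 'FAIL'}")
```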
