[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [OATH-Toolkit-help] totp pam and try_first_pass or use_first_pass
From: |
Simon Josefsson |
Subject: |
Re: [OATH-Toolkit-help] totp pam and try_first_pass or use_first_pass |
Date: |
Mon, 30 May 2011 11:32:37 +0200 |
User-agent: |
Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux) |
Jens Czyborra <address@hidden> writes:
> Example:
>
> in /etc/pam.d/sudo:
>
> auth required pam_unix.so
> auth sufficient pam_oath.so usersfile=/etc/users.oath
> digits=6 try_first_pass debug
>
> By testing the login by the unix pass everything works well.
>
> By testing with the otp (xyzabc_ is the password and 123456 is the otp) i get:
Hi Jens! Welcome to the list.
Try reversing the order of password and PIN -- i.e., type
'123456xyzabc_' instead of 'xyzabc_123456'. If it is important for you
to type the password first and the PIN next, it should be possible to
add a flag for the PAM module to modify this behaviour.
/Simon
> ~]$ sudo su
> Passwort:
> [pam_oath.c:parse_cfg(118)] called.
> [pam_oath.c:parse_cfg(119)] flags 32768 argc 4
> [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
> [pam_oath.c:parse_cfg(121)] argv[1]=digits=6
> [pam_oath.c:parse_cfg(121)] argv[2]=use_first_pass
> [pam_oath.c:parse_cfg(121)] argv[3]=debug
> [pam_oath.c:parse_cfg(122)] debug=1
> [pam_oath.c:parse_cfg(123)] alwaysok=0
> [pam_oath.c:parse_cfg(124)] try_first_pass=0
> [pam_oath.c:parse_cfg(125)] use_first_pass=1
> [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
> [pam_oath.c:parse_cfg(127)] digits=6
> [pam_oath.c:parse_cfg(128)] window=5
> [pam_oath.c:pam_sm_authenticate(157)] get user returned: jens
> [pam_oath.c:pam_sm_authenticate(168)] get password returned: xyzabc_123456
> [pam_oath.c:pam_sm_authenticate(274)] Password: xyzabc_
> [pam_oath.c:pam_sm_authenticate(292)] OTP:
> [pam_oath.c:pam_sm_authenticate(305)] authenticate rc -2
> (OATH_INVALID_DIGITS:
> Unsupported number of OTP digits) last otp Mon May 30 01:00:38 2011
>
> [pam_oath.c:pam_sm_authenticate(311)] One-time password not authorized to
> login as user 'jens'
> [pam_oath.c:pam_sm_authenticate(327)] done. [Fehler bei Authentifizierung]
> Sorry, try again.
> Passwort:
>
>
> the same with use_first_pass
>
> withou both try_first_pass and use_first_pass it works but i'm asked first
> for
> the unix pass and second for the otp if unix fails
>
> ???????