List: freeradius-devel
Subject: Re: Creating a two man login module
From: Brian Candler <b.candler () pobox ! com>
Date: 2013-10-16 19:10:36
Message-ID: 525EE4AC.1000602 () pobox ! com
On 16/10/2013 19:20, PEOPLES, MICHAEL P wrote:
> What I can't figure out is where do I code the prompts? There are
> suggestions that it is in one of the "getty" type processes, but I
> cannot figure it.

You could try returning appropriate responses from the PAM "conversation
function". In principle it ought to be able to engage in a
challenge-response-challenge-response type of exchange. I don't have any
sample code, but the pam_opie module might be a good starting point.

In practice, many clients of PAM (e.g. POP3 daemons) just collect a
username and password and blindly squirt them at the conversation
function, assuming that it will always be prompting for username and
password respectively.

But if the login access method you are using supports this extended
exchange, it *may* interact properly with PAM for it.

You are probably interested in console getty and/or ssh; and I think ssh
v2 supports a "keyboard-interactive" exchange which I believe is a
conversation.

If you are writing a custom PAM module, you can make it do whatever you
like to validate the two passwords - two separate RADIUS queries for
example.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
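
The two-prompt exchange described in the message above, as an added example (not code from the thread, from FreeRADIUS or from pam_opie): the module side drives one conversation round per person, and the client side either answers each prompt in turn or blindly replays one stored password. Assumptions: `two_man_auth`, `verify_fn`, `client_conv`, `demo_verify`, `demo_login`, the prompt wording and the secrets are hypothetical or constructed; a real module would obtain the `struct pam_conv` with `pam_get_item(pamh, PAM_CONV, ...)` inside `pam_sm_authenticate`.

```c
#include <stdlib.h>
#include <string.h>
#if __has_include(<security/pam_appl.h>)
#include <security/pam_appl.h>
#else /* stand-ins mirroring Linux-PAM's declarations so this builds without its headers */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **, struct pam_response **, void *); void *appdata_ptr; };
#endif
typedef int (*verify_fn)(int who, const char *secret); /* hypothetical hook, e.g. one RADIUS query each */

/* Module side: one conversation round per person; both secrets must verify. */
int two_man_auth(const struct pam_conv *pc, verify_fn verify) {
    static const char *prompts[2] = { "First password: ", "Second password: " }; /* assumed wording */
    int ok = 1;
    for (int i = 0; i < 2; i++) {
        struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompts[i] };
        const struct pam_message *mp = &m;
        struct pam_response *r = NULL;
        if (pc->conv(1, &mp, &r, pc->appdata_ptr) != PAM_SUCCESS || !r || !r->resp)
            { free(r); return PAM_CONV_ERR; }
        if (!verify(i, r->resp)) ok = 0;     /* keep prompting so the failing half is not revealed */
        memset(r->resp, 0, strlen(r->resp)); /* best-effort scrub before release */
        free(r->resp); free(r);
    }
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Client side: answers prompts in order, or (blind) replays one stored password every time. */
struct client { const char **answers; int next, blind; };
int client_conv(int n, const struct pam_message **msg, struct pam_response **resp, void *ap) {
    struct client *c = ap; (void)msg;        /* this client never inspects the prompt text */
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < n; i++) {
        const char *a = c->answers[c->blind ? 0 : c->next++];
        if ((r[i].resp = malloc(strlen(a) + 1)) != NULL) strcpy(r[i].resp, a);
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Constructed secrets standing in for the two backend checks. */
int demo_verify(int who, const char *s) { return strcmp(s, who ? "bravo-2" : "alpha-1") == 0; }
int demo_login(int blind) {                  /* one login attempt with constructed answers */
    const char *answers[] = { "alpha-1", "bravo-2" };
    struct client c = { answers, 0, blind };
    struct pam_conv pc = { client_conv, &c };
    return two_man_auth(&pc, demo_verify);
}
```

`demo_login(0)` succeeds because the client answers each prompt separately; `demo_login(1)` fails with `PAM_AUTH_ERR` because the replayed first password is rejected at the second prompt.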