
List:       freeradius-devel
Subject:    Re: Creating a two man login module
From:       Brian Candler <b.candler () pobox ! com>
Date:       2013-10-16 19:10:36
Message-ID: 525EE4AC.1000602 () pobox ! com

On 16/10/2013 19:20, PEOPLES, MICHAEL P wrote:
> What I can't figure out is where do I code the prompts?  There are 
> suggestions that it is in one of the "getty" type processes, but I 
> cannot figure it.
You could try returning appropriate responses from the PAM "conversation 
function". In principle it ought to be able to engage in a 
challenge-response-challenge-response type of exchange. I don't have any 
sample code, but the pam_opie module might be a good starting point.

In practice, many clients of PAM (e.g. POP3 daemons) just collect a 
username and password and blindly squirt them at the conversation 
function, assuming that it will always be prompting for username and 
password respectively.

But if the login access method you are using supports this extended 
exchange, it *may* interact properly with PAM for it.

You are probably interested in console getty and/or ssh; and I think ssh 
v2 supports a "keyboard-interactive" exchange which I believe is a 
conversation.

If you are writing a custom PAM module, you can make it do whatever you 
like to validate the two passwords - two separate RADIUS queries for 
example.
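The exchange Brian describes, as an added example (not code from this thread, from FreeRADIUS or from Linux-PAM). The module side asks four questions through the conversation function, one message per call, and only then runs one backend query per operator; the application side is a scripted conversation function standing in for a client such as an ssh keyboard-interactive session. The names radius_check, two_man_authenticate, scripted_conv and run_login are this example's own, the alice/bob credentials are constructed test data, and the real RADIUS Access-Requests are replaced by a table lookup. When libpam-dev is installed the real pam_appl.h is used; otherwise the few definitions needed are mirrored with Linux-PAM's values.

```c
#define _POSIX_C_SOURCE 200809L              /* strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Real libpam header when present; otherwise mirror the few definitions
 * needed (values as in Linux-PAM; assumed, so this builds without libpam-dev). */
#if defined(__has_include)
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_APPL_H 1
#  endif
#endif
#ifndef HAVE_PAM_APPL_H
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_CONV_ERR = 19,
       PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON = 2 };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};
#endif
/* Constructed stand-in for the RADIUS server: in a real module each call is
 * a separate Access-Request. The credentials are invented test data. */
static int radius_check(const char *user, const char *pass) {
    static const char *const table[][2] = { { "alice", "alice-pw" }, { "bob", "bob-pw" } };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i][0], user) == 0 && strcmp(table[i][1], pass) == 0) return 1;
    return 0;
}
static void wipe(char *s) {                  /* best-effort scrub of a secret, then free */
    if (!s) return;
    for (volatile char *p = s; *p; p++) *p = 0;
    free(s);
}
/* Module side: send one prompt through the application's conversation
 * function; returns the answer (caller frees) or NULL if the client balked. */
static char *ask(const struct pam_conv *conv, int style, const char *text) {
    struct pam_message msg = { style, text };
    const struct pam_message *msgp = &msg;
    struct pam_response *resp = NULL;
    int rc = conv->conv(1, &msgp, &resp, conv->appdata_ptr);
    char *answer = (rc == PAM_SUCCESS && resp) ? resp->resp : NULL;
    free(resp);                              /* libpam convention: app allocates, module frees */
    return answer;
}
/* The two-man exchange: four prompts, then one backend query per operator.
 * Both queries run before any verdict, so a failure does not tell the caller
 * which of the two operators got it wrong. */
static int two_man_authenticate(const struct pam_conv *conv) {
    static const char *const prompt[] = { "First operator username: ", "First operator password: ",
                                          "Second operator username: ", "Second operator password: " };
    char *ans[4] = { NULL, NULL, NULL, NULL };
    int rc = PAM_SUCCESS;
    for (int i = 0; i < 4; i++) {
        ans[i] = ask(conv, i % 2 ? PAM_PROMPT_ECHO_OFF : PAM_PROMPT_ECHO_ON, prompt[i]);
        if (!ans[i]) { rc = PAM_CONV_ERR; break; }   /* client cannot hold the exchange */
    }
    if (rc == PAM_SUCCESS) {
        int ok = radius_check(ans[0], ans[1]);        /* first operator: one query          */
        ok &= radius_check(ans[2], ans[3]);           /* second operator: a separate query  */
        ok &= strcmp(ans[0], ans[2]) != 0;            /* same person twice is not two-man   */
        rc = ok ? PAM_SUCCESS : PAM_AUTH_ERR;
    }
    for (int i = 0; i < 4; i++) wipe(ans[i]);
    return rc;
}
/* Application side: answers the module's prompts in order, as a client that
 * relays each prompt to a person would. Given only two answers it behaves like
 * a client that assumes the exchange is just username then password. */
struct script { const char *const *answers; int n, next; };
static int scripted_conv(int num_msg, const struct pam_message **msg,
                         struct pam_response **resp, void *appdata) {
    struct script *s = appdata;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;       /* info/error messages get no reply, only prompts do */
        if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF) continue;
        if (s->next >= s->n) {               /* nothing left to say: the exchange breaks down */
            while (i-- > 0) free(r[i].resp);
            free(r);
            return PAM_CONV_ERR;
        }
        r[i].resp = strdup(s->answers[s->next++]);
    }
    *resp = r;
    return PAM_SUCCESS;
}
/* Run one login attempt; a NULL argument marks where the client stops answering. */
static int run_login(const char *u1, const char *p1, const char *u2, const char *p2) {
    const char *answers[4] = { u1, p1, u2, p2 };
    struct script s = { answers, 0, 0 };
    while (s.n < 4 && answers[s.n]) s.n++;
    struct pam_conv conv = { scripted_conv, &s };
    return two_man_authenticate(&conv);
}
int main(void) {
    printf("two distinct operators:     %d\n", run_login("alice", "alice-pw", "bob", "bob-pw"));
    printf("same operator twice:        %d\n", run_login("alice", "alice-pw", "alice", "alice-pw"));
    printf("username/password-only app: %d\n", run_login("alice", "alice-pw", NULL, NULL));
    return 0;
}
```

In a real module two_man_authenticate would be called from pam_sm_authenticate, with the conversation pointer obtained via pam_get_item(pamh, PAM_CONV, ...) and radius_check replaced by two Access-Requests. The last case in main is the situation Brian warns about: an application that only ever supplies a username and a password runs out of answers at the third prompt and the module sees PAM_CONV_ERR rather than a credential failure, so the login access method, not the module, decides whether the extended exchange can work at all.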

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
