In my environment, I'd like to use pam_skey as an optional authentication measure that wouldn't replace the password, but would complement it. I.e., when the user sets the S/Key, he should afterwards be asked to provide the S/Key _and_ his password, without the possibility to just enter his password and circumvent S/Keys. On the other hand, when the user doesn't have an S/Key set, he should be able to log in with his password only.

While PAM would generally allow this, with the current internals of pam_skey, this setup isn't possible. You simply cannot distinguish between the "user has no S/Key set" case (it returns IGNORE) and the "user doesn't want to provide S/Key" case (it returns IGNORE as well).

I'm attaching a patch that will add the option require_skey to pam_skey. When this option is set, the module will require the user to successfully authenticate using S/Key, and will return IGNORE only in case the user didn't set up his key. If this option isn't provided, the behaviour of the module doesn't change.

Reproducible: Always
Created attachment 246462: proposed patch
Thank you. This is a useful change. I've included a slightly modified patch (only cosmetic changes) with pam_skey-1.1.5-r2. This version is still package.masked, and I would like to ask whether you could test it.
It works as expected, thanks.
Unmasked -r2. Thank you again.
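The behaviour described in the report, as an added example that is not part of the original thread and is not pam_skey's code: a simplified Python model of a two-line `required` auth stack, showing how an IGNORE result lets a password-only login through and how `require_skey` closes that path. The stack lines, the helper names and the reduction of libpam to the `required` flag are assumptions made for illustration.

```python
# Simplified model of libpam's "required" flag and of pam_skey's return
# values as described in this report. Not pam_skey or libpam source code.
SUCCESS, IGNORE, AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"

# Constructed auth stack (hypothetical service file contents).
STACK = """\
auth required pam_skey.so {opts}
auth required pam_unix.so
"""

def parse_stack(text):
    """Return (control, module, options) for each non-comment auth line."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2], fields[3:]))
    return entries

def pam_skey(user, options):
    if not user["has_skey"]:
        return IGNORE                  # no key set up: same in both modes
    if user["skey_valid"]:
        return SUCCESS
    # A key exists but no valid S/Key response was given.
    return AUTH_ERR if "require_skey" in options else IGNORE

def pam_unix(user, options):
    return SUCCESS if user["password_valid"] else AUTH_ERR

MODULES = {"pam_skey.so": pam_skey, "pam_unix.so": pam_unix}

def authenticate(stack_text, user):
    """Evaluate the stack; only the 'required' control flag is modelled."""
    failed = succeeded = False
    for control, module, options in parse_stack(stack_text):
        if control != "required":
            raise ValueError("model covers 'required' only")
        result = MODULES[module](user, options)
        if result == SUCCESS:
            succeeded = True
        elif result != IGNORE:
            failed = True              # required: keep going, fail at the end
    return succeeded and not failed

def login(require_skey, **user):
    opts = "require_skey" if require_skey else ""
    return authenticate(STACK.format(opts=opts), user)
```
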