
Bug 336449

Summary: sys-auth/pam_skey: impossible to make S/Key authentication mandatory
Product: Gentoo Linux
Reporter: Jan Sembera <fis>
Component: [OLD] Core system
Assignee: Ulrich Müller <ulm>
Status: RESOLVED FIXED
Severity: enhancement
CC: pam-bugs+disabled
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: proposed patch

Description Jan Sembera 2010-09-08 15:02:52 UTC
In my environment, I'd like to use pam_skey as an optional authentication measure that wouldn't replace the password, but would complement it. I.e., when the user sets the S/Key, he should afterwards be asked to provide the S/Key _and_ his password, without the possibility to just enter his password and circumvent S/Keys. On the other hand, when the user doesn't have S/Key set, he should be able to log in with his password only.

While PAM would generally allow this, with the current internals of pam_skey, this setup isn't possible. You simply cannot distinguish between the "user has no S/Key set" case (it returns IGNORE) and "user doesn't want to provide S/Key" (it returns IGNORE as well).

I'm attaching a patch that will add the option require_skey to pam_skey. When this option is set, the module will require the user to successfully authenticate using S/Key, and will return IGNORE only in case the user didn't set up his key. If this option isn't provided, the behaviour of the module doesn't change.

Reproducible: Always
Comment 1 Jan Sembera 2010-09-08 15:04:13 UTC
Created attachment 246462
proposed patch
Comment 2 Ulrich Müller gentoo-dev 2010-09-08 19:43:05 UTC
Thank you. This is a useful change.

I've included a slightly modified patch (only cosmetic changes) with pam_skey-1.1.5-r2. This version is still package.masked, and I would like to ask you if you could test it?
Comment 3 Jan Sembera 2010-09-09 08:50:10 UTC
It works as expected, thanks. 
Comment 4 Ulrich Müller gentoo-dev 2010-09-09 12:12:29 UTC
Unmasked -r2. Thank you again.
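
The gap described in the report and the effect of require_skey, as an added example that is not part of the bug thread or of pam_skey's code: a simplified Python model of a two-module stack (`auth required pam_skey.so [require_skey]` followed by `auth required pam_unix.so`). The stack layout, the `PAM_AUTH_ERR` failure code, the helper names and the sample users are assumptions made for illustration.

```python
# Simplified model of a PAM "auth" stack; not pam_skey or Linux-PAM source.
SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

def pam_skey(user, require_skey):
    """Result of the S/Key module as described in the bug report."""
    if not user["has_skey"]:
        return IGNORE              # no S/Key set up: IGNORE in both modes
    if user["skey_response"] == "valid":
        return SUCCESS
    if user["skey_response"] is None and not require_skey:
        return IGNORE              # old behaviour: declining looks like "no key"
    return AUTH_ERR                # assumed failure code for a wrong/declined S/Key

def pam_unix(user):
    """Password check, reduced to a flag on the constructed user."""
    return SUCCESS if user["password_ok"] else AUTH_ERR

def authenticate(user, require_skey):
    """Both modules are 'required': IGNORE does not count, anything else must succeed."""
    results = [pam_skey(user, require_skey), pam_unix(user)]
    counted = [r for r in results if r != IGNORE]
    return bool(counted) and all(r == SUCCESS for r in counted)

# Constructed sample users (hypothetical, for illustration only).
USERS = {
    "no_key_set":    {"has_skey": False, "skey_response": None,    "password_ok": True},
    "declines_skey": {"has_skey": True,  "skey_response": None,    "password_ok": True},
    "both_factors":  {"has_skey": True,  "skey_response": "valid", "password_ok": True},
    "skey_only":     {"has_skey": True,  "skey_response": "valid", "password_ok": False},
}

def run_cases():
    """Map each user to (login result without require_skey, with require_skey)."""
    return {name: (authenticate(u, False), authenticate(u, True))
            for name, u in USERS.items()}

if __name__ == "__main__":
    for name, (old, new) in run_cases().items():
        print(f"{name:14} without option: {old!s:5}  with require_skey: {new}")
```

The `declines_skey` row is the case the report is about: it logs in with the password alone when the option is absent and is rejected once require_skey is set, while `no_key_set` is unaffected.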