I am testing two-factor-authentication for ssh logins on some CentOS containers in our testing environment.
I compiled my own RPMs from GitHub's source, installed and configured everything and have the default setup up and running. I get prompted for the token first and for the user's password afterwards.
What I am trying to do now is change the order of the two factors. I have a requirement to ask for the password first and for the token last, but I haven't been able to configure this.
This is what /etc/pam.d/sshd looks like after the installation:

```
#%PAM-1.0
auth       required     pam_google_authenticator.so nullok
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
```
I have tried to move around the parameters of the first section with no luck. For example, if I move the google_authenticator line to the bottom of the first section, only password authentication is enabled.
Edit:
I have read PAM's documentation, but I cannot achieve this. I have tried to bundle google-authenticator with /etc/pam.d/password-auth, but nothing changed. It is either token first and password second or password only.
The password-auth file has more things about changing the password; I don't have to change the password (or I will change the password as root and use a strong password). – schemacs – 2014-10-13T13:10:23.613
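The "password only" result described in the question can be reproduced with a toy model of how Linux-PAM walks an auth stack. This is an added example, not part of the original post or of any project's code: it assumes the auth lines of password-auth follow the stock CentOS layout (with `pam_unix.so` marked `sufficient`), and `sshd_auth` and `evaluate` are hypothetical helper names. It compares `include` with Linux-PAM's `substack` control, which confines a `sufficient` success to the nested file.

```python
# Added example: simplified model of Linux-PAM auth-stack evaluation.
# ASSUMPTION: password-auth's auth lines follow the stock CentOS layout.
PASSWORD_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),        # asks for the password
    ("requisite", "pam_succeed_if.so"),
    ("required", "pam_deny.so"),          # always fails when reached
]
GA = ("required", "pam_google_authenticator.so")

def sshd_auth(password_control, ga_last=True):
    """Build the auth section of /etc/pam.d/sshd for the variant under test."""
    body = [("required", "pam_sepermit.so"), (password_control, "password-auth")]
    return body + [GA] if ga_last else [GA] + body

def evaluate(stack, results, state=None):
    """Return (granted, modules_called, stop); results maps module -> bool."""
    state = state if state is not None else {"failed": False, "called": []}
    for control, name in stack:
        if control in ("include", "substack"):
            _, _, stop = evaluate(PASSWORD_AUTH, results, state)
            # include splices the lines in, so done/die ends the whole stack;
            # substack confines done/die to the nested file.
            if stop and control == "include":
                return not state["failed"], state["called"], True
            continue
        state["called"].append(name)
        ok = results.get(name, name != "pam_deny.so")
        if control == "sufficient" and ok and not state["failed"]:
            return True, state["called"], True     # success=done
        if control == "requisite" and not ok:
            state["failed"] = True
            return False, state["called"], True    # die
        if control == "required" and not ok:
            state["failed"] = True                 # bad: keep evaluating
    return not state["failed"], state["called"], False

if __name__ == "__main__":
    for ctl in ("include", "substack"):
        granted, called, _ = evaluate(sshd_auth(ctl), {})
        print(ctl, granted, called)
```

In the model, the `substack` variant still calls the token module after a wrong password and then denies the login, so the prompts do not reveal which factor failed.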