Home / server / Questions / 444922
Accepted
Ryan Ries
Asked: 2012-11-03 12:30:18 +0800 CST

Can I use both the RSA 2-Factor PAM and an Active Directory PAM at the same time?

  • 772

Let's use the product formerly known as Likewise as an example. I can very easily install this on a Linux machine and join it to an Active Directory domain.

I can also use an RSA PAM module so that users are forced to authenticate with a 2-factor hardware token PIN and passcode, using a username that is known to the RSA authenticating server.

Can I use these two together? In other words, I guess what I'm asking is can I use two PAM modules at the same time? (I'm not a Linux guy so take it easy on me please.)

linux

1 Answers

  1. Best Answer

    With Linux PAM you can chain authentication modules. Just set all the necessary PAM-module you want to be checked to required in the appropriate configuration file.

    From the documentation:

    When a server invokes one of the six PAM primitives, PAM retrieves the chain for the facility the primitive belongs to, and invokes each of the modules listed in the chain, in the order they are listed, until it reaches the end, or determines that no further processing is necessary (either because a binding or sufficient module succeeded, or because a requisite module failed.) The request is granted if and only if at least one module was invoked, and all non-optional modules succeeded.

    So if all authentication methodes must be successful, use requisite. However, if the first of two auth-methodes fails, it will terminate immediately.

    If you want to hide the fact that some certain auth-methode failed, use required. Even if one module fails, it will continue to check other methodes, just to fail at the end.

    If you only need one of those methodes to succeed (means: many may fail, only one successful auth is sufficient), use sufficient.

    Refer to Pam Chain Policies for more details.

    • 3