
Goal: I want to configure PAM to use the regular user password (pam_unix.so) and an extra password (with success only when I type both passwords correctly, and deny (pam_deny.so) in case I type only one password or no password correctly). How can I achieve that? (I don't want to use GA or third-party methods, I know about them, but I still need a second password, please don't tell me about them). Also, I want to know how to add a second field, or achieve another type for the second password in lightdm and gnome-screensaver in the same field. I walked through all the PAM plugins on GitHub; maybe I can modify or configure pam-dotfile somehow to achieve that.

1 Answer

Edit: As stated by @grawity, a compliant application can handle such an authentication scheme gracefully. Graphical issues are avoided by asking for the two passwords in two successive steps (not the three fields "login / pass1 / pass2" as I encountered in a specific application using RSA SecurID, but the usual login/password screen followed by a second password screen after the first input).

As far as PAM is concerned, it all comes down to:

  • Installing or creating the appropriate PAM module which will handle the second password (with a small chance the RFID provider may already provide one, or, if it is standard enough, one may already exist somewhere else),
  • Configuring PAM to accept multi-factor authentication, usually by adding a second "auth required new_module_name_here.so", but this depends largely on the Linux distribution being used. Some research about "pam multi-factor" may prove useful. PAM configuration allows a lot of subtleties, like the order in which the passwords are requested, whether the second one should be requested only when the first one is valid or always, etc.
  • Configuring your application appropriately if needed, but depending on your needs and the existing application you may be lucky and it will work out of the box.

Original post: Instead of wanting to update the UI of the shell login, lightdm login and screensaver login (i.e. create a fork of all of these that you will have to maintain over time), maybe the better choice would be to merge your two passwords into one (for instance, define as your own policy that you will have to type the two passwords separated by a dash: "password1-password2"), and then create your own specific PAM module to authenticate this.

By this means you will remain compatible with all currently existing applications.
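As an added illustration of the second bullet above (not from the answer's author), here is what the auth stack of one service file, such as /etc/pam.d/lightdm, looks like for the "both passwords must be correct" requirement; pam_second.so is a placeholder for whatever module verifies the second password and prompts for it through the PAM conversation:

```pam
# auth section of e.g. /etc/pam.d/lightdm (pam_second.so is a placeholder name)

# Variant A: always ask for both passwords, decide at the end.
# "required" records a failure but keeps running the rest of the stack, so a
# wrong first password still produces the second prompt, and the prompt
# sequence reveals nothing about which of the two passwords was wrong.
auth    required    pam_unix.so
auth    required    pam_second.so

# Variant B: ask for the second password only when the first one is valid.
# Debian common-auth idiom: on success skip the next line; otherwise fall
# through to pam_deny.so, whose "requisite" failure ends the stack at once.
# (A single "auth requisite pam_unix.so" line behaves the same way.)
#auth    [success=1 default=ignore]  pam_unix.so
#auth    requisite                   pam_deny.so
#auth    required                    pam_second.so
```

Use one variant at a time; on Debian-derived systems the service files usually pull the auth stack in with "@include common-auth", so the lines belong in common-auth (or replace that include) rather than in each service file.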

  • Properly written UI doesn't require modification – multiple prompts are already a regular part of PAM. Commented Mar 31, 2015 at 10:45
  • @grawity Thanks for the information, I thought that the password input was handled by the graphical UI, then the credentials transmitted to PAM to be authenticated. I'll look further for your more complete answer on how to configure PAM as requested in the original question so all complying graphical interfaces add "automagically" a second password field to their screen :) ! Commented Mar 31, 2015 at 12:45
  • Well, yes, it is handled by the graphical UI, but usually in response to PAM prompts. So when PAM accepts one input but shows a second prompt, it should work automatically; I think I've seen that happen in gdm and lightdm. Commented Mar 31, 2015 at 14:59
  • Thanks for your helpful comments, I've edited my post accordingly :) Commented Mar 31, 2015 at 16:56
