#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
  Reporter:  zooey        |      Owner:  haiku-sysadmin
      Type:  task         |     Status:  new
  Priority:  normal       |  Milestone:
 Component:  Sys-Admin    |    Version:
Resolution:               |   Keywords:
Blocked By:               |   Blocking:
Has a Patch:  0           |   Platform:  All
-------------------------+----------------------------

Comment (by Centinel):

OK, I think I've got OTP + sudo figured out. By default, sudo in OpenSUSE requires you to enter the root user's password. I used visudo and commented out these two directives in order to restore traditional sudo behavior, where the user has to enter his own password:

{{{
# Defaults targetpw   # ask for the password of the target user i.e. root
# ALL ALL=(ALL) ALL   # WARNING! Only use this together with the 'Defaults targetpw'!
}}}

If I didn't do that, then PAM would expect you to enter an OTP based on the root user's account.

Next, I had to change the /etc/security/access-local.conf file that PAM references when determining whether or not to require an OTP. Here's what it originally said:

{{{
+ : ALL : LOCAL
- : (otpusers) : ALL
+ : ALL : ALL
}}}

The first line indicates that "local" users (for our purposes, everyone who is signed in over SSH) are not bound by OTP. That's why it didn't work when jprostko attempted to transplant my sshd PAM stack directives into the sudo PAM stack - you were already signed in, so it triggered the local user exemption. The second line requires OTP for accounts in the otpusers group. I deleted the local user exemption:

{{{
- : (otpusers) : ALL
+ : ALL : ALL
}}}

Now, 'otpusers' accounts are immediately bound by OTP, regardless of where they're logged in, and everyone else is exempt. Nice and simple.
Here's my sudo PAM stack:

{{{
auth     [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth     requisite pam_oath.so usersfile=/etc/users.oath window=30
auth     include common-auth
account  include common-account
password include common-password
session  include common-session
}}}

If you're not bound by OTP, you skip the second line; otherwise, you have to enter an OTP. I'll let jprostko verify this, but everything seems to be in order.

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:21>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
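The following is an added illustration, not part of the ticket or of Haiku's sysadmin configuration: a small model of how pam_access walks an access.conf file (first matching line wins; no match means access is granted), combined with the `[success=1 default=ignore]` control from the PAM stack above, to show why the original `+ : ALL : LOCAL` line skipped pam_oath for an already-signed-in user and why the trimmed file does not. The `LOCAL` matching rule (origin contains no dot) and the assumption that sudo presents an origin of `LOCAL` are simplifications of pam_access's behaviour.

```python
# Constructed copies of the two access-local.conf variants quoted in the ticket.
ORIGINAL_CONF = """\
+ : ALL : LOCAL
- : (otpusers) : ALL
+ : ALL : ALL
"""
CHANGED_CONF = """\
- : (otpusers) : ALL
+ : ALL : ALL
"""

def parse_access_conf(text):
    """Turn 'perm : users : origins' lines into (allow, [users], [origins]) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(pattern, user, groups):
    if pattern == "ALL":
        return True
    if pattern.startswith("(") and pattern.endswith(")"):   # "(name)" is a group
        return pattern[1:-1] in groups
    return pattern == user

def _origin_matches(pattern, origin):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in origin    # assumption: classic pam_access LOCAL rule
    return pattern == origin

def access_granted(rules, user, groups, origin):
    """pam_access semantics: the first rule matching both fields decides."""
    for allow, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return allow
    return True                     # no matching line: access is allowed

def sudo_needs_otp(conf, user, groups, origin="LOCAL"):
    # In the stack above pam_access is [success=1 default=ignore]: success jumps
    # over pam_oath, while a denial is ignored and the user falls through to it.
    return not access_granted(parse_access_conf(conf), user, groups, origin)
```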