multiple auth methods in pam.d/sshd?
Hello!
I'm trying to get PAM to allow for multiple methods of authentication. I want to have an RSA SecurID PAM module authenticate one group of users, Active Directory to authenticate a second, separate group of users, and finally, a local /etc/passwd to authenticate a third group of users. One of these groups has SecurID tokens and Active Directory accounts. This group should only be able to log in to the Linux server with their SecurID token and not their Active Directory credentials. The other groups should have only the Active Directory authentication requested.
I've tried stacking PAM modules in different orders and different controls, and I've worked on the system-auth-ac file to try and deny the Active Directory to those users by using pam_listfile in the system-auth-ac file. None of the variations have brought any joy.
I'm racking my brains on this one - seems there should be some way to wrangle a particular authentication method for any arbitrary group, but the answer eludes me.
Has anyone tried something this involved recently?
Thanks for any tips or guidance on this!
Gregg
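
One way to express the policy described in the post above is to branch on group membership before any password module runs. This is an added example, not part of the original post. It assumes pam_securid.so as the SecurID module, pam_sss.so as the Active Directory module (substitute pam_winbind.so or pam_krb5.so if that is what the host uses), and a hypothetical group name securid_users for the token holders.

```conf
# /etc/pam.d/sshd -- auth section only (added example; module choice and
# the group name "securid_users" are assumptions, not from the post)

# Branch: if the user is NOT a token holder, skip the next line.
# Token holders fail this test, "default=ignore" applies, and they fall
# through to pam_securid.so.
auth  [success=1 default=ignore]  pam_succeed_if.so user notingroup securid_users quiet

# Token holders only: SecurID is the final word.
#   success=done -> stop here with success, nothing below is consulted
#   default=die  -> stop here with failure, so an AD or local password
#                   can never rescue a failed token login
auth  [success=done default=die]  pam_securid.so

# Everyone else: local /etc/passwd accounts first, then Active Directory.
auth  sufficient  pam_unix.so try_first_pass
auth  sufficient  pam_sss.so use_first_pass

# Fail closed if nothing above granted access.
auth  required    pam_deny.so
```

This only governs logins that go through the PAM auth stack: sshd public-key authentication does not run auth modules, so token holders with an authorized key would bypass the SecurID requirement unless key authentication is restricted for them in sshd_config. Test changes from a second, already-open root session so a mistake in the stack does not lock you out.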