PAM auth with SecurID and SSH keys

jdvail · 06-10-2009, 01:37 PM

I have a RHEL4 system using SecurID two-factor authentication via a PAM module. This works fine, but I need to allow some key-based authentication for some automated logins (scripts moving stuff around, etc). The SecurID module has the ability to except logins or groups from the two-factor authentication, but it only knows how to pass the process on to local password authentication. I'd like to avoid running another instance of sshd, if possible. Anyone got this type of setup working before?

acid_kewpie · 06-11-2009, 06:22 AM

Surely the existence of SSH keys in the system prevent the PAM calls in the first place? if you do an ssh -v you'll see that (if permitted to) it first offers relevant rsa / dsa keys to the server, and only if that fails does it then move on to password authentication, which is presumably when your SecurID token is passed to a back end.

jdvail · 06-12-2009, 07:39 AM

Um, nevermind. Upon closer inspection, it turns out that the vendor's install script that created the SSH keys didn't configure them properly. Once I fixed that, everything works fine.

D'oh! I guess that's a reminder to never assume the vendor did what they say they did without verifying it yourself.

Thanks

jvail