In principle, as was alluded to above, one could set up PAM to try two different authentication sources, and allow the login if either of them succeeds. As other have said, though, this is highly nonstandard and it's not a very good idea from a security point of view since you want complete tracability and accountaqbility of exactly which human did what on the system. What woyuld be more interesting, IMO weould be an account that required both of two passwords to be entered to login. This might be useful in, e.g. a corporate financials system where the authorization of two directors is needed to confirm some transaction. I suspect there are commercial methods of doing this (much like existing two factor authentication systems for a single user) but I don't know exactly how offhand or if it's a capability that PAM can require without extra software.
|