Old 03-16-2010, 02:13 AM   #1
Akdor 1154
LQ Newbie
Registered: Mar 2008
Distribution: Xubuntu, Sidux, Debian
Posts: 10

Rep: Reputation: 0
Use different PAM modules depending on local/remote access


I'm using a fingerprint reader on my laptop, works pretty well:
$sudo echo hi
Please swipe your finger:
[swipe finger here of course]

This is accomplished using pam_fprint, and
auth    sufficient            
in /etc/pam.d/auth-common.

Like I said, it works nicely... until I try to SSH in and sudo something remotely, when it will ask me kindly to swipe my finger over the reader that's attached to the laptop which is on my desk at home thirty kilometres away. Naturally there's no method built into pam_fprint to abort via a keypress.

So, is there any way to tell PAM to only use certain modules if I'm in a locally logged in session?

Thanks kindly,
Old 03-16-2010, 03:41 AM   #2
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671
Create a copy of auth-common under another name, without the line and use it instead of auth-common in your /etc/pam.d/sshd file.

Another option would be to use pubkey authentication instead. Look at the commented instructions in the /etc/ssh/sshd_config file above the "UsePAM yes" line.
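
Added example, not part of the thread: a sketch of the per-service stack described in post #2, run against a constructed PAM directory instead of /etc/pam.d. The names `split_stack` and `make_sample`, the module file name `pam_fprint.so` and all sample file contents are assumptions; `auth-common` is the file name used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread); sample files below are constructed.
# split_stack PAMDIR SERVICE COMMON MODULE
#   Copy PAMDIR/COMMON to PAMDIR/COMMON-SERVICE without rules that load MODULE,
#   then point SERVICE's "@include COMMON" at the copy. Only SERVICE is changed.
split_stack() {
    pamdir=$1; service=$2; common=$3; module=$4
    src="$pamdir/$common"; dst="$src-$service"; svc="$pamdir/$service"
    [ -f "$src" ] && [ -f "$svc" ] || return 1
    # Only touch a service that really pulls in the shared stack.
    grep -Eq "^@include[[:space:]]+$common[[:space:]]*\$" "$svc" || return 2
    # Drop active rules whose module field is MODULE or MODULE.so (any path).
    awk -v m="$module" '
        !/^[[:space:]]*#/ {
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/.*\//, "", f)
                if (f == m || f == m ".so") next
            }
        }
        { print }' "$src" > "$dst.tmp" || return 1
    # Refuse a copy with no auth rule left: the service could not authenticate.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]' "$dst.tmp"; then
        rm -f "$dst.tmp"; return 3
    fi
    mv "$dst.tmp" "$dst"
    cp -p "$svc" "$svc.bak"   # keep the original service file
    sed "s/^@include[[:space:]]\{1,\}$common[[:space:]]*\$/@include $common-$service/" \
        "$svc.bak" > "$svc"
}

# Constructed PAM directory: sshd and sudo both include the shared stack.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' \
        'auth  sufficient  pam_fprint.so' \
        'auth  required    pam_unix.so' > "$d/auth-common"
    printf '%s\n' '@include auth-common' \
        'account required pam_nologin.so' > "$d/sshd"
    printf '%s\n' '@include auth-common' > "$d/sudo"
    echo "$d"
}

dir=$(make_sample) && split_stack "$dir" sshd auth-common pam_fprint
grep . "$dir"/sshd "$dir"/sudo "$dir"/auth-common-sshd
```

Only the sshd file is repointed; the sudo file still includes the shared stack, because PAM selects the file by service name.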
Old 03-16-2010, 04:13 AM   #3
Akdor 1154
LQ Newbie
Registered: Mar 2008
Distribution: Xubuntu, Sidux, Debian
Posts: 10

Original Poster
Rep: Reputation: 0
No, pam_fprint is already hard coded to pass if it's being used by sshd, so I can log in. The problem comes about when I'm trying to su or sudo INSIDE an ssh session, as these don't (and shouldn't) check whether they're being used remotely or locally; they just go with whatever PAM tells them to as far as I can see.

Thanks for the reply though, it was a good thought.

