Re: [gdm-list] Two-Factors GDM login screen?



Alessandro Bottoni wrote:
> Hi All,
> is it possible to have a two-factor login screen with GDM (without
> hacking the code)?
>
> I would like to have a login screen with the following fields
> ("connected" to some underlying PAM module):
> 1) Username/Face browsing
> 2) Static password
> 3) Dynamic (One-Time) password (generated by an OTP generator like some
> type of RSA SecurID or some type of Aladdin eToken)
>
> How do you configure GDM to get this result?


Two-factor authentication usually means that you have two different authentication mechanisms and must authenticate to both.

PAM handles this by stacking multiple authentication modules. As a result the authentication is serialized. This would also apply to GDM: You first get prompted for one of the passwords (for the first module) and then the login screen changes to ask for the second password.

PAM is not made for asking for both passwords at once or for giving users a choice of multiple authentication methods. Depending on the platform, there may be a module that chooses the method(s) to apply (i.e. the effective PAM stack) depending on the user name. Otherwise you'd need a custom PAM module that knows both methods and sends a conversation request with two prompts in one request to the login application. (But even then the application, for example GDM, may choose to serialize the prompts.)

AFAIK there is some work in planning to allow more flexible mixes of authentication methods and GDM screens to reflect that, but I don't know what the status of that is.

> Which PAM module can be used to manage dynamic/OTP passwords?
>

This probably depends on the OTP token you are using and your platform. Maybe the vendor of your OTP token has one to go with their implementation. Maybe pam_opie or pam_radius work for you.

HTH

- Jörg

--
Joerg Barfurth
Software Engineer        mailto:joerg barfurth sun com
Desktop Technology
Thin Client Software     http://www.sun.com/software/sunray/
Sun Microsystems GmbH    http://www.sun.com/software/javadesktopsystem/

Registered office:
Sun Microsystems GmbH, Sonnenallee 1, D-85551 Kirchheim-Heimstetten
Munich District Court: HRB 161028
Managing Directors: Thomas Schroeder, Wolfgang Engels
Chairman of the Supervisory Board: Martin Haering
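
Added example, not part of the original message: a simplified Python model of how a stacked `auth` section is walked, showing the serialized prompts described in the reply and how the control flag on the first module decides whether the second factor is actually enforced. The `required`/`requisite`/`sufficient` keywords follow Linux-PAM; the two stacks, the pairing of `pam_unix.so` with `pam_radius_auth.so`, and the module outcomes are constructed assumptions.

```python
# Simplified model of a Linux-PAM style "auth" stack (required / requisite /
# sufficient only). Stack lines and module outcomes are constructed samples.

TWO_FACTOR = """
auth required pam_unix.so          # static password
auth required pam_radius_auth.so   # one-time password
"""

# Common mistake: "sufficient" on the first module ends the stack on success,
# so the OTP module is never consulted.
ONE_FACTOR_BY_ACCIDENT = """
auth sufficient pam_unix.so
auth required   pam_radius_auth.so
"""

def parse(stack_text):
    """Return [(control, module)] for every 'auth' line, ignoring comments."""
    entries = []
    for line in stack_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def authenticate(stack_text, outcomes):
    """Walk the stack in order. `outcomes` maps module -> True/False (did the
    user answer that module's prompt correctly). Returns (granted, prompted),
    where `prompted` lists the modules that asked, in the order they asked."""
    prompted, failed, passed = [], False, False
    for control, module in parse(stack_text):
        prompted.append(module)            # prompts arrive one after another
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False, prompted         # fail immediately
        if control in ("required", "requisite"):
            failed = failed or not ok      # remember a failure, keep going
            passed = passed or ok
        elif control == "sufficient" and ok and not failed:
            return True, prompted          # success, rest of stack skipped
    return (passed and not failed), prompted

if __name__ == "__main__":
    password_only = {"pam_unix.so": True, "pam_radius_auth.so": False}
    print("two-factor stack:  ", authenticate(TWO_FACTOR, password_only))
    print("sufficient-first:  ", authenticate(ONE_FACTOR_BY_ACCIDENT, password_only))
```

With the `sufficient` variant either factor alone grants access, which is why both modules need `required` (or `requisite`) for the login to be two-factor.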


