pam_unix and UsePAM

In OpenSSH, I'd like to require users to use public-key authentication
AND to enter their local password. I've tried to configure PAM to do
this with "auth require pam_unix" in pam.d/sshd, but it still
authenticates users without their password. How can I do this?


Re: pam_unix and UsePAM

You can't. PAM can't provide SSH public-key authentication, OpenSSH only
uses PAM for password and keyboard-interactive authentication, and
OpenSSH will only use one authentication method for a given session.
The first two aren't likely to change, but the last one could. Of course
with keyboard-interactive + PAM you could in principle implement some
combination of password and "non-SSH-protocol" public-key authentication
yourself (this would entail at least writing a) a PAM module and b) a
client-side tool that used the private key to sign a random string - the
challenge given by the PAM module).

--Per Hedeland
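
The challenge-response exchange sketched in the reply above, as an added example that is not part of the original post and not OpenSSH or PAM code: `Verifier` plays the role of the PAM module and `Respond` the client-side signing tool. The Ed25519 key, the type and function names, and the `ctx` label are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// ctx is an assumed domain-separation label: a signature made for this
// exchange is then useless as a signature over any other protocol's data.
const ctx = "demo-pam-login-v1:"

// Verifier stands in for the PAM module: the user's enrolled public key
// plus the single-use challenges issued and not yet answered.
type Verifier struct {
	pub     ed25519.PublicKey
	pending map[string]bool
}

// Challenge returns 32 fresh random bytes and records them as outstanding.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // no entropy: fail closed rather than issue a weak nonce
	}
	v.pending[string(c)] = true
	return c
}

// Check consumes the challenge before verifying, so a captured response
// cannot be replayed and a failed guess cannot be retried on the same nonce.
func (v *Verifier) Check(challenge, sig []byte) bool {
	if !v.pending[string(challenge)] {
		return false
	}
	delete(v.pending, string(challenge))
	return ed25519.Verify(v.pub, append([]byte(ctx), challenge...), sig)
}

// Respond is the client-side tool: it signs the context-bound challenge.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(ctx), challenge...))
}

func main() { // constructed demo: throwaway key, one login, one replay
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := &Verifier{pub: pub, pending: map[string]bool{}}
	c := v.Challenge()
	sig := Respond(priv, c)
	fmt.Println("first:", v.Check(c, sig), "replay:", v.Check(c, sig))
}
```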

Re: pam_unix and UsePAM

With the stock OpenSSH, you can't.  There's an enhancement request[1]
that would allow you to do it by compiling in PAM support, setting
UsePAM=yes and setting RequiredAuthentications to require both
Password and Publickey.

There's a patch too but I'm not sure if it will apply to current versions
of OpenSSH.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.