pam_otp_auth - PAM authentication
The pam_otp_auth module implements pam_sm_authenticate(), which provides functionality to the PAM authentication stack. It effectuates a stronger authentication system by implementing one-time password based authentication. It is stacked with pam_unix_auth module to accomplish two factor authentication. The pam_sm_authenticate() function verifies that the one-time password provided by the user and contained in the PAM item PAM_AUTHTOK matches the password generated based on the OTP configuration of the user specified in the item PAM_USER. The password generation algorithms and configuration inputs are based on RFC 4226 and RFC 6238.
Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred() functions. To allow the authentication portion of UNIX authentication to be replaced, pam_sm_setcred() in this module always returns PAM_IGNORE. This module should be stacked with pam_unix_cred to ensure a successful return from pam_setcred. For more information, see the pam_unix_cred(5) and pam_setcred(3PAM) man pages.
It should be noted that when this module is added as "required" or "requisite" to a PAM stack, users must have a valid OTP configuration in order for the pam_otp_auth module to succeed. Adding OTP to a PAM configuration without first allowing each user to set up an authenticator will lock those users out of the applicable services until OTP is configured.
The module does not support any options.
The following error codes are returned from pam_sm_authenticate() function:
Authentication failure.
Memory buffer error.
Ignores module, not participating in result.
Permission denied.
Successfully authenticated the user.
System error.
No account present for user.
The following error code is returned from pam_sm_setcred() function:
Ignores this module regardless of the control flag.
libpam(3LIB), pam(3PAM), pam_authenticate(3PAM), pam_setcred(3PAM), pam.conf(4), pam_get_item(3PAM), pam_authtok_get(5)