Go to main content

man pages section 7: Standards, Environments, Macros, Character Sets, and Miscellany

Exit Print View

Updated: Wednesday, August 8, 2018
 
 

pam_otp_auth (7)

Name

pam_otp_auth - PAM authentication

Description

The pam_otp_auth module implements pam_sm_authenticate(), which provides functionality to the PAM authentication stack. It effectuates a stronger authentication system by implementing one-time password based authentication. It is stacked with pam_unix_auth module to accomplish two factor authentication. The pam_sm_authenticate() function verifies that the one-time password provided by the user and contained in the PAM item PAM_AUTHTOK matches the password generated based on the OTP configuration of the user specified in the item PAM_USER. The password generation algorithms and configuration inputs are based on RFC 4226 and RFC 6238.

Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred() functions. To allow the authentication portion of UNIX authentication to be replaced, pam_sm_setcred() in this module always returns PAM_IGNORE. This module should be stacked with pam_unix_cred to ensure a successful return from pam_setcred. For more information, see the pam_unix_cred(7) and pam_setcred(3PAM) man pages.

It should be noted that when this module is added as "required" or "requisite" to a PAM stack, users must have a valid OTP configuration in order for the pam_otp_auth module to succeed. Adding OTP to a PAM configuration without first allowing each user to set up an authenticator will lock those users out of the applicable services until OTP is configured.

The module does not support any options.

Errors

The following error codes are returned from pam_sm_authenticate() function:

PAM_AUTH_ERR

Authentication failure.

PAM_BUF_ERR

Memory buffer error.

PAM_IGNORE

Ignores module, not participating in result.

PAM_PERM_DENIED

Permission denied.

PAM_SUCCESS

Successfully authenticated the user.

PAM_SYSTEM_ERR

System error.

PAM_USER_UNKNOWN

No account present for user.

The following error code is returned from pam_sm_setcred() function:

PAM_IGNORE

Ignores this module regardless of the control flag.

See Also

libpam(3LIB), pam(3PAM), pam_authenticate(3PAM), pam_setcred(3PAM), pam.conf(5), pam_get_item(3PAM), pam_authtok_get(7)