
Re: using one time passwords with conserver?

Bryan Stansell bryan@conserver.com
Sun, 23 Jul 2006 09:03:34 -0700 (PDT)


hmm...well, that's kinda tricky.  the issue is that there are multiple
conserver processes that the client talks to (the master, then the actual
one managing the console - in the simplest form).  the client actually
caches the password so that it can re-authenticate with the extra
processes without harassing the user.  in your case, you should be
getting multiple password requests, right?  you'd authenticate with the
first, conserver would try and re-use the password with the second,
fail, and then ask for the current password.

removing the need for multiple passwords *might* be possible.  i could
see removing the need for authenticating against the master
process...just have it skip password stuff (which means removing a few
lines of code) and let the user authenticate once against the process
managing the console.  this would allow folks to gather data...so not
something i'd do for the general release (well, maybe as an option), but
you may not like that either.

another possibility is to set up a "console" host that does nothing but
allow folks to access conserver (it could even be the same box).  when a
user logs in, instead of a shell, you get a console command that
attaches to some pre-determined console.  how does this help?  well, you
turn off all authentication in conserver and can assume that anyone
attaching has already authenticated with the host, so they should be who
they say they are.  and, actually, you could create a "noop" console
that they all fall into by default, and then they just need to use
"^ec;" to switch to another console.  kinda different, but doable, in my
opinion.  it's not a 100% solution, but it's close (in addition i'd say
they should all be "limited" users (in conserver.cf terms), but then you
wouldn't be able to switch consoles).

aside from that, i'm not sure what else to offer.

Bryan

On Fri, Jul 21, 2006 at 08:28:16AM -0400, Josh Lothian wrote:
> We're using RSA SecurID fobs here for all sorts of authentication.  We'd
> like to use them with conserver via PAM.  However, looking at the logs,
> it seems like conserver is trying to authenticate twice in quick
> succession.  The first one succeeds, but the second one fails - hence
> the "one time" password.  Any way to disable this?  
> 
> -jkl
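
The following toy model is an added example, not part of the thread and not conserver code. It reproduces the sequence the reply describes (prompt at the master, silent retry with the cached password at the console-managing process, rejection, second prompt) and the effect of skipping authentication on the master. The hop names, class names and codes are assumptions made up for the illustration.

```python
# Toy model of the login flow described in the thread. Not conserver code:
# hop names, classes and codes below are constructed for illustration.

class OneTimeVerifier:
    """Stands in for a PAM one-time-password backend: a code works once."""
    def __init__(self, codes):
        self.unused = set(codes)

    def check(self, code):
        if code in self.unused:
            self.unused.remove(code)   # consumed; a replay will be rejected
            return True
        return False

class StaticVerifier:
    """Stands in for an ordinary reusable password."""
    def __init__(self, password):
        self.password = password

    def check(self, code):
        return code == self.password

def connect(verifier, prompt, hops=("master", "console-manager"), skip=()):
    """Walk the hops like a caching client; return [(hop, source, result)]."""
    cached, log = None, []
    for hop in hops:
        if hop in skip:                # model of "skip password stuff" on a hop
            log.append((hop, "none", "skipped"))
            continue
        if cached is not None:         # silent retry with the cached secret
            ok = verifier.check(cached)
            log.append((hop, "cached", "ok" if ok else "rejected"))
            if ok:
                continue
        cached = prompt()              # ask the user for a secret
        ok = verifier.check(cached)
        log.append((hop, "prompt", "ok" if ok else "rejected"))
        if not ok:
            break
    return log

def run(verifier, secrets, **kw):
    feed = iter(secrets)               # constructed user input
    return connect(verifier, lambda: next(feed), **kw)

if __name__ == "__main__":
    for entry in run(OneTimeVerifier({"111111", "222222"}), ["111111", "222222"]):
        print(entry)
```

With a reusable password the cached retry succeeds and the user sees one prompt; with a one-time code the retry is the rejected second attempt that shows up in the PAM logs.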