OTP feature for /bin/login

ralda at gmx.de
Tue May 8 18:24:34 UTC 2012


Hi Rich!

> The very fact that we're having a discussion about the redesign of
> this OTP system on the busybox list seems like proof enough that it's
> a very specialized need that does not belong on busybox.

Ok, this is an argument that hits.

... but what about a (not pam related) hook feature to add extra
authentication via a script (owned by root and only read/executable
by root)? That way this script may implement any special requirements to
authenticate the provided secret. The hook shall only trigger when
enabled via /etc/passwd or /etc/shadow (let's say by a special passwd
entry - may be the name of the hook script with full path = leading
slash). That way only accounts configured for special authentication
trigger this feature. All other accounts (the default) are more
protected (thinking of system and daemon users). In addition, by providing
the hook script name as passwd entry it is possible to have different
authentication methods on a single system, depending on name of user
account.

... this would be a low-intrusive enhancement of Busybox to allow
alternate authentications without the need to enable the full pam api.

Just as an idea (the way I would like to go).

--
Harald
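
The rule proposed above (a passwd field with a leading slash selects a hook script, which must be owned by root and readable/executable only by root) could be checked as follows before the script is run. This is an added example, not part of the original post or of BusyBox code; `hook_path_from_pwfield`, `open_trusted_hook` and the `required_owner` parameter are hypothetical names, and parent-directory permissions are not checked here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L	/* for O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* A password field selects a hook only when it starts with '/';
 * anything else (a normal hash, "x", "*", "!") is not a hook. */
static const char *hook_path_from_pwfield(const char *pw_field)
{
	return (pw_field && pw_field[0] == '/') ? pw_field : NULL;
}

/* Returns an open fd on the hook script if it passes the checks, else -1.
 * required_owner is 0 (root) in real use; it is a parameter only so the
 * check can be exercised without privileges. */
static int open_trusted_hook(const char *pw_field, uid_t required_owner)
{
	const char *path = hook_path_from_pwfield(pw_field);
	struct stat st;
	int fd;

	if (!path)
		return -1;
	/* O_NOFOLLOW: refuse a symlink as the final path component */
	fd = open(path, O_RDONLY | O_NOFOLLOW);
	if (fd < 0)
		return -1;
	/* fstat() the opened file, not the path, so the file cannot be
	 * swapped between the check and its later use */
	if (fstat(fd, &st) != 0
	 || !S_ISREG(st.st_mode)			/* regular file only */
	 || st.st_uid != required_owner		/* owned by root */
	 || (st.st_mode & (S_IRWXG | S_IRWXO))	/* no group/other access */
	 || !(st.st_mode & S_IXUSR)		/* owner may execute */
	) {
		close(fd);
		return -1;
	}
	return fd;
}
```

Accounts whose password field does not begin with a slash never reach the `open()` call, which matches the intent that system and daemon users are unaffected by the hook.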

