Bastian Tweddell wrote:
> On 17Jan23 17:33+0000, Howard Chu wrote:
> > Sounds more like a question for your SSH server, and whether you can configure it to
> > use PAM after a successful pubkey authentication.
>
> Yes, PAM is enabled for sshd.
>
> I do not have the full picture of how slap-totp works. For me, there are two
> open questions:
>
> 1. From openldap pov: How would I make the bind call to slapd, so that only
> the TOTP is checked?
If you're talking about the totp module in the contrib source directory, all you need
to do is a normal LDAP Simple Bind. LDAP modules for PAM would do this already.
> Would the following be sufficient to achieve 2FA only:
>
> ```ldif
> userPassword: {TOTP512}$BASE64
> # assuming the overlay is configured properly
> ```
Yes.
> Would it be possible to use another attribute than `userPassword`?
Not with the existing code, no.
> 2. PAM integration: This is not a question for this group here, but maybe
> there are some related ideas. How or which PAM module can be used?
nss-pam-ldapd / nslcd, whatever the latest supported version is.
> The aim is to avoid copying the TOTP secret of users to the local
> systems (which are the publicly accessible hosts).
>
> Many thanks,
> Cheers,
> --
> Bastian Tweddell           Juelich Supercomputing Centre
> phone: +49 (2461) 61-6586  HPC in Neuroscience, HPS
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
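As an added illustration (not code from the OpenLDAP contrib totp module, and not from either poster), here is what the server side of the bind described above amounts to: the stored `{TOTP512}$BASE64` value is parsed, and the password sent in the LDAP Simple Bind is compared against RFC 6238 TOTP codes for the current time step. The TOTP1/TOTP256/TOTP512 scheme-to-hash mapping, the base64 encoding of the raw key, and the 30-second step, 6-digit and ±1-step window defaults are assumptions made for this example, not the module's documented behaviour; the example secret is the RFC 6238 Appendix B SHA-512 test seed so the output can be checked against the RFC's table.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Scheme tag -> HMAC hash. {TOTP512} is the tag quoted in the thread; the
# TOTP1/TOTP256 tags and base64 encoding of the raw key are assumptions.
_SCHEMES = {
    "TOTP1": hashlib.sha1,
    "TOTP256": hashlib.sha256,
    "TOTP512": hashlib.sha512,
}


def make_stored_value(secret: bytes, scheme: str = "TOTP512") -> str:
    """Build a userPassword-style value: {SCHEME}<base64 of the raw secret>."""
    if scheme not in _SCHEMES:
        raise ValueError(f"unknown scheme {scheme}")
    return "{" + scheme + "}" + base64.b64encode(secret).decode("ascii")


def parse_stored_value(value: str):
    """Split {SCHEME}base64 into (hash constructor, raw secret bytes)."""
    if not value.startswith("{") or "}" not in value:
        raise ValueError("not a {SCHEME}... value")
    scheme, _, b64 = value[1:].partition("}")
    if scheme not in _SCHEMES:
        raise ValueError(f"unsupported scheme {scheme}")
    return _SCHEMES[scheme], base64.b64decode(b64, validate=True)


def hotp(secret: bytes, counter: int, algo, digits: int) -> str:
    """RFC 4226 HOTP with dynamic truncation, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, algo, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(at / step)."""
    return hotp(secret, at // step, algo, digits)


def verify_bind_password(stored: str, submitted: str, now: Optional[int] = None,
                         step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Check the code sent as the simple-bind password against the stored secret.

    Accepts the current step plus `window` steps either side to tolerate clock
    skew. Step, digits and window defaults are assumptions for this example.
    """
    algo, secret = parse_stored_value(stored)
    now = int(time.time()) if now is None else now
    counter = now // step
    submitted_b = submitted.encode("utf-8")
    ok = False
    for skew in range(-window, window + 1):
        c = counter + skew
        if c < 0:
            continue
        # Constant-time compare, and keep looping so the timing does not
        # reveal which step (if any) matched.
        if hmac.compare_digest(hotp(secret, c, algo, digits).encode("utf-8"), submitted_b):
            ok = True
    return ok


# Constructed example secret: the RFC 6238 Appendix B seed for HMAC-SHA512
# (64 ASCII bytes), so the codes can be checked against the RFC's table.
RFC6238_SHA512_SEED = b"1234567890123456789012345678901234567890123456789012345678901234"
EXAMPLE_STORED = make_stored_value(RFC6238_SHA512_SEED, "TOTP512")

if __name__ == "__main__":
    # RFC 6238 lists 90693936 for SHA-512 at T=59 with 8 digits.
    print(EXAMPLE_STORED)
    print(totp(RFC6238_SHA512_SEED, hashlib.sha512, 59, digits=8))
    print(verify_bind_password(EXAMPLE_STORED, "90693936", now=59, digits=8))
```

In the setup discussed in the thread, the PAM side (nslcd) would perform exactly this simple bind with the code the user types as the password, so the shared secret only ever lives in the directory entry and never has to be copied to the publicly reachable hosts.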