The OPIE authentication service module for PAM,
provides functionality for only one PAM category:
that of authentication.
In terms of the
module-type
parameter, this is the
``auth
''
feature.
It also provides a null function for session management.
Note that this module does not enforce
opieaccess(5)
checks.
There is a separate module,
pam_opieaccess8,
for this purpose.
OPIE Authentication Module
The OPIE authentication component
provides functions to verify the identity of a user
(Fn pam_sm_authenticate
)
which obtains the relevant
opie(4)
credentials.
It provides the user with an OPIE challenge,
and verifies that this is correct with
opiechallenge(3).
The following options may be passed to the authentication module:
debug
syslog(3)
debugging information at
LOG_DEBUG
level.
auth_as_self
This option will require the user
to authenticate himself as the user
given by
getlogin(2),
not as the account they are attempting to access.
This is primarily for services like
su(1),
where the user's ability to retype
their own password
might be deemed sufficient.
no_fake_prompts
Do not generate fake challenges for users who do not have an OPIE key.
Note that this can leak information to a hypothetical attacker about
who uses OPIE and who does not, but it can be useful on systems where
some users want to use OPIE but most do not.
Note that
ignores the standard options
try_first_pass
and
use_first_pass
since a challenge must be generated before the user can submit a valid
response.
