[OpenIndiana-discuss] PAM risk based authentication?
James Carlson
carlsonj at workingcode.com
Fri Dec 11 12:53:16 UTC 2015
On 12/11/15 4:08 AM, Stefan Müller-Wilken wrote:
> Well, also an approach, but restricted to SSH only. My requirement is to conditionally include PAM modules, so tuning httpd will not suffice, I'm afraid. But thanks for the idea!
I don't think the PAM stack itself can be conditional, but the modules
in the stack can do conditional processing. If you have a second-factor
authentication mechanism included in the stack and listed as
"requisite", then it can do the address range checking work and (if the
address is OK) return success to continue the authentication process or
(if the address is suspicious) perform additional authentication and
deny immediately if bad.
I haven't used it, but there's a module called "pam_shield" that might
be a good starting point on building such a beast.
--
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>
More information about the openindiana-discuss
mailing list