You use OpenOTP 1.1 and if you do not set the password_mode parameter
(or set password_mode=0) in the PAM SSH config, the plugin will use
the new OpenOTP SimpleLogin API.
In this mode, OpenOTP assumes LDAP or OTP or LDAPOTP login mode -
automatically depending on the user configuration.
So the PAM plugin asks for "Password:" as it can be a LDAP or OTP
password.
If you need the old behavior (LDAPOTP with LDAP first and OTP in a
challenge), then you can set password_mode=1 in the PAM SSH config.
The PAM source code is :
/* ask for password */
if (pam_password == NULL) {
/* ask for a password */
/* pam_info(pamh, WELCOME_MSG); */
if (password_mode == 0) retval = pam_converse(pamh, "Password:
", &pam_password);
else if (password_mode == 1) retval = pam_converse(pamh, "LDAP
Password: ", &pam_password);
else if (password_mode == 2) retval = pam_converse(pamh, "OTP
Password: ", &pam_password);
else if (password_mode == 3) retval = pam_converse(pamh, "LDAP
+OTP Passwords: ", &pam_password);
else if (password_mode == 4) retval = pam_converse(pamh, "OTP
+LDAP Passwords: ", &pam_password);
else retval = pam_converse(pamh, "OTP+LDAP Passwords: ",
&pam_password);
if (retval != PAM_SUCCESS || pam_password == NULL) {
DLOG(LOG_ERR, "%sCould not get user password for user %s",
LOG_PREFIX, pam_user);
pam_set_result(pamh, retval);
return retval;
}
}
On Mar 1, 3:49 pm, Jibé <
jb.charpent...@gmail.com> wrote:
> Hi,
> Since I have upgraded libopenotp to 1.0.7-1 and pam_openotp to 1.0.6 I have
> find the following difference with my older version:
> when a user login the ssh sequence is the following :
>
> login as: user_a
> Access denied
> Using keyboard-interactive authentication.
> *Password*:
> Using keyboard-interactive authentication.
> Entrer votre TOKEN one-time password:
>
> With previous version pam module ask for LDAP Password and not just
> Password:
>
> login as: user_a
> Access denied
> Using keyboard-interactive authentication.
> *LDAP Password*: