To build this package you will probably need Wietse Venema's original
logdaemon package if you are on a system without libskey (like Linux).
However, this package will try to use the system libskey as well as Yuri
Yudin's S/Key package. You should have a functional `libskey.a' or
`' (library containing some of the functions we are using) and the
other required utilities (`keyinfo', `keyprint', `skeyaccess', `key',
`keyinit'), as you normally would.
Configuring and making
The next step is to run the `configure' script, which will try to determine
the parameters of your system. Use `--with-skey-inc=PATH_TO_SKEY_INCLUDES' and
`--with-skey-lib=PATH_TO_SKEY_LIBRARY' to specify where to find a valid
S/Key installation if it is not in the standard paths. For example:
./configure --prefix=/usr/local --with-skey-inc=../logdaemon-5.8/skey \
It will test various aspects of include files, libraries and library calls,
and trace potential problems. It should leave a valid Makefile afterwards
for make.
If you did not specify a prefix with `--prefix=PATH', the default
installation path will be `/usr/lib/security'. `' and `' should reside
there, as well as symlinks to them ending in the `.so' suffix.
If you did all this successfully, it is now time to set up your
local PAM configuration files. They can be either pam.conf or
pam.d/<service>, depending on the PAM implementation. I am including examples
of standard PAM module stacking. For detailed module options, check
chapter `Options'.
su auth sufficient
su auth required
su auth required try_first_pass
auth requisite
auth requisite
auth required
auth sufficient
auth requisite
auth required try_first_pass
For a more detailed description, check the local pam manpages.
NOTE: Solaris does not accept option `use_first_pass' for the `'
module if it is not `optional'. Beware. As a solution, simply specify
`try_first_pass', and if skey fails, it will prompt for the password again.
Fine tuning
If you want to be sure that people who do not fall within the range of
addresses mentioned in skey.access use S/Keys, you can set it up this way:
1) enter correct ACLs in skey.access
2) turn off access check for (turned off by default)
3) make requisite/required module *after*
This way you will get this behavior: all people can use S/Keys, since
they are not checked against the ACL. If someone uses a plaintext password,
will fail and control will be given to the next module (since is sufficient,
but not required). The next module - - will check the ACL, and if it fails,
the complete pam_auth process will fail, and plaintext password from host
that is denied will
That is an emulation of the original behavior of Venema's skeylogin that
most people have been using.
NOTE: You do not have to use if you do not plan to
check ACLs.
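
The stacking described in this section can be modeled in a few lines. This Python sketch is an added example, not code from the package: the three module functions are hypothetical stand-ins, the addresses and credentials are constructed, and only the `sufficient`, `requisite` and `required` control flags are implemented.

```python
import ipaddress

# Constructed sample data (not from the package).
ALLOWED_NET = ipaddress.ip_network("192.0.2.0/24")   # hosts the ACL permits
CURRENT_OTP = "SAMPLE ONE TIME WORD LIST"            # made-up S/Key response
UNIX_PASSWORD = "sample-plaintext-password"

def skey_module(ctx):        # stand-in for the S/Key module, access check off
    return ctx["response"] == CURRENT_OTP

def acl_module(ctx):         # stand-in for the module that checks skey.access
    return ipaddress.ip_address(ctx["host"]) in ALLOWED_NET

def unix_module(ctx):        # stand-in for the password module, try_first_pass
    return ctx["response"] == UNIX_PASSWORD

STACK = [("sufficient", skey_module),
         ("requisite", acl_module),
         ("required", unix_module)]

def run_stack(stack, ctx):
    """Evaluate an auth stack with PAM's sufficient/requisite/required rules."""
    required_failed = False
    passed = False
    for control, module in stack:
        ok = module(ctx)
        if control == "sufficient":
            if ok and not required_failed:
                return True              # success ends the stack; ACL never runs
        elif control == "requisite":
            if not ok:
                return False             # failure ends the stack immediately
            passed = True
        elif control == "required":
            if ok:
                passed = True
            else:
                required_failed = True   # remember the failure, keep running
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return passed and not required_failed

def login(host, response):
    return run_stack(STACK, {"host": host, "response": response})

if __name__ == "__main__":
    for host, resp in [("203.0.113.7", CURRENT_OTP), ("203.0.113.7", UNIX_PASSWORD),
                       ("192.0.2.10", UNIX_PASSWORD), ("192.0.2.10", "guess")]:
        print(host, "OTP" if resp == CURRENT_OTP else "password", login(host, resp))
```

Only the second case, a plaintext password from a host outside the ACL, is stopped by the ACL module; the last case is rejected by the password module.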
This module understands the following options, which can be specified in
the PAM configuration files:
debug            - Turns on debugging output through syslog() calls
echo=off         - Turns off PAM_ECHO, service will not show passwd
                   on screen when typing. By default is this option
echo=on          - Inverse of the above option
access_check=on  - Checks S/Key access through skeyaccess() call,
                   it will check keyaccess file
access_check=off - Obviously, inverse of the above option. By
                   default is this option used.
use_first_pass   - Helpful for stacking PAM modules, it will try to
                   use passwd string from previous module if it
try_first_pass   - Alias for the above
only_one_try     - It allows only one password try per PAM session
See COPYING file.