Dual Authentication using Linux

Dual Authentication working with VAS or else an explanation as to why it is not possible.

Our understanding of dual authentication derives from the remarks on p. 56 of the Vintela Authentication Services 3.3.2 Solutions Guide, in the section Mapped User Mode. These remarks refer to PAM and state:

"Though not the default configuration, you can configure a system to allow
mapped local accounts to be able to authenticate with either their old system
account password or the password of the Active Directory account to which they
are mapped. To do this, modify your system's PAM configuration. You will see
the pam_vas3 module configured near the top of the PAM stack. The module
configuration should consist of two lines:

    auth sufficient pam_vas3.so create_homedir get_nonvas_pass
    auth requisite pam_vas3.so echo_return

To allow authentication with both passwords, remove the second line."

On customer systems (Red Hat Enterprise Linux AS 4) this does not work. PAM logging shows no evidence that the local user password is looked up. We log in only via ssh (Quest OpenSSH version 4.7p1_q1.217). At present all logins are from a Linux jump host to the desired host. Does this require any special configuration? PAM configs suggest that authentication is passed to system-auth. While dual authentication is not part of our long-term solution, it has been requested by users as a prerequisite for migration, and our failure to get it working is holding us up. Thanks

  • We are transitioning from a local Kerberos realm with NIS for account names to VAS Kerberos with LDAP. The system-auth file below seems to work OK with both systems:

    # auth stack: pam_vas3 first, then local passwords (pam_unix), then the old Kerberos realm (pam_krb5)
    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    pam_vas3.so create_homedir get_nonvas_pass
    auth        requisite     pam_vas3.so echo_return
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
    auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so

    account     sufficient    pam_vas3.so
    account     requisite     pam_vas3.so echo_return
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
    account     required      /lib/security/$ISA/pam_permit.so

    password    sufficient    pam_vas3.so
    password    requisite     pam_vas3.so echo_return
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
    password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so

    session     required      /lib/security/$ISA/pam_limits.so
    session     required      pam_vas3.so create_homedir
    session     requisite     pam_vas3.so echo_return
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so
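To make the control-flow argument in the question and the answer's system-auth concrete, here is an added example (not code from the original post, from the Quest/VAS product, or from Linux-PAM) that simulates how a Linux-PAM auth stack evaluates the required, requisite and sufficient control flags over the auth lines shown above. It assumes, for illustration only, that pam_vas3 returns PAM_AUTH_ERR when a mapped user's password fails against Active Directory and that the echo_return line simply re-reports the first pam_vas3 line's result; the module outcomes are constructed scenarios, not observed results. What it shows is that with the requisite echo_return line in place a VAS failure ends the stack before pam_unix is ever called, which matches PAM logs that never show a local password lookup, whereas removing that line lets the same typed password fall through to pam_unix (which reuses it via use_first_pass).

```python
"""Simulate Linux-PAM `auth` stack control flow to show why the
`requisite pam_vas3.so echo_return` line stops pam_unix from ever
seeing a mapped user's old local password.

Added example; not from the original post, Quest/VAS, or Linux-PAM.
The return codes attributed to pam_vas3 below are assumptions."""

SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# Auth stack as posted on the page: (control, module, args).
STACK_VAS_ONLY = [
    ("required",   "pam_env.so",  ()),
    ("sufficient", "pam_vas3.so", ("create_homedir", "get_nonvas_pass")),
    ("requisite",  "pam_vas3.so", ("echo_return",)),
    ("sufficient", "pam_unix.so", ("likeauth", "nullok", "use_first_pass")),
    ("sufficient", "pam_krb5.so", ("use_first_pass",)),
    ("required",   "pam_deny.so", ()),
]
# The Solutions Guide's dual-authentication variant: second pam_vas3 line removed.
STACK_DUAL = [line for line in STACK_VAS_ONLY if "echo_return" not in line[2]]


def run_auth_stack(stack, outcomes):
    """Walk the stack with classic Linux-PAM control-flag semantics.

    outcomes maps module name -> return code of its authenticate call.
    Returns (final_result, list of lines actually consulted)."""
    consulted = []
    required_failed = False   # a 'required' line failed; keep going but fail at the end
    decided_ok = False        # some required/requisite line succeeded
    first_vas_rc = None
    for control, module, args in stack:
        if module == "pam_vas3.so" and "echo_return" in args:
            # ASSUMPTION: echo_return re-reports the first pam_vas3 call's result
            # without re-authenticating, so it has no outcome entry of its own.
            rc = IGNORE if first_vas_rc is None else first_vas_rc
        else:
            rc = outcomes.get(module, IGNORE)
            if module == "pam_vas3.so":
                first_vas_rc = rc
        consulted.append(f"{control} {module}")

        if rc == IGNORE:                 # PAM_IGNORE: the line contributes nothing
            continue
        if control == "sufficient":
            if rc == SUCCESS and not required_failed:
                return SUCCESS, consulted  # short-circuit success
            continue                       # a failing 'sufficient' is ignored
        if control == "requisite":
            if rc != SUCCESS:
                return rc, consulted       # short-circuit failure: nothing below runs
            decided_ok = True
        elif control == "required":
            if rc != SUCCESS:
                required_failed = True
            else:
                decided_ok = True
        # 'optional' lines never change the result when other lines exist
    if required_failed or not decided_ok:
        return AUTH_ERR, consulted
    return SUCCESS, consulted


# Constructed scenario: a mapped user types the OLD local password.
# pam_vas3 rejects it against AD (assumed); pam_unix would accept it from /etc/shadow.
OLD_LOCAL_PASSWORD = {
    "pam_env.so":  IGNORE,     # pam_env does nothing in the auth phase
    "pam_vas3.so": AUTH_ERR,   # assumed: AD password check fails
    "pam_unix.so": SUCCESS,    # local hash matches
    "pam_krb5.so": AUTH_ERR,
    "pam_deny.so": AUTH_ERR,
}
# Constructed scenario: the same user types the Active Directory password.
AD_PASSWORD = dict(OLD_LOCAL_PASSWORD, **{"pam_vas3.so": SUCCESS, "pam_unix.so": AUTH_ERR})


def consults_pam_unix(stack, outcomes):
    """True if pam_unix is ever called, i.e. the local password is looked up."""
    return any(m.endswith("pam_unix.so") for m in run_auth_stack(stack, outcomes)[1])


if __name__ == "__main__":
    for name, stack in (("as shipped", STACK_VAS_ONLY), ("dual auth", STACK_DUAL)):
        for label, outcomes in (("old local password", OLD_LOCAL_PASSWORD),
                                ("AD password", AD_PASSWORD)):
            result, path = run_auth_stack(stack, outcomes)
            print(f"{name:10} / {label:18}: {result:12} via {' -> '.join(path)}")
```

Running it prints the module path for each combination; the "as shipped / old local password" line ends at the requisite pam_vas3 line, which is why nothing about pam_unix appears in the PAM log. If the dual-auth form is enabled, remember that the account then accepts whichever of its two passwords is weaker, and Active Directory lockout and password policy do not protect the local hash in /etc/shadow.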