Control: tags -1 +patch Here's a patch that, I think, may fix that problem.
--- pam_oath/pam_oath.c.orig 2015-12-15 00:15:32.070364666 -0500
+++ pam_oath/pam_oath.c 2015-12-15 00:15:33.462364695 -0500
@@ -72,6 +72,7 @@
 char *usersfile;
 unsigned digits;
 unsigned window;
+ int missingok;
 };
 static void
@@ -86,6 +87,7 @@
 cfg->usersfile = NULL;
 cfg->digits = -1;
 cfg->window = 5;
+ cfg->missingok = 0;
 for (i = 0; i < argc; i++)
 {
@@ -103,6 +105,8 @@
 cfg->digits = atoi (argv[i] + 7);
 if (strncmp (argv[i], "window=", 7) == 0)
 cfg->window = atoi (argv[i] + 7);
+ if (strcmp (argv[i], "missingok") == 0)
+ cfg->missingok = 1;
 }
 if (cfg->digits != 6 && cfg->digits != 7 && cfg->digits != 8)
@@ -126,6 +130,7 @@
 D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
 D (("digits=%d", cfg->digits));
 D (("window=%d", cfg->window));
+ D (("missingok=%d", cfg->missingok));
 }
 }
@@ -312,7 +317,7 @@
 oath_strerror (rc), ctime (&last_otp)));
 }
- if (rc != OATH_OK)
+ if (rc != OATH_OK && !(cfg->missingok && rc == OATH_UNKNOWN_USER))
 {
 DBG (("One-time password not authorized to login as user '%s'", user));
 retval = PAM_AUTH_ERR;
--- pam_oath/README.orig 2015-12-15 00:18:18.886368111 -0500
+++ pam_oath/README 2015-12-15 00:18:07.298367872 -0500
@@ -224,6 +224,9 @@
 "window": Specify search depth, an integer typically from 5 to 50 but other values can be useful too.
+ "missingok": If specified, users missing from the "usersfile" will be
+ considered authentified.
+
 SSH Configuration
 -----------------
Feedback/testing welcome. -- Thoughtcrime does not entail death: thoughtcrime IS death. - Winston Smith, 1984
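Review bot: The `missingok` exception added at `@@ -312,7 +317,7 @@` makes the module fail open, because an `OATH_UNKNOWN_USER` result now skips the `PAM_AUTH_ERR` branch and continues to whatever the code below the hunk returns. If that is `PAM_SUCCESS` and pam_oath is stacked as `sufficient` or is the only auth module, any account absent from the usersfile is accepted regardless of what was typed at the OTP prompt. Returning `PAM_IGNORE` for this case would leave the decision to the rest of the stack, for example `if (cfg->missingok && rc == OATH_UNKNOWN_USER) retval = PAM_IGNORE;` handled ahead of the existing `rc != OATH_OK` test. The skip is also only visible through `DBG`, so it should be logged outside debug mode to keep unenrolled logins auditable. The function continues past the end of the hunk, so the exit path needs checking against the full file.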