On Tue, Jan 26, 2010 at 04:34:56PM -0800, walt wrote:
> After thinking awhile I realized that pam can be used to
> combine multiple forms of authentication to reduce the well
> documented risk of single-factor authentication (like our
> traditional password system).
>
> Example: if I have an ordinary password, plus an ssh key
> stored on a USB stick, plus a biometric device like an
> eye scanner or a fingerprint scanner, I can then use any
> or all of those methods to identify myself to the system
> by configuring pam in the appropriate way.

Yes. First look at the PAM configuration section of this:

http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader#Login_via_pam_bioapi

Now if instead of having

    auth sufficient pam_unix.so ...
    auth sufficient pam_bioapi.so ...

which says that either password log-in OR fingerprint scanner is
enough, you change the first line to "auth required ...", per the
docs

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-configuration-file.html

you will then have a behaviour where BOTH password and fingerprint
are involved.

I think PAM is a Pretty Good Idea and its implementation is Very
Cool, but I also think it is completely unnecessary on _my_ laptop.

Cheers,

W
--
Willie W. Wong ww...@math.princeton.edu
Data aequatione quotcunque fluentes quantitae involvente fluxiones invenire et vice versa ~~~ I. Newton
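
How the `required` and `sufficient` control flags named in this message combine, as an added example that is not part of the original e-mail: a simplified Python model of Linux-PAM's stack evaluation for the keyword controls, with module results supplied as booleans and module arguments omitted. The third stack (both lines `required`) is an assumption added for comparison.

```python
"""Simplified model of how Linux-PAM combines control flags in one auth stack.
No real PAM module is called; only keyword controls are modelled."""
from itertools import product

# control keyword -> (action on module success, action on module failure)
ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

def evaluate(stack, results):
    """stack: list of (control, module); results: module -> bool. True = authenticated."""
    impression = None  # None = undecided, True = positive, False = negative
    for control, module in stack:
        action = ACTIONS[control][0 if results[module] else 1]
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression = True
            if action == "done" and impression:
                break          # sufficient success with no earlier failure: stop
        else:                  # "bad" or "die"
            impression = False
            if action == "die":
                break          # requisite failure: stop immediately
    return impression is True  # a stack that never decided fails

def accepted(stack):
    """Set of per-module result tuples (in stack order) that the stack accepts."""
    mods = [m for _, m in stack]
    return {combo for combo in product((False, True), repeat=len(mods))
            if evaluate(stack, dict(zip(mods, combo)))}

# Constructed stacks based on the two lines quoted in the message.
EITHER = [("sufficient", "pam_unix.so"), ("sufficient", "pam_bioapi.so")]
FIRST_REQUIRED = [("required", "pam_unix.so"), ("sufficient", "pam_bioapi.so")]
BOTH_REQUIRED = [("required", "pam_unix.so"), ("required", "pam_bioapi.so")]  # assumption

if __name__ == "__main__":
    for name, stack in [("either", EITHER), ("first required", FIRST_REQUIRED),
                        ("both required", BOTH_REQUIRED)]:
        print(f"{name:15} accepts (password, fingerprint): {sorted(accepted(stack))}")
```

In this model a passed `required` line followed by a failed `sufficient` line still succeeds, so it is worth listing the accepted combinations for the full stack, including any lines that follow these two, before relying on it.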