Hi Berry, On Wed, May 22, 2019 at 08:47:25AM +0000, van Sleeuwen, Berry wrote: > > I didn't configure anything in pam. I added .ssh/authorized_keys for my user > and then configured putty (pagent) to use my smartcard.
Ok... I am not sure how putty uses the smartcard and which configuration is required on the SSH server side. > But you do point me to the reason the login differs between ssh and > iucvconn. The ssh login uses my stored .ssh/authorized_keys but when we use > iucvconn we are outside ssh. You are right. iucvconn connects to the hvc terminal device (or iucvtty instance). It finally depends which "login" program runs on the terminal to offer authentication. In typical installations, this will be agetty which a PAM service configuration for authentication, authorization, and session management. > > So the question is what to configure to use this outside ssh? We have the > authorized_keys available for the user but in some way this now should be > used outside of ssh. Or should we use a different authentication method when > connecting to iucv based terminals? >From my perspective, check the the PAM configuration for the SSH server and the common-auth* PAM configuration files in /etc/pam.d/. For example, you might have a look at pam-oath which handles OTP tokes for 2FA (never tried that so far). Thanks and kind regards, Hendrik -- Hendrik Brueckner brueck...@linux.ibm.com | IBM Deutschland Research & Development GmbH Linux on z Systems Development | Schoenaicher Str. 220, 71032 Boeblingen IBM Deutschland Research & Development GmbH Vorsitzender des Aufsichtsrats: Matthias Hartmann Geschäftsführung: Dirk Wittkopp Sitz der Gesellschaft: Böblingen Registergericht: Amtsgericht Stuttgart, HRB 243294 ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390