Multiple passwords for ftp/ssh

Jake Scott jake at poptart.org
Thu Mar 17 14:16:08 PST 2005


Hi.

I've just configured a new 5.3-Stable system to use nss_ldap and 
pam_ldap.  It's all working very well.  However, I'd like users to have 
two passwords - one for logging into services over encrypted links and 
one for unencrypted links - eg. one for ssh/imaps and another for 
http/imap/ftp.

I've created a new LDAP object class that provides a new attribute 
(insecurePassword).  nss_ldap is configured with a rootbinddn, and 
"nss_map_attribute  userPassword insecurePassword".  Now, getent() as 
root returns the insecurePassword for users.

So - I've got sshd's PAM config using pam_ldap and pam_unix, and ftp's 
PAM config just using pam_unix.  This means that when a user logs in via 
FTP, they must use the password stored in the insecurePassword 
attribute.  When logging in via SSH, they can use the password in the 
userPassword attribute (authenticated via an LDAP bind operation in 
pam_ldap).

The problem is that a user can also use their insecure password via ssh 
because I need pam_unix in the PAM chain so that users in the local 
password file can also log in.  What I'd like, is for a user in the LDAP 
directory to only be able to log in using their secure (userPassword) 
password.  It would be good if I could make the PAM chain stop if the 
presented password doesn't match the userPassword attribute - but to 
continue if that's because the user isn't in the directory.

Does anyone know if there's a way I can do this - or is there a better 
way to achieve this?


Many thanks in advance


Jake
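The two PAM chains described in the message, written out as an illustrative configuration. This is added here and is not the poster's actual configuration: the module paths follow the FreeBSD 5.x layout with pam_ldap from ports under /usr/local/lib, and the exact line set (the default FreeBSD sshd and ftpd files carry more entries, such as pam_opie and pam_nologin) is reduced to what the question is about. The comments describe the OpenPAM control-flag semantics that produce the behaviour the poster sees.

```text
# /etc/pam.d/sshd   (illustrative; pam_ldap first, pam_unix as fallback)
#
# "sufficient": if pam_ldap's bind against userPassword succeeds, the auth
# chain stops here with success.  If the bind fails, whether because the
# password is wrong or because the user is not in the directory at all,
# PAM cannot tell the two apart and simply continues to the next line.
auth     sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
#
# "required": pam_unix compares the password with the hash getpwnam(3)
# returns.  For local users that comes from master.passwd; for LDAP users
# nss_ldap (rootbinddn + nss_map_attribute) serves the insecurePassword
# hash here, so an LDAP user who failed the bind above still gets in with
# the insecure password.  This is the fall-through the message describes.
auth     required    pam_unix.so                  no_warn try_first_pass

account  required    pam_unix.so

# /etc/pam.d/ftpd   (illustrative; pam_unix only, so only insecurePassword
#                    ever works here for directory users)
auth     required    pam_unix.so                  no_warn try_first_pass
account  required    pam_unix.so
```

The crux of the question is visible in the sshd chain: by the time control reaches pam_unix, nothing in the stack records whether pam_ldap failed because of a bad password or because of a missing user, and pam_unix itself has no way to distinguish an entry that came from the local file from one that nss_ldap synthesised. Any control flag placed on these two lines alone (required, requisite, sufficient, optional, binding in OpenPAM) can only act on pass/fail, not on the reason for failure.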



More information about the freebsd-isp mailing list