# What happened to FreeBSD's PAM pam_stack module?



## Chris236 (Dec 7, 2018)

Around 2000 or so, FreeBSD had a PAM module `pam_stack.so`. This executed another PAM stack and returned its result as its own.

Apparently later, FreeBSD moved to OpenPAM - which does not have it. OpenPAM has the `include ...` statement - but that is not the same; it only covers a small subset of the functionality possible with pam_stack.so. The main difference is that include has no control flag but works somewhat like `require pam_stack.so ...`, while other control flags are not possible. Another difference is that modules in an include statement break or finalize to the end of the main chain, while those in substacks only break or finalize to the end of the substack.

Linux also had and removed `pam_stack.so` - but they replaced it with `include` and `substack`.

So... what am I supposed to use in place of `pam_stack.so`?

Background: I want to implement ssh authentication with a 2-factor provider - but only for remote users. Local users should be able to use ssh normally.

With pam_stack this seems doable:


```
# /etc/pam.d/remotessh
auth    requisite     login_access.so  .....   # this fails when the user is local
auth    required      pam_my2fa.so ...

# /etc/pam.d/sshd
auth    sufficient    pam_stack.so service=remotessh
auth    required      pam_unix.so
```

How can I do that with today's OpenPAM?


----------
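An added example, not part of the original post or of any PAM implementation: a small Python model of control-flag evaluation applied to the layout posted above, so the outcome for each kind of login can be checked. It assumes the usual `required` / `requisite` / `sufficient` rules, that `pam_stack.so` returns the result of the chain it runs (as the post describes), and that `login_access.so` succeeds only for remote users; the per-login module results are constructed.

```python
"""Toy model of PAM chain evaluation for the layout in the post (simplified)."""

# (control flag, module, argument) triples copied from the posted configuration.
STACKS = {
    "remotessh": [("requisite", "login_access.so", None),
                  ("required", "pam_my2fa.so", None)],
    "sshd": [("sufficient", "pam_stack.so", "remotessh"),
             ("required", "pam_unix.so", None)],
}

def run_stack(service, results, trace):
    """Return True if the chain for `service` succeeds.

    results: module name -> bool, the constructed outcome of each module.
    trace:   list that collects the modules actually invoked, in order.
    """
    failed = False
    for flag, module, arg in STACKS[service]:
        if module == "pam_stack.so":
            # Assumption from the post: run another chain, return its result.
            ok = run_stack(arg, results, trace)
        else:
            trace.append(module)
            ok = results[module]
        if ok:
            if flag == "sufficient" and not failed:
                return True   # chain broken, success
            continue
        if flag == "requisite":
            return False      # chain broken, failure
        if flag == "required":
            failed = True     # chain continues, final result is failure
        # A failed "sufficient" module is ignored and the chain continues.
    return not failed

def login(remote, second_factor_ok, password_ok):
    """Evaluate the sshd chain for one constructed login attempt."""
    results = {"login_access.so": remote,
               "pam_my2fa.so": second_factor_ok,
               "pam_unix.so": password_ok}
    trace = []
    return run_stack("sshd", results, trace), trace

if __name__ == "__main__":
    for remote in (False, True):
        for factor in (True, False):
            for password in (True, False):
                granted, ran = login(remote, factor, password)
                print(f"remote={remote} 2fa={factor} password={password} "
                      f"-> granted={granted} ran={ran}")
```

In this model a remote login whose second factor succeeds never reaches `pam_unix.so`, and one whose second factor fails is still decided by the password alone.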



## johnblue (Jan 4, 2019)

Okay... so out of the gate I am not replying because I have an answer. I have been, however, wanting to start thinking about doing 2FA myself, so I bring somewhat of a vested interest to the table in your success!



This URL talks about using CentOS with Google 2FA. I trust Google about as far as I can throw my F350 crewcab truck, so I will not be making any additional comments on them specifically as a 2FA vendor.

I found it interesting that in the howto the pam.d conf file was edited to include a Google .so, along with an edit to the sshd conf. Seems fairly logical to follow, eh?

Perhaps some cross-pollination can take place here and provide the spark needed to get to a solution. Although, I suspect that it will largely depend on the vendor you select.

Good hunting!


----------

