Bearing in mind that ‘factor’ is an overloaded term within Cosign, the “Cosign Multi-Factor Specification, 20 March 2006, Draft 6” defines the necessary behaviour of a ‘factor’ as ‘external authenticator.’ Namely:
- External authenticator(s) are declared as follows in /etc/cosign.conf:
  factor <pathname> [-2] <form-field1> <form-field2> …
- Any such authenticator will be invoked if (and only if) all listed form-fields contain posted data.
- The value of each form-field is written to the authenticator on stdin, one per line, in the order in which they are listed in the configuration.
- If authentication is successful, the authenticator:
  - writes the factor name to stdout
  - exits with 0
- Otherwise, the authenticator:
  - writes an error message to stdout
  - exits with 1
The -2 option to the factor keyword means that this factor is only checked after another (non -2) factor has been satisfied. It’s intended for use with factors which are vulnerable to denial-of-service attacks due to repeated authentication failures.