Yubico Forum

Re: PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

2010-06-17T07:37:02+01:00

And now you can use the module for packagekit, etc. There probably is a point to that check (stop from trying to brute force anthers pass??? but it makes the module crippled)

Statistics: Posted by boblikeslinux — Thu Jun 17, 2010 7:37 am

Re: PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

2010-06-17T07:35:36+01:00

--- yk_chkpwd.c.orig 2008-09-24 08:55:24.000000000 +0100
+++ yk_chkpwd.c 2010-06-17 07:33:15.932005115 +0100
@@ -183,7 +183,12 @@
* We must thus skip the check if the real uid is 0.
*/
//if (SELINUX_ENABLED && getuid() == 0)
- if (getuid() == 0)
+ /* I don't understand the point of this check. If the user is able to
+ * verify themselves as another user then why shouldn't the be allowed to?
+ * It breaks everything, su, PackageKit. Maybe you should add a flag for
+ * it but I don't care about this check for my system it's meaningless
+ * */
+ if (1)
{
user=argv[1];
}

Statistics: Posted by boblikeslinux — Thu Jun 17, 2010 7:35 am

PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

2010-06-16T11:27:51+01:00

By adding into common-auth:

auth sufficient pam_yubikey.so

And reading the documentation I would have thought I could login also through su and kupdateapplet but this fails.

I can login to console with Yubikey, I can sudo bash -l (rendering su - unnecessary, but still I want it to work), but a real bug bear is kupdateapplet not accepting yubikey as sufficient as I am having to always manually update.

I don't know enough about PAM to configure it to work so I can use my Yubikey to login via su without a password and same with kupdateapplet. This is kind of stupid because I have in the past written my own PAM module.

Anyhow, if you can help me please do I love my little yubikey and I'm going to try and get it into all sorts of interesting places...

OS is OpenSUSE 11.2

Jun 16 15:10:08 bob yk_chkpwd[11077]: mismatch of dave|root

Statistics: Posted by boblikeslinux — Wed Jun 16, 2010 11:27 am