Yubico Forum ...visit our web-store at 2012-01-27T17:32:10+01:00 https://forum.yubico.com/feed.php?f=5&t=746 2012-01-27T17:32:10+01:00 2012-01-27T17:32:10+01:00 https://forum.yubico.com/viewtopic.php?t=746&p=2904#p2904 <![CDATA[Re: Fallback configuration]]>
Currently there is no configurable timeout in yubico-c-client.

Also, please note, the 2FA approach explained above could be circumvented by anyone who is able to DoS the connectivity between the validation client and the server.

Thanks,
Samir.

Statistics: Posted by samir — Fri Jan 27, 2012 5:32 pm

]]> 2012-01-22T02:22:47+01:00 2012-01-22T02:22:47+01:00 https://forum.yubico.com/viewtopic.php?t=746&p=2903#p2903 <![CDATA[Fallback configuration]]> I'm trying to set up a 2-way yubikey authentification (using yubico-pam and an internal server) on my server and came across a problem I couldn't solve.
What i'm trying to do is to set up a fallback configuration in case my validation server goes dark so that I don't get locked out.
So, I did use the distinction pam can make between auth_err and authinfo_unavail to achieve that. (like it is explained here : http://forum.yubico.com/viewtopic.php?f=3&t=739)
However, depending on the kind of issue the validation server is experiencing, it may fail :
- If I cut out the network from the server itself, the fallback configuration is indeed used and therefor it's good.
- But if the server is network-reachable but simply not responding (service down, iptable ban, etc.), it seems the yubico-pam module is waiting without restraint for it to answer, until the login attempt itself timeouts, therefore not granting a session. I didn't find how to configure a shorter timeout for the pam module.

Does any of you has an solution ?

Statistics: Posted by eltrai — Sun Jan 22, 2012 2:22 am

]]>