Done a bunch of reading through the topics here, as well as a bunch of Googling, and have not been able to find a satisfactory solution to my quandry.
Basically, I've gotten PAM + Yubikey two-factor authentication working fine on SSH as well as su/sudo, but I'd like to have a backup account that's capable of logging in without a Yubikey since the functionality requires internet access. My thinking is that if I'm ever in a situation where DNS/internet is messed up, and I'm doing maintenence on some machines via LAN, I won't be able to log in at all.
Firstly, my setup: 1 yubikey-bearing account, 1 non-yubikey bearing account. PAM module is configured for two-factor requirement, so both password and yubikey are required for any system auth functions. The yubikey-bearing account has an entry in the mapping file, the non-bearing account does not.
I've created a backup account, and it's not got an entry in the mapping file, so should not be queried for a Yubikey authentication. However, the PAM module still presents a yubikey query for all mentioned tasks(su, sudo, ssh) along with the password query.
I'm GUESSING, probably incorrectly, that something about the PAM stacking is off such that the yubikey module is required inappropriately...but I'm at a loss on how to fix it. Here's my PAM config for yubikeys:
Name: Yubico authentication with YubiKey
Default: no
Priority: 704
Auth-Type: Primary
Auth:
include pam_yubico.so mode=client id=16 debug authfile=/etc/yubikey_mappings try_first_pass
Auth-Initial:
include pam_yubico.so mode=client id=16 try_first_pass id=16 debug authfile=/etc/yubikey_mappings
Any ideas?Statistics: Posted by tpcgk — Tue Sep 24, 2013 12:00 am
]]>