Yubico Forum https://forum.yubico.com/ |
|
Exclude a userid from needing a YubiKey on Linux? https://forum.yubico.com/viewtopic.php?f=3&t=882 |
Page 1 of 1 |
Author: | TankerT [ Thu Nov 29, 2012 9:30 pm ] |
Post subject: | Exclude a userid from needing a YubiKey on Linux? |
Hello, My first time trying to set this up, so please bear with me if these are simple questions. We want to set up our system to require users that are logging in using two-factor with a YubiKey to our Linux servers. Our only complication is that our servers are hosted by a hosting providor. As such, they would not have a YubiKey availble to them. Can I somehow set up the requirement for using the YubiKey on a per user basis? As an example, John Doe works for us, but Jim Smith works for the hosting company. As such, user ID jdoe would need a YubiKey, but user ID jsmith would just login with an ID and password. Is this possible? Thanks, JT |
Author: | samir [ Fri Nov 30, 2012 12:45 pm ] |
Post subject: | Re: Exclude a userid from needing a YubiKey on Linux? |
Hello, Please provide us details on which applications/services on the hosted linux servers (e.g. ssh or ftp or a web application etc.?) that you would like to enable for selective two-factor authentication. Please try to include as many details on your environment as possible (e.g. OS version, applications/services and software used etc.) so we can suggest a best solution to meet your requirement. Best regards, Samir. |
Author: | TankerT [ Fri Nov 30, 2012 9:06 pm ] |
Post subject: | Re: Exclude a userid from needing a YubiKey on Linux? |
Most of our servers are Red Hat Enterprise 5 (64 bit) and we have one Red Hat 6 (Enterprise) server. All using local OS authentication. We want to use the two-factor for SSH connections, as that is where most administration occurs. These servers run LAMP, R and RStudio. Thanks, Jeff |
Author: | Tom [ Mon Dec 03, 2012 9:02 am ] |
Post subject: | Re: Exclude a userid from needing a YubiKey on Linux? |
TankerT wrote: Most of our servers are Red Hat Enterprise 5 (64 bit) and we have one Red Hat 6 (Enterprise) server. All using local OS authentication. We want to use the two-factor for SSH connections, as that is where most administration occurs. These servers run LAMP, R and RStudio. Thanks, Jeff Hello Jeff, Unfortunately you cannot do perform "discrete yubikey access" at the moment. You can remotely access your server and log in with a Yubikey, but you cannot enforce it only for some users. This might change in the near future but at the moment what you describe is not possible. I hope this helps. Tom. |
Author: | darkavich [ Thu Jun 13, 2013 10:58 pm ] |
Post subject: | Re: Exclude a userid from needing a YubiKey on Linux? |
Tom wrote: Hello Jeff, Unfortunately you cannot do perform "discrete yubikey access" at the moment. You can remotely access your server and log in with a Yubikey, but you cannot enforce it only for some users. This might change in the near future but at the moment what you describe is not possible. I hope this helps. Tom. Hi Jeff, I was wondering if any new effort has been put into this feature? We are in the process of evaluating a yubikey deployment for UNIX logins and we can not have specific accounts tied to OTP. They must be excluded (for example the root account). We require a way into the local system if the authentication server is down. I see that many other PAM auth modules have arguments for things like exclude_users, but this one does not seem to support one. Could you let us know where (if at all) this feature is on the roadmap? Thanks, -Steve |
Author: | jrl657 [ Wed Jan 07, 2015 12:28 am ] |
Post subject: | Re: Exclude a userid from needing a YubiKey on Linux? |
Wouldn't you just use the pam module pam_succeed_if.so? The Following taken from an online doc for pam_succeed_if.so: Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules. type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500 type required othermodule.so arguments...e So the type would be "auth" instead of uid > 500 it would be "user ingroup nonyubi" instead of othermodule.so it would be the yubi pam module entry. then create a group called nonyubi and add all the users that you don't want yubikey to be enforced for. All this does is not load the line following the pam_succeed_if.so if the test is true. Will this not work? (This can also be reversed with notingroup test) Jim |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |