Yubico Forum
https://forum.yubico.com/

PAM configuration for fallback in case networking is down
https://forum.yubico.com/viewtopic.php?f=3&t=739
Page 1 of 1

Author:  timeggleston [ Mon Jan 02, 2012 11:14 pm ]
Post subject:  PAM configuration for fallback in case networking is down

Hi all,

I've just got my server set up with the PAM module for SSH login and it works great! However, the process got me thinking: what happens in the event that you need to log in if the machine's networking (or the Yubico servers themselves) is down?

Is there a PAM configuration that will allow the Yubikey PAM module auth to be mandatory in the (normal) situation that networking is up, but to fall back to normal password auth if for whatever reason the network is unavailable? I don't want to make the Yubikey auth "sufficient", because as I understand it, that would mean that all an attacker would have to do to bypass the OTP would be to enter a couple of null OTPs.

I know there are a lot of variables here... what happens if networking is up but mangled, how do you reliably and efficiently check for the availability of a web service etc... but I hear PAM is pretty flexible so thought I'd ask the question :)

Cheers!

-- Tim

Author:  bjencks [ Thu Jan 12, 2012 12:04 am ]
Post subject:  Re: PAM configuration for fallback in case networking is dow

Take a look at pam.conf(5) in the section about the "more complicated syntax" with square bracket notation. pam_yubico returns auth_err in case of an invalid or replayed OTP, but authinfo_unavail if it can't reach the server. You can write some logic to fail on auth_err, but try other modules on authinfo_unavail.
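
A concrete auth stack built along the lines bjencks describes, as an added example that is not part of the original thread. The Yubico client id and the mapping file path are assumed values; `id=` and `authfile=` are pam_yubico options, `[value=action]` is the pam.conf(5) bracket syntax.

```text
# /etc/pam.d/sshd  -- auth stack fragment (added example, not from the thread)
#
# pam_yubico result    action   effect
#   success            ok       remember success, continue to pam_unix
#   new_authtok_reqd   ok       treated like success
#   authinfo_unavail   ignore   validation server unreachable: this module does
#                               not contribute, so the password alone decides
#   anything else      bad      auth_err (empty, invalid or replayed OTP):
#                               remember failure but keep walking the stack, so
#                               a wrong OTP and a wrong password look identical
auth    [success=ok new_authtok_reqd=ok authinfo_unavail=ignore default=bad] \
        pam_yubico.so id=<YOUR_CLIENT_ID> authfile=/etc/yubikey_mappings
auth    required    pam_unix.so
```

Note that `authinfo_unavail=ignore` means a login attempt that cannot reach the validation service is reduced to password-only auth, so keep a second session open and test the stack with the network disconnected before relying on it.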

Author:  timeggleston [ Thu Jan 12, 2012 8:41 am ]
Post subject:  Re: PAM configuration for fallback in case networking is dow

Thanks bjencks, that's exactly what I'm looking for. Clearly should have RTFM'd a little harder!
