Yubico Forum
https://forum.yubico.com/

Fallback configuration
https://forum.yubico.com/viewtopic.php?f=5&t=746

Author:  eltrai [ Sun Jan 22, 2012 2:22 am ]
Post subject:  Fallback configuration

Hi,
I'm trying to set up a 2-way YubiKey authentication (using yubico-pam and an internal server) on my server and came across a problem I couldn't solve.
What I'm trying to do is to set up a fallback configuration in case my validation server goes dark so that I don't get locked out.
So, I used the distinction PAM can make between auth_err and authinfo_unavail to achieve that (as explained here: http://forum.yubico.com/viewtopic.php?f=3&t=739).
However, depending on the kind of issue the validation server is experiencing, it may fail:
- If I cut out the network from the server itself, the fallback configuration is indeed used and therefore it's good.
- But if the server is network-reachable but simply not responding (service down, iptable ban, etc.), it seems the yubico-pam module is waiting without restraint for it to answer, until the login attempt itself times out, therefore not granting a session. I didn't find how to configure a shorter timeout for the PAM module.

Does any of you have a solution?

Author:  samir [ Fri Jan 27, 2012 5:32 pm ]
Post subject:  Re: Fallback configuration

Hi,

Currently there is no configurable timeout in yubico-c-client.

Also, please note, the 2FA approach explained above could be circumvented by anyone who is able to DoS the connectivity between the validation client and the server.

Thanks,
Samir.
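
The two posts above, worked through as an added example (not code from either poster or from yubico-pam): a simplified model of how libpam combines module results, run against a fail-open and a fail-closed stack. The exact control string, the stack layout and the per-scenario return values are assumptions based on what the thread describes.

```python
# Added example: simplified model of libpam's auth-stack evaluation.
# Stack lines and per-scenario return values are assumptions drawn from the thread.

SHORTHAND = {  # abridged expansions of the classic control keywords
    "required": {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "ignore": "ignore", "default": "die"},
}

FAIL_OPEN = [  # fallback as described in the first post (control string assumed)
    ("[success=ok authinfo_unavail=ignore default=die]", "pam_yubico.so"),
    ("required", "pam_unix.so"),
]
FAIL_CLOSED = [  # no fallback: both factors are always required
    ("required", "pam_yubico.so"),
    ("required", "pam_unix.so"),
]

def parse_control(control):
    """Turn 'required' or '[value=action ...]' into a {value: action} dict."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return SHORTHAND[control]

def authenticate(stack, results):
    """results maps module -> PAM return value name, or None if it never returns."""
    verdict = None  # None: undecided, True: passing so far, False: failed
    for control, module in stack:
        result = results[module]
        if result is None:
            return False  # module blocked until the login attempt timed out
        actions = parse_control(control)
        action = actions.get(result, actions.get("default", "bad"))
        if action == "die":
            return False
        if action == "bad":
            verdict = False
        elif action == "ok" and verdict is None:
            verdict = True
        # "ignore": this module contributes nothing to the verdict
    return verdict is True

def scenarios(stack, password_ok=True):
    """Outcome per validation-server state for a login that has no valid OTP."""
    pw = "success" if password_ok else "auth_err"
    states = {"server up, bad OTP": "auth_err",
              "server unreachable": "authinfo_unavail",
              "server hangs": None}
    return {name: authenticate(stack, {"pam_yubico.so": rv, "pam_unix.so": pw})
            for name, rv in states.items()}
```

With `FAIL_OPEN`, the "server unreachable" row is the only one that authenticates without an OTP, which is the reduction to a single factor noted in the reply; the "server hangs" row never reaches the fallback at all.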

All times are UTC + 1 hour