Yubico Forum https://forum.yubico.com/

Fallback configuration https://forum.yubico.com/viewtopic.php?f=5&t=746
Author: eltrai [ Sun Jan 22, 2012 2:22 am ]
Post subject: Fallback configuration

Hi,

I'm trying to set up a 2-way YubiKey authentication (using yubico-pam and an internal server) on my server and came across a problem I couldn't solve.

What I'm trying to do is to set up a fallback configuration in case my validation server goes dark so that I don't get locked out. So, I did use the distinction PAM can make between auth_err and authinfo_unavail to achieve that (like it is explained here: http://forum.yubico.com/viewtopic.php?f=3&t=739).

However, depending on the kind of issue the validation server is experiencing, it may fail:

- If I cut out the network from the server itself, the fallback configuration is indeed used and therefore it's good.
- But if the server is network-reachable but simply not responding (service down, iptable ban, etc.), it seems the yubico-pam module is waiting without restraint for it to answer, until the login attempt itself times out, therefore not granting a session.

I didn't find how to configure a shorter timeout for the PAM module. Does any of you have a solution?

Author: samir [ Fri Jan 27, 2012 5:32 pm ]
Post subject: Re: Fallback configuration

Hi,

Currently there is no configurable timeout in yubico-c-client.

Also, please note, the 2FA approach explained above could be circumvented by anyone who is able to DoS the connectivity between the validation client and the server.

Thanks,
Samir.
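
Added example, not part of the original thread and not yubico-pam or libpam code: a simplified Python model of Linux-PAM's bracketed `[value=action]` control handling, showing how a fallback keyed on authinfo_unavail lets a login succeed on the password alone when the validation server is unavailable, while a `required` control denies it. The two-module stack (pam_unix, then pam_yubico), the control mappings and the return codes fed in are assumptions for illustration.

```python
# Added example: simplified model of Linux-PAM [value=action] controls.
# Not libpam or yubico-pam code; stack layout and return codes are assumptions.

REQUIRED = {"success": "ok", "new_authtok_reqd": "ok",
            "ignore": "ignore", "default": "bad"}          # fail-closed
FAIL_OPEN = {"success": "ok", "authinfo_unavail": "ignore",
             "default": "bad"}                             # fallback on outage


def run_stack(stack, results):
    """stack: list of (module, control); results: module -> return code name."""
    failure, positive = None, False
    for module, control in stack:
        ret = results[module]
        action = control.get(ret, control["default"])
        if action == "ignore":
            continue                      # module has no say in the outcome
        if action in ("ok", "done"):
            if failure is None:
                positive = True
                if action == "done":
                    break                 # success so far, stop evaluating
        elif action in ("bad", "die"):
            if failure is None:
                failure = ret             # first failure decides the result
            if action == "die":
                break
    if failure is None and positive:
        return "success"
    return failure or "perm_denied"       # nothing voted success: deny


def outcome(yubico_control, password_ret, yubico_ret):
    """Result of a password + OTP stack for the given (constructed) returns."""
    stack = [("pam_unix", REQUIRED), ("pam_yubico", yubico_control)]
    return run_stack(stack, {"pam_unix": password_ret,
                             "pam_yubico": yubico_ret})


if __name__ == "__main__":
    for yubi in ("success", "auth_err", "authinfo_unavail"):
        print(f"{yubi:17} fail-open={outcome(FAIL_OPEN, 'success', yubi):17}"
              f" required={outcome(REQUIRED, 'success', yubi)}")
```

With the fallback mapping, the authinfo_unavail row is the only one where the two policies differ: the second factor is skipped rather than enforced, which is the trade-off against lockout that the thread is about.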

All times are UTC + 1 hour