Yubico Forum
https://forum.yubico.com/

PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet
https://forum.yubico.com/viewtopic.php?f=4&t=543

Author:  boblikeslinux [ Wed Jun 16, 2010 11:27 am ]
Post subject:  PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

By adding into common-auth:

auth sufficient pam_yubikey.so

And reading the documentation I would have thought I could log in also through su and kupdateapplet but this fails.

I can log in to console with Yubikey, I can sudo bash -l (rendering su - unnecessary, but still I want it to work), but a real bugbear is kupdateapplet not accepting yubikey as sufficient as I am having to always manually update.

I don't know enough about PAM to configure it to work so I can use my Yubikey to log in via su without a password and same with kupdateapplet. This is kind of stupid because I have in the past written my own PAM module.

Anyhow, if you can help me, please do. I love my little yubikey and I'm going to try and get it into all sorts of interesting places...

OS is OpenSUSE 11.2

Jun 16 15:10:08 bob yk_chkpwd[11077]: mismatch of dave|root

Author:  boblikeslinux [ Thu Jun 17, 2010 7:35 am ]
Post subject:  Re: PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

--- yk_chkpwd.c.orig 2008-09-24 08:55:24.000000000 +0100
+++ yk_chkpwd.c 2010-06-17 07:33:15.932005115 +0100
@@ -183,7 +183,12 @@
* We must thus skip the check if the real uid is 0.
*/
//if (SELINUX_ENABLED && getuid() == 0)
- if (getuid() == 0)
+ /* I don't understand the point of this check. If the user is able to
+ * verify themselves as another user then why shouldn't the be allowed to?
+ * It breaks everything, su, PackageKit. Maybe you should add a flag for
+ * it but I don't care about this check for my system it's meaningless
+ * */
+ if (1)
{
user=argv[1];
}
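
Review bot: `if (1)` makes the `user=argv[1];` branch unconditional, so the helper now trusts the user name given on its command line from any caller, while the surrounding comment only justifies skipping the check when the real uid is 0. The `mismatch of dave|root` log line in the first post looks like this check rejecting a caller (dave) who asked to verify a different account (root); with the condition hardcoded to true, any local user who can run yk_chkpwd can have it verify credentials for any other account, root included. Keep `if (getuid() == 0)` as the default and put the bypass behind an explicit opt-in, as the added comment itself proposes ("Maybe you should add a flag"). As a style point, drop the commented-out `SELINUX_ENABLED` line and replace the opinion comment (which also has a typo, "the be allowed") with a short description of what the option does.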

Author:  boblikeslinux [ Thu Jun 17, 2010 7:37 am ]
Post subject:  Re: PAM, YubiPAM-1.0.4, su and /usr/bin/kupdateapplet

And now you can use the module for packagekit, etc. There probably is a point to that check (stop from trying to brute force another's pass??? but it makes the module crippled)

All times are UTC + 1 hour