Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:29 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Wed Jul 08, 2009 8:53 am 
Offline

Joined: Wed Jul 08, 2009 8:43 am
Posts: 1
Hi all,

So the pam module works really well, got the authorised keys stuff all working as well.

What I am trying to do though is allow ssh access via yubikey without a password OR via password without the yubikey. Is there any way to get that happening? I was thinking of having an option to either require 2 factor or not possibly per user/per module.

The idea is to allow some users to login via shh or use sudo and similar via a yubikey while allowing other users to use passwords and PKI as normal.

Any help appreciated.

P1


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jul 09, 2009 8:55 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
The current Yubico PAM module is designed to support two factor authentication. Using the current PAM module it will not be possible to provide just YubiKey based one factor authentication (Username + YubiKey OTP) for some users and password based authentication for other users (Username + Password). However, using the current PAM module some users can be provided with YubiKey based two factor authentication (Username + Password + YubiKey OTP) and other users with password based authentication (Username + Password). Providing such a functionality would require some modifications in the current Yubico PAM module.


Top
 Profile  
Reply with quote  
PostPosted: Wed Aug 26, 2009 7:25 am 
Offline

Joined: Mon Apr 27, 2009 8:49 am
Posts: 3
It is possible to configure PAM so that users can log in with YubiKey or password. Those users who don't have a YubiKey (specified in mapping file), can log in only with password.

I have done this with following auth-rules:

Code:
auth  sufficient pam_yubico.so (arguments...)
auth  required  pam_unix.so (arguments...)


If sufficient-control returns OK, no further auth-rules are checked, so make sure that there are no more auth-lines after these.

PAM seems to be quite versatile, and different kind of modules can be stacked together to achieve desired behaviour. There is, for example, pam_lockout -module, that returns fail for specified user or group. More complex alternative could be pam_listfile, which is included in most distributions already. Using the substack-control in PAM configuration, it might be possible to do the following (or just about anything similar):

  • by default, users can authenticate with a password
  • users in group yubikey_auth_only must use a YubiKey (or password+YubiKey)

I will do some tests with these kind of configurations. If you are intrested, check the PAM documantation in http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html, and tell if you come up with a working solution.


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 31, 2009 3:07 pm 
Offline

Joined: Mon Apr 27, 2009 8:49 am
Posts: 3
Hello again,

I have now tested different configurations, and it is actually quite easy to require password+YubiKey for some users and just passwd for others. All this is accomplished with pam_succeed_if.so module along with some specific control values for PAM.

First, create group yubikey-passwd-auth. Also, have the YubiKey mapping file ready (mine is in etc/security/yubikey.map). Beware, if the user has no YubiKey mapping, and YubiKey-login is enforced, the user has no way to log in!

I created a file /etc/pam.d/yubikey-passwd-auth:
Code:
# PAM configuration file for password+YubiKey authentication, if the user
# is in group yubikey-passwd-auth

# Skip the following rules if user is not in the specified group
auth    [success=2 default=ignore] pam_succeed_if.so    quiet  user notingroup yubikey-passwd-auth

# Perform YubiKey authentication and die if this fails
auth  requisite      pam_yubico.so    id=XX authfile=/etc/security/yubikey.map

# Check the password returned from the pam_yubico module, declare authentication done
# if this succeeds, die if it fails
auth  [success=done default=die]  pam_unix.so    use_first_pass


And, the following code must be added to a sevice file in /etc/pam.d/:
Code:
@include yubikey-passwd-auth


This code must be added just before the pam_unix.so call, or before the @include common-auth line (or similar).

You can go even further and configure your system so that:
  • Users in yubikey-passwd-auth authenticate with passwd+Yubikey
  • Users in yubikey-auth can authenticate with Yubikey, without password
  • Other users use only password

For this, the yubikey-auth file would look like this:
Code:
# PAM configuration file for YubiKey authentication, if the user is in group yubikey-auth

# Skip the following rule if user is not in the specified group
auth    [success=1 default=ignore] pam_succeed_if.so    quiet  user notingroup yubikey-auth

# Perform YubiKey authentication
auth  [success=done default=die]   pam_yubico.so    id=XX authfile=/etc/security/yubikey.map


How does this method look like? Are there any security considerations? Configuring two-factor authentication with PAM seems very elegant solution to me, as Yubico PAM module can be stacked with any other authentication module. There is also no need to modify the Yubico PAM module to support complex configurations.


- Mikko


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group