Hi all,
I've just got my server set up with the PAM module for SSH login and it works great! However, the process got me thinking: what happens in the event that you need to log in if the machine's networking (or the Yubico servers themselves) is down?
Is there a PAM configuration that will allow the YubiKey PAM module auth to be mandatory in the (normal) situation that networking is up, but to fall back to normal password auth if for whatever reason the network is unavailable? I don't want to make the YubiKey auth "sufficient", because as I understand it, that would mean that all an attacker would have to do to bypass the OTP would be to enter a couple of null OTPs.
I know there are a lot of variables here... what happens if networking is up but mangled, how do you reliably and efficiently check for the availability of a web service, etc... but I hear PAM is pretty flexible, so I thought I'd ask the question.
Cheers!
-- Tim