Yubico Forum

PostPosted: Tue Sep 24, 2013 12:00 am 
Hi all,

Done a bunch of reading through the topics here, as well as a bunch of Googling, and have not been able to find a satisfactory solution to my quandary.

Basically, I've gotten PAM + Yubikey two-factor authentication working fine on SSH as well as su/sudo, but I'd like to have a backup account that's capable of logging in without a Yubikey since the functionality requires internet access. My thinking is that if I'm ever in a situation where DNS/internet is messed up, and I'm doing maintenance on some machines via LAN, I won't be able to log in at all.

Firstly, my setup: 1 yubikey-bearing account, 1 non-yubikey-bearing account. PAM module is configured for two-factor requirement, so both password and yubikey are required for any system auth functions. The yubikey-bearing account has an entry in the mapping file, the non-bearing account does not.

I've created a backup account, and it's not got an entry in the mapping file, so should not be queried for a Yubikey authentication. However, the PAM module still presents a yubikey query for all mentioned tasks (su, sudo, ssh) along with the password query.

I'm GUESSING, probably incorrectly, that something about the PAM stacking is off such that the yubikey module is required inappropriately...but I'm at a loss on how to fix it. Here's my PAM config for yubikeys:


Name: Yubico authentication with YubiKey
Default: no
Priority: 704
Auth-Type: Primary
Auth:
    include pam_yubico.so mode=client id=16 debug authfile=/etc/yubikey_mappings try_first_pass
Auth-Initial:
    include pam_yubico.so mode=client id=16 try_first_pass debug authfile=/etc/yubikey_mappings

Any ideas?

PostPosted: Tue Sep 24, 2013 2:02 am 
Also of note: VSFTPD no longer functions with the yubikey PAM module.
PostPosted: Tue Sep 24, 2013 9:50 am 
Site Admin
It doesn't allow opt-out
https://github.com/Yubico/yubico-pam/issues/20

_________________
-Tom
PostPosted: Wed Sep 25, 2013 8:25 am 
I have to admit, it's disheartening that there's no backup method. My thinking is that in a network failure situation where configuration settings must be changed, there will be no way to log into any box that has a yubikey pam module enabled - ergo, you face the risk of permanent lock-out of your machines by deploying the PAM module...

Is it possible to change the failure mode of cURL fetches such that the PAM module returns a success? I would love to deploy yubikeys, but the current codebase makes disaster recovery a nightmare.
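As an added example (not from this thread, and not a feature of pam_yubico itself), the per-user opt-out the thread asks for can be done one level up, in the PAM stack: gate pam_yubico on membership in a group, so a break-glass account outside that group is authenticated by pam_unix alone and never needs the online OTP check. The group name `yubikey` and placing this in the common-auth stack are assumptions; `id=16` and the mapping file path are taken from the poster's configuration.

```pam
# Added example for /etc/pam.d/common-auth (or the sshd/su/sudo service file).
# The "yubikey" group name is an assumption; create it and add OTP-bearing users to it.
#
# pam_succeed_if succeeds when the user is NOT in the yubikey group; success=1 then
# skips the next line (pam_yubico), so that user is checked by pam_unix only.
# For members of the group it returns a failure, which default=ignore discards,
# and the stack proceeds to require the YubiKey OTP exactly as before.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup yubikey
auth    required                    pam_yubico.so mode=client id=16 authfile=/etc/yubikey_mappings try_first_pass
auth    required                    pam_unix.so try_first_pass
```

Group membership now decides who may skip the OTP, so keep the break-glass account to LAN/console use and audit the yubikey group like any other privileged group; a user who is in the group but absent from the mapping file is still rejected by pam_yubico.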