Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:24 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Mon Jan 02, 2012 11:14 pm 
Offline

Joined: Mon Jan 02, 2012 11:08 pm
Posts: 2
Hi all,

I've just got my server set up with the PAM module for SSH login and it works great! However, the process got me thinking; what happens in the event that you need to log in if the machine's networking (or the Yubico servers themselves) is down?

Is there a PAM configuration that will allow the Yubikey PAM module auth to be mandatory in the (normal) situation that networking is up, but to fall back to normal password auth if for whatever reason the network is unavailable? I don't want to make the Yubikey auth "sufficient", because as I understand it, that would mean that all an attacker would have to do to bypass the OTP would be to enter a couple of null OTPs.

I know there are a lot of variables here... what happens if networking is up but mangled, how do you reliably and efficiently check for the availability of a web service etc... but I hear PAM is pretty flexible so thought I'd ask the question :)

Cheers!

-- Tim


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jan 12, 2012 12:04 am 
Offline

Joined: Wed Jan 11, 2012 8:48 pm
Posts: 5
Take a look at pam.conf(5) in the section about the "more complicated syntax" with square bracket notation. pam_yubico returns auth_err in case of an invalid or replayed OTP, but authinfo_unavail if it can't reach the server. You can write some logic to fail on auth_err, but try other modules on authinfo_unavail.


Top
 Profile  
Reply with quote  
PostPosted: Thu Jan 12, 2012 8:41 am 
Offline

Joined: Mon Jan 02, 2012 11:08 pm
Posts: 2
Thanks bjencks, that's exactly what I'm looking for. Clearly should have RTFM'd a little harder!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group