Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Thu Nov 29, 2012 9:30 pm 
Offline

Joined: Sat Mar 03, 2012 4:08 pm
Posts: 2
Hello,

My first time trying to set this up, so please bear with me if these are simple questions.

We want to set up our system to require users that are logging in using two-factor with a YubiKey to our Linux servers.

Our only complication is that our servers are hosted by a hosting providor. As such, they would not have a YubiKey availble to them.

Can I somehow set up the requirement for using the YubiKey on a per user basis?

As an example, John Doe works for us, but Jim Smith works for the hosting company.

As such, user ID jdoe would need a YubiKey, but user ID jsmith would just login with an ID and password.

Is this possible?

Thanks,

JT


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Nov 30, 2012 12:45 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

Please provide us details on which applications/services on the hosted linux servers (e.g. ssh or ftp or a web application etc.?) that you would like to enable for selective two-factor authentication. Please try to include as many details on your environment as possible (e.g. OS version, applications/services and software used etc.) so we can suggest a best solution to meet your requirement.

Best regards,
Samir.


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 30, 2012 9:06 pm 
Offline

Joined: Sat Mar 03, 2012 4:08 pm
Posts: 2
Most of our servers are Red Hat Enterprise 5 (64 bit) and we have one Red Hat 6 (Enterprise) server. All using local OS authentication. We want to use the two-factor for SSH connections, as that is where most administration occurs.

These servers run LAMP, R and RStudio.

Thanks,

Jeff


Top
 Profile  
Reply with quote  
PostPosted: Mon Dec 03, 2012 9:02 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
TankerT wrote:
Most of our servers are Red Hat Enterprise 5 (64 bit) and we have one Red Hat 6 (Enterprise) server. All using local OS authentication. We want to use the two-factor for SSH connections, as that is where most administration occurs.

These servers run LAMP, R and RStudio.

Thanks,

Jeff


Hello Jeff,

Unfortunately you cannot do perform "discrete yubikey access" at the moment. You can remotely access your server and log in with a Yubikey, but you cannot enforce it only for some users. This might change in the near future but at the moment what you describe is not possible.

I hope this helps.
Tom.

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Thu Jun 13, 2013 10:58 pm 
Offline

Joined: Thu Jun 13, 2013 9:53 pm
Posts: 5
Tom wrote:
Hello Jeff,

Unfortunately you cannot do perform "discrete yubikey access" at the moment. You can remotely access your server and log in with a Yubikey, but you cannot enforce it only for some users. This might change in the near future but at the moment what you describe is not possible.

I hope this helps.
Tom.


Hi Jeff,
I was wondering if any new effort has been put into this feature? We are in the process of evaluating a yubikey deployment for UNIX logins and we can not have specific accounts tied to OTP. They must be excluded (for example the root account). We require a way into the local system if the authentication server is down. I see that many other PAM auth modules have arguments for things like exclude_users, but this one does not seem to support one. Could you let us know where (if at all) this feature is on the roadmap?

Thanks,
-Steve


Top
 Profile  
Reply with quote  
PostPosted: Wed Jan 07, 2015 12:28 am 
Offline

Joined: Wed Jan 07, 2015 12:08 am
Posts: 1
Wouldn't you just use the pam module pam_succeed_if.so? The Following taken from an online doc for pam_succeed_if.so:


Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.

type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...e


So the type would be "auth"
instead of uid > 500 it would be "user ingroup nonyubi"
instead of othermodule.so it would be the yubi pam module entry.

then create a group called nonyubi and add all the users that you don't want yubikey to be enforced for.

All this does is not load the line following the pam_succeed_if.so if the test is true.

Will this not work?

(This can also be reversed with notingroup test)

Jim


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group