Yubico Forum

Hi all,

So the pam module works really well, got the authorised keys stuff all working as well.

What I am trying to do though is allow ssh access via yubikey without a password OR via password without the yubikey. Is there any way to get that happening? I was thinking of having an option to either require 2 factor or not possibly per user/per module.

The idea is to allow some users to login via shh or use sudo and similar via a yubikey while allowing other users to use passwords and PKI as normal.

Any help appreciated.

P1

The current Yubico PAM module is designed to support two factor authentication. Using the current PAM module it will not be possible to provide just YubiKey based one factor authentication (Username + YubiKey OTP) for some users and password based authentication for other users (Username + Password). However, using the current PAM module some users can be provided with YubiKey based two factor authentication (Username + Password + YubiKey OTP) and other users with password based authentication (Username + Password). Providing such a functionality would require some modifications in the current Yubico PAM module.

It is possible to configure PAM so that users can log in with YubiKey or password. Those users who don't have a YubiKey (specified in mapping file), can log in only with password.

I have done this with following auth-rules:



If sufficient-control returns OK, no further auth-rules are checked, so make sure that there are no more auth-lines after these.

PAM seems to be quite versatile, and different kind of modules can be stacked together to achieve desired behaviour. There is, for example, pam_lockout -module, that returns fail for specified user or group. More complex alternative could be pam_listfile, which is included in most distributions already. Using the substack-control in PAM configuration, it might be possible to do the following (or just about anything similar):

• by default, users can authenticate with a password
• users in group yubikey_auth_only must use a YubiKey (or password+YubiKey)

I will do some tests with these kind of configurations. If you are intrested, check the PAM documantation in http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html, and tell if you come up with a working solution.

Hello again,

I have now tested different configurations, and it is actually quite easy to require password+YubiKey for some users and just passwd for others. All this is accomplished with pam_succeed_if.so module along with some specific control values for PAM.

First, create group yubikey-passwd-auth. Also, have the YubiKey mapping file ready (mine is in etc/security/yubikey.map). Beware, if the user has no YubiKey mapping, and YubiKey-login is enforced, the user has no way to log in!

I created a file /etc/pam.d/yubikey-passwd-auth:


And, the following code must be added to a sevice file in /etc/pam.d/:


This code must be added just before the pam_unix.so call, or before the @include common-auth line (or similar).

You can go even further and configure your system so that:

• Users in yubikey-passwd-auth authenticate with passwd+Yubikey
• Users in yubikey-auth can authenticate with Yubikey, without password
• Other users use only password

For this, the yubikey-auth file would look like this:


How does this method look like? Are there any security considerations? Configuring two-factor authentication with PAM seems very elegant solution to me, as Yubico PAM module can be stacked with any other authentication module. There is also no need to modify the Yubico PAM module to support complex configurations.


- Mikko