Yubico Forum
https://forum.yubico.com/

Backup account in PAM that does not require yubikey to login
https://forum.yubico.com/viewtopic.php?f=23&t=1173

Author:  tpcgk [ Tue Sep 24, 2013 12:00 am ]
Post subject:  Backup account in PAM that does not require yubikey to login

Hi all,

Done a bunch of reading through the topics here, as well as a bunch of Googling, and have not been able to find a satisfactory solution to my quandary.

Basically, I've gotten PAM + Yubikey two-factor authentication working fine on SSH as well as su/sudo, but I'd like to have a backup account that's capable of logging in without a Yubikey since the functionality requires internet access. My thinking is that if I'm ever in a situation where DNS/internet is messed up, and I'm doing maintenance on some machines via LAN, I won't be able to log in at all.

Firstly, my setup: 1 yubikey-bearing account, 1 non-yubikey bearing account. PAM module is configured for two-factor requirement, so both password and yubikey are required for any system auth functions. The yubikey-bearing account has an entry in the mapping file, the non-bearing account does not.

I've created a backup account, and it's not got an entry in the mapping file, so should not be queried for a Yubikey authentication. However, the PAM module still presents a yubikey query for all mentioned tasks (su, sudo, ssh) along with the password query.

I'm GUESSING, probably incorrectly, that something about the PAM stacking is off such that the yubikey module is required inappropriately...but I'm at a loss on how to fix it. Here's my PAM config for yubikeys:


Name: Yubico authentication with YubiKey
Default: no
Priority: 704
Auth-Type: Primary
Auth:
include pam_yubico.so mode=client id=16 debug authfile=/etc/yubikey_mappings try_first_pass
Auth-Initial:
include pam_yubico.so mode=client id=16 try_first_pass debug authfile=/etc/yubikey_mappings

Any ideas?

Author:  tpcgk [ Tue Sep 24, 2013 2:02 am ]
Post subject:  Re: Backup account in PAM that does not require yubikey to l

Also of note: VSFTPD no longer functions with the yubikey PAM module.

Author:  Tom [ Tue Sep 24, 2013 9:50 am ]
Post subject:  Re: Backup account in PAM that does not require yubikey to l

It doesn't allow opt-out
https://github.com/Yubico/yubico-pam/issues/20

Author:  tpcgk [ Wed Sep 25, 2013 8:25 am ]
Post subject:  Re: Backup account in PAM that does not require yubikey to l

I have to admit, it's disheartening that there's no backup method. My thinking is that in a network failure situation where configuration settings must be changed, there will be no way to log into any box that has a yubikey pam module enabled - ergo, you face the risk of permanent lock-out of your machines by deploying the PAM module...

Is it possible to change the failure mode of cURL fetches such that the PAM module returns a success? I would love to deploy yubikeys, but the current codebase makes disaster recovery a nightmare.
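One way to give a break-glass account the exemption the thread asks for, without relying on pam_yubico's mapping file, is to order the PAM stack so that pam_yubico.so is jumped over for users outside a designated group. This is an added example, not configuration from the thread or from the yubico-pam project; it assumes a Debian-style /etc/pam.d/common-auth, a local group named yubikey-users (hypothetical) that holds every account that must present a key, and the id=16 and /etc/yubikey_mappings values from the post above.

```text
# /etc/pam.d/common-auth (added example; assumes group "yubikey-users" exists)

# pam_succeed_if returns success when the user is NOT in yubikey-users,
# and [success=1] then skips exactly one module: the pam_yubico line below.
# For members of the group it fails, default=ignore discards that result,
# and the stack falls through to the YubiKey check.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup yubikey-users

# Members of yubikey-users must present an OTP mapped in /etc/yubikey_mappings.
auth    required                    pam_yubico.so mode=client id=16 authfile=/etc/yubikey_mappings try_first_pass

# The password check still applies to every account, including the break-glass one.
auth    required                    pam_unix.so try_first_pass
```

The jump count in success=1 refers to the number of following lines, so it must be adjusted if another module is inserted between pam_succeed_if and pam_yubico. The exempt account is protected by its password alone, so it should be a dedicated break-glass identity with a strong credential and restricted to console or LAN access rather than a normal user.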
