Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:22 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Wed Jun 16, 2010 11:27 am 
Offline

Joined: Wed Jun 16, 2010 11:21 am
Posts: 4
By adding into common-auth:

auth sufficient pam_yubikey.so

And reading the documentation I would have thought I could login also through su and kupdateapplet but this fails.

I can login to console with Yubikey, I can sudo bash -l (rendering su - unnecessary, but still I want it to work), but a real bug bear is kupdateapplet not accepting yubikey as sufficient as I am having to always manually update.

I don't know enough about PAM to configure it to work so I can use my Yubikey to login via su without a password and same with kupdateapplet. This is kind of stupid because I have in the past written my own PAM module.

Anyhow, if you can help me please do I love my little yubikey and I'm going to try and get it into all sorts of interesting places...

OS is OpenSUSE 11.2

Jun 16 15:10:08 bob yk_chkpwd[11077]: mismatch of dave|root


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Jun 17, 2010 7:35 am 
Offline

Joined: Wed Jun 16, 2010 11:21 am
Posts: 4
--- yk_chkpwd.c.orig 2008-09-24 08:55:24.000000000 +0100
+++ yk_chkpwd.c 2010-06-17 07:33:15.932005115 +0100
@@ -183,7 +183,12 @@
* We must thus skip the check if the real uid is 0.
*/
//if (SELINUX_ENABLED && getuid() == 0)
- if (getuid() == 0)
+ /* I don't understand the point of this check. If the user is able to
+ * verify themselves as another user then why shouldn't the be allowed to?
+ * It breaks everything, su, PackageKit. Maybe you should add a flag for
+ * it but I don't care about this check for my system it's meaningless
+ * */
+ if (1)
{
user=argv[1];
}


Top
 Profile  
Reply with quote  
PostPosted: Thu Jun 17, 2010 7:37 am 
Offline

Joined: Wed Jun 16, 2010 11:21 am
Posts: 4
And now you can use the module for packagekit, etc. There probably is a point to that check (stop from trying to brute force anthers pass??? but it makes the module crippled)


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group