Hi,
I'm trying to set up 2-way YubiKey authentication (using yubico-pam and an internal server) on my server and came across a problem I couldn't solve.
What I'm trying to do is to set up a fallback configuration in case my validation server goes dark so that I don't get locked out.
So, I used the distinction PAM can make between auth_err and authinfo_unavail to achieve that (as explained here: http://forum.yubico.com/viewtopic.php?f=3&t=739).
However, depending on the kind of issue the validation server is experiencing, it may fail:
- If I cut the network off from the server itself, the fallback configuration is indeed used and therefore it's good.
- But if the server is network-reachable but simply not responding (service down, iptables ban, etc.), it seems the yubico-pam module waits without restraint for it to answer, until the login attempt itself times out, therefore not granting a session. I didn't find how to configure a shorter timeout for the PAM module.
Does any of you have a solution?