Yubico Forum

using pam module for SSH auth without requiring passwd

Author:  pl4yer0ne [ Wed Jul 08, 2009 8:53 am ]
Post subject:  using pam module for SSH auth without requiring passwd

Hi all,

So the pam module works really well, got the authorised keys stuff all working as well.

What I am trying to do though is allow ssh access via yubikey without a password OR via password without the yubikey. Is there any way to get that happening? I was thinking of having an option to either require 2 factor or not possibly per user/per module.

The idea is to allow some users to login via ssh or use sudo and similar via a yubikey while allowing other users to use passwords and PKI as normal.

Any help appreciated.


Author:  network-marvels [ Thu Jul 09, 2009 8:55 am ]
Post subject:  Re: using pam module for SSH auth without requiring passwd

The current Yubico PAM module is designed to support two factor authentication. Using the current PAM module it will not be possible to provide just YubiKey based one factor authentication (Username + YubiKey OTP) for some users and password based authentication for other users (Username + Password). However, using the current PAM module some users can be provided with YubiKey based two factor authentication (Username + Password + YubiKey OTP) and other users with password based authentication (Username + Password). Providing such a functionality would require some modifications in the current Yubico PAM module.

Author:  msvilp [ Wed Aug 26, 2009 7:25 am ]
Post subject:  Re: using pam module for SSH auth without requiring passwd

It is possible to configure PAM so that users can log in with YubiKey or password. Those users who don't have a YubiKey (specified in the mapping file) can log in only with a password.

I have done this with the following auth rules:

auth  sufficient pam_yubico.so (arguments...)
auth  required  pam_unix.so (arguments...)

If sufficient-control returns OK, no further auth-rules are checked, so make sure that there are no more auth-lines after these.

PAM seems to be quite versatile, and different kinds of modules can be stacked together to achieve the desired behaviour. There is, for example, the pam_lockout module, which returns fail for a specified user or group. A more complex alternative could be pam_listfile, which is included in most distributions already. Using the substack control in the PAM configuration, it might be possible to do the following (or just about anything similar):

  • by default, users can authenticate with a password
  • users in group yubikey_auth_only must use a YubiKey (or password+YubiKey)

I will do some tests with these kinds of configurations. If you are interested, check the PAM documentation at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html, and tell if you come up with a working solution.

Author:  msvilp [ Mon Aug 31, 2009 3:07 pm ]
Post subject:  Re: using pam module for SSH auth without requiring passwd

Hello again,

I have now tested different configurations, and it is actually quite easy to require password+YubiKey for some users and just passwd for others. All this is accomplished with pam_succeed_if.so module along with some specific control values for PAM.

First, create group yubikey-passwd-auth. Also, have the YubiKey mapping file ready (mine is in /etc/security/yubikey.map). Beware, if the user has no YubiKey mapping, and YubiKey login is enforced, the user has no way to log in!

I created a file /etc/pam.d/yubikey-passwd-auth:
# PAM configuration file for password+YubiKey authentication, if the user
# is in group yubikey-passwd-auth

# Skip the following rules if user is not in the specified group
auth    [success=2 default=ignore] pam_succeed_if.so    quiet  user notingroup yubikey-passwd-auth

# Perform YubiKey authentication and die if this fails
auth  requisite      pam_yubico.so    id=XX authfile=/etc/security/yubikey.map

# Check the password returned from the pam_yubico module, declare authentication done
# if this succeeds, die if it fails
auth  [success=done default=die]  pam_unix.so    use_first_pass

And, the following line must be added to a service file in /etc/pam.d/:
@include yubikey-passwd-auth

This code must be added just before the pam_unix.so call, or before the @include common-auth line (or similar).

You can go even further and configure your system so that:
  • Users in yubikey-passwd-auth authenticate with passwd+Yubikey
  • Users in yubikey-auth can authenticate with Yubikey, without password
  • Other users use only password

For this, the yubikey-auth file would look like this:
# PAM configuration file for YubiKey authentication, if the user is in group yubikey-auth

# Skip the following rule if user is not in the specified group
auth    [success=1 default=ignore] pam_succeed_if.so    quiet  user notingroup yubikey-auth

# Perform YubiKey authentication
auth  [success=done default=die]   pam_yubico.so    id=XX authfile=/etc/security/yubikey.map

How does this method look? Are there any security considerations? Configuring two-factor authentication with PAM seems a very elegant solution to me, as the Yubico PAM module can be stacked with any other authentication module. There is also no need to modify the Yubico PAM module to support complex configurations.

- Mikko
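A small model of how Linux-PAM walks the auth stacks from both of msvilp's replies (an added example, not Yubico's or the forum's code), so each configuration can be checked offline for every class of user, including the locked-out case the warning above describes. It simplifies: a module only succeeds or fails, the use_first_pass hand-off from pam_yubico to pam_unix is reduced to two booleans on a simulated user, and a success=N jump is treated as ok plus a skip, as pam.conf(5) describes it.

```python
def ctl(spec):
    """Parse a '[success=2 default=ignore]' control field into a dict."""
    return dict(kv.split("=") for kv in spec.strip("[]").split())

# Keyword controls as their bracketed equivalents (pam.conf(5), simplified).
SUFFICIENT = ctl("success=done default=ignore")
REQUIRED = ctl("success=ok default=bad")
REQUISITE = ctl("success=ok default=die")

# Simulated modules: each takes the user dict and returns True on success.
def notingroup(group):            # pam_succeed_if.so user notingroup <group>
    return lambda u: group not in u["groups"]
def pam_yubico(u):                # fails without a mapping entry or a valid OTP
    return u.get("has_mapping", False) and u.get("otp_ok", False)
def pam_unix(u):                  # password check (use_first_pass abstracted)
    return u.get("password_ok", False)

def run_stack(stack, user):
    """True if PAM would report success for this auth stack and user."""
    ok_seen, failed, i = False, False, 0
    while i < len(stack):
        control, module = stack[i]
        action = control["success"] if module(user) else control["default"]
        i += 1
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            failed = True             # first failure decides the result
            if action == "die":
                break                 # die: stop the stack immediately
        else:                         # ok, done, or a jump count (= ok + skip)
            ok_seen = True
            if action == "done":
                break                 # done: stop, return the recorded state
            if action.isdigit():
                i += int(action)      # skip the next N rules
    return ok_seen and not failed

# First reply: YubiKey OR password.
EITHER_STACK = [(SUFFICIENT, pam_yubico), (REQUIRED, pam_unix)]

# Second reply: both @include files, then the service's own pam_unix rule
# standing in for the rest of common-auth.
GROUPED_STACK = [
    (ctl("[success=2 default=ignore]"), notingroup("yubikey-passwd-auth")),
    (REQUISITE, pam_yubico),
    (ctl("[success=done default=die]"), pam_unix),
    (ctl("[success=1 default=ignore]"), notingroup("yubikey-auth")),
    (ctl("[success=done default=die]"), pam_yubico),
    (REQUIRED, pam_unix),
]
```

Running the grouped stack against a user in yubikey-passwd-auth who has no mapping entry returns failure even with a correct password, which is the lockout the warning above describes.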
