Yubico Forum https://forum.yubico.com/ |
|
using pam module for SSH auth without requiring passwd https://forum.yubico.com/viewtopic.php?f=3&t=351 |
Page 1 of 1 |
Author: | pl4yer0ne [ Wed Jul 08, 2009 8:53 am ] |
Post subject: | using pam module for SSH auth without requiring passwd |
Hi all, So the pam module works really well, got the authorised keys stuff all working as well. What I am trying to do though is allow ssh access via yubikey without a password OR via password without the yubikey. Is there any way to get that happening? I was thinking of having an option to either require 2 factor or not possibly per user/per module. The idea is to allow some users to login via shh or use sudo and similar via a yubikey while allowing other users to use passwords and PKI as normal. Any help appreciated. P1 |
Author: | network-marvels [ Thu Jul 09, 2009 8:55 am ] |
Post subject: | Re: using pam module for SSH auth without requiring passwd |
The current Yubico PAM module is designed to support two factor authentication. Using the current PAM module it will not be possible to provide just YubiKey based one factor authentication (Username + YubiKey OTP) for some users and password based authentication for other users (Username + Password). However, using the current PAM module some users can be provided with YubiKey based two factor authentication (Username + Password + YubiKey OTP) and other users with password based authentication (Username + Password). Providing such a functionality would require some modifications in the current Yubico PAM module. |
Author: | msvilp [ Wed Aug 26, 2009 7:25 am ] |
Post subject: | Re: using pam module for SSH auth without requiring passwd |
It is possible to configure PAM so that users can log in with YubiKey or password. Those users who don't have a YubiKey (specified in mapping file), can log in only with password. I have done this with following auth-rules: Code: auth sufficient pam_yubico.so (arguments...) auth required pam_unix.so (arguments...) If sufficient-control returns OK, no further auth-rules are checked, so make sure that there are no more auth-lines after these. PAM seems to be quite versatile, and different kind of modules can be stacked together to achieve desired behaviour. There is, for example, pam_lockout -module, that returns fail for specified user or group. More complex alternative could be pam_listfile, which is included in most distributions already. Using the substack-control in PAM configuration, it might be possible to do the following (or just about anything similar):
I will do some tests with these kind of configurations. If you are intrested, check the PAM documantation in http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html, and tell if you come up with a working solution. |
Author: | msvilp [ Mon Aug 31, 2009 3:07 pm ] |
Post subject: | Re: using pam module for SSH auth without requiring passwd |
Hello again, I have now tested different configurations, and it is actually quite easy to require password+YubiKey for some users and just passwd for others. All this is accomplished with pam_succeed_if.so module along with some specific control values for PAM. First, create group yubikey-passwd-auth. Also, have the YubiKey mapping file ready (mine is in etc/security/yubikey.map). Beware, if the user has no YubiKey mapping, and YubiKey-login is enforced, the user has no way to log in! I created a file /etc/pam.d/yubikey-passwd-auth: Code: # PAM configuration file for password+YubiKey authentication, if the user # is in group yubikey-passwd-auth # Skip the following rules if user is not in the specified group auth [success=2 default=ignore] pam_succeed_if.so quiet user notingroup yubikey-passwd-auth # Perform YubiKey authentication and die if this fails auth requisite pam_yubico.so id=XX authfile=/etc/security/yubikey.map # Check the password returned from the pam_yubico module, declare authentication done # if this succeeds, die if it fails auth [success=done default=die] pam_unix.so use_first_pass And, the following code must be added to a sevice file in /etc/pam.d/: Code: @include yubikey-passwd-auth This code must be added just before the pam_unix.so call, or before the @include common-auth line (or similar). You can go even further and configure your system so that:
For this, the yubikey-auth file would look like this: Code: # PAM configuration file for YubiKey authentication, if the user is in group yubikey-auth # Skip the following rule if user is not in the specified group auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey-auth # Perform YubiKey authentication auth [success=done default=die] pam_yubico.so id=XX authfile=/etc/security/yubikey.map How does this method look like? Are there any security considerations? Configuring two-factor authentication with PAM seems very elegant solution to me, as Yubico PAM module can be stacked with any other authentication module. There is also no need to modify the Yubico PAM module to support complex configurations. - Mikko |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |