Yubico Forum
https://forum.yubico.com/

yubico-pam with several users with Yubikey AND no Yubikey
https://forum.yubico.com/viewtopic.php?f=3&t=494
Page 1 of 1

Author:  matrox [ Mon Mar 08, 2010 8:00 pm ]
Post subject:  yubico-pam with several users with Yubikey AND no Yubikey

Hello,

I've just installed yubico-pam as explained here: http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM
I used "User Level" and I wanted to know if this configuration should work only with users with a Yubikey or also with others,
because my user works fine, but others cannot log on anymore.

Is it possible that both users can log on, independently of the Yubikey?

Thank you in advance for your help.

Author:  samir [ Wed Mar 10, 2010 10:23 am ]
Post subject:  Re: yubico-pam with several users with Yubikey AND no Yubikey

It is possible to provide YubiKey-based two-factor authentication for some users while providing normal username/password authentication for other users using the Yubico PAM module. However, for that you need to modify the Yubico PAM module.

Whenever the Yubico PAM module gets an authentication request, it performs the following steps:

    1) It first parses the password to separate the user's password from the YubiKey OTP
    2) If the password is less than 44 characters, this indicates the OTP is absent from the password. The Yubico PAM module then sends negative status to the underlying PAM modules
    3) If the password is more than 44 characters, the Yubico PAM module separates the user's password and the YubiKey OTP
    4) From the YubiKey OTP, the PAM module then separates the YubiKey ID
    5) It checks the username:YubiKey ID mapping in the file or in the LDAP server (depending on the configuration of the Yubico PAM module)
    6) If it finds a valid username:YubiKey ID mapping, it sends the OTP for validation; otherwise it sends negative status to the underlying PAM modules
    7) If the OTP is validated correctly it sends positive status, otherwise it sends negative status to the underlying PAM module

You need to modify the Yubico PAM module so that it does not send negative status at step 2; instead it checks the username:YubiKeyID mapping stored in a file or in the LDAP server. If the username is present in the mapping, then proceed normally. If the username is not present in the mapping, then directly send success status to the underlying PAM modules so that they can continue validating the username and password. This way you can bypass the Yubico PAM module for the users who do not have a YubiKey.

We hope this helps!
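The decision logic samir describes above, with the proposed change at step 2, as an added illustration in C. This is not pam_yubico's own code: the mapping lines are constructed, the 44-character OTP is a made-up modhex string, and every function, type and constant name is an assumption chosen for this example. The one detail it adds to the post is a modhex check on the trailing 44 characters, so that a long plain password is not mistaken for an OTP once users without a key are allowed through.

```c
/* Added example, not pam_yubico's own code: the password split, YubiKey ID
 * extraction and username:ID lookup that the post above describes, with the
 * proposed change at step 2 (users with no key on file pass through).
 * Function, type and constant names are assumptions for this illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OTP_LEN 44        /* a YubiKey OTP is 44 modhex characters */
#define PUBLIC_ID_LEN 12  /* the first 12 of them are the key's public ID */

typedef enum {
    AUTH_PASS_THROUGH,        /* no key on file: let the next module check the password */
    AUTH_NEED_OTP_VALIDATION, /* mapping matched: send the OTP to the validation server */
    AUTH_DENY                 /* negative status to the PAM stack */
} auth_decision;

/* Constructed mapping in the "user:id1:id2" form of a pam_yubico authfile. */
static const char *const mapping_lines[] = {
    "alice:ccccccbcgujh",
    "bob:cccccccdfgjh:ccccccbhfijk",
};

/* Modhex is the 16-letter alphabet YubiKey OTPs are written in. */
static bool is_modhex(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '\0' || strchr("cbdefghijklnrtuv", s[i]) == NULL)
            return false;
    return true;
}

/* Looks the user up in the mapping. *found_user reports whether the user has
 * any entry; the return value reports whether public_id is one of their keys
 * (pass public_id == NULL to ask only whether the user is listed). */
static bool mapping_lookup(const char *user, const char *public_id, bool *found_user)
{
    size_t ulen = strlen(user);
    *found_user = false;
    for (size_t i = 0; i < sizeof mapping_lines / sizeof mapping_lines[0]; i++) {
        const char *line = mapping_lines[i];
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;
        *found_user = true;
        for (const char *p = line + ulen + 1; public_id != NULL && *p; ) {
            const char *end = strchr(p, ':');
            size_t len = end ? (size_t)(end - p) : strlen(p);
            if (len == PUBLIC_ID_LEN && strncmp(p, public_id, len) == 0)
                return true;
            if (end == NULL)
                break;
            p = end + 1;
        }
        return false;
    }
    return false;
}

/* Steps 1-6 of the post, with the proposed change at step 2. The password
 * (input minus the OTP) and the OTP are copied out so a later module can
 * take the password, which is what lets pam_ldap run after pam_yubico. */
auth_decision decide(const char *user, const char *input,
                     char *password, size_t pwlen, char *otp, size_t otplen)
{
    size_t n = strlen(input);
    bool found_user;

    /* Step 1: treat the last 44 characters as an OTP only if they are modhex.
     * (Assumption added here; the post splits on length alone.) */
    bool has_otp = n >= OTP_LEN && is_modhex(input + n - OTP_LEN, OTP_LEN);

    if (!has_otp) {
        snprintf(password, pwlen, "%s", input);
        otp[0] = '\0';
        /* Step 2 as shipped: deny. Proposed: deny only users with a key on file. */
        mapping_lookup(user, NULL, &found_user);
        return found_user ? AUTH_DENY : AUTH_PASS_THROUGH;
    }

    /* Step 3: split the user's password from the OTP. */
    snprintf(password, pwlen, "%.*s", (int)(n - OTP_LEN), input);
    snprintf(otp, otplen, "%s", input + n - OTP_LEN);

    /* Step 4: the public ID is the first 12 characters of the OTP. */
    char public_id[PUBLIC_ID_LEN + 1];
    memcpy(public_id, input + n - OTP_LEN, PUBLIC_ID_LEN);
    public_id[PUBLIC_ID_LEN] = '\0';

    /* Steps 5-6: the user must own this key, otherwise negative status. */
    if (!mapping_lookup(user, public_id, &found_user))
        return AUTH_DENY;
    return AUTH_NEED_OTP_VALIDATION;
}

/* Convenience wrapper keeping the last split in static buffers. */
static char last_password[128], last_otp[OTP_LEN + 1];
auth_decision decide_login(const char *user, const char *input)
{
    return decide(user, input, last_password, sizeof last_password,
                  last_otp, sizeof last_otp);
}

int main(void)
{
    /* Constructed 44-character modhex OTP for alice's key ccccccbcgujh. */
    const char *sample = "hunter2ccccccbcgujhbdefghijklnrtuvcbdefghijklnrtuvc";
    printf("alice with OTP: %d (password left for next module: %s)\n",
           decide_login("alice", sample), last_password);
    printf("carol, no key on file: %d\n", decide_login("carol", "hunter2"));
    return 0;
}
```

A user in the mapping who omits the OTP is still denied, so adding the pass-through does not weaken the second factor for anyone who has a key on file; the only users reaching the password module alone are those with no entry at all.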

Author:  matrox [ Thu Mar 11, 2010 10:50 am ]
Post subject:  Re: yubico-pam with several users with Yubikey AND no Yubikey

Hey Samir,

First I would like to thank you for your very good description.

Do you know if this patch exists?
And why doesn't the yubico-pam module include this request? Because I'm pretty sure I'm not the only one :)

Author:  samir [ Fri Mar 12, 2010 3:29 pm ]
Post subject:  Re: yubico-pam with several users with Yubikey AND no Yubikey

As of now there is no such patch available.

Implementing this functionality is on the future road map but not actively pursued due to other high priority projects.

Author:  Doc [ Tue May 04, 2010 6:46 pm ]
Post subject:  Re: yubico-pam with several users with Yubikey AND no Yubikey

This is relatively trivial to do using groups, with no changes to the source.

I simply have a group on the system called "yubikey" - anyone in that group will need to use their Password + Yubikey to log in. Users not in that group only need to use their password (in my case, LDAP-based passwords). I only do this for sshd.

To do that I have the following in /etc/sshd:

Code:
auth    [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so id=16 authfile=/etc/yubikeyid

auth    required      pam_ldap.so try_first_pass

# Standard Un*x authentication.
#@include common-auth

The first line tells PAM to skip the next line if the user is not in the group "yubikey".
The second line, which only gets used if the user IS in the yubikey group, is a standard pam_yubico config.
The third line is a standard pam_ldap config - obviously if you're not using LDAP you'll need to modify this a bit.
The fourth (commented-out) line is what was in the file previously, and in my case had to be commented out to avoid it doing local auth. It also gives you an idea of where in a default config these lines have to go.
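To check that the skip in Doc's stack behaves as intended for both kinds of user, here is an added simulation of how PAM walks those three auth lines. It is not the post's configuration nor any PAM code; the module behaviours are stand-ins for what pam_succeed_if, pam_yubico and pam_ldap would decide, and all names are assumptions for this example.

```c
/* Added example, not from the post: a small simulation of PAM walking Doc's
 * three auth lines, to check the skip logic for users in and out of the
 * "yubikey" group. Names and the module behaviours are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { MOD_NOT_IN_GROUP, MOD_YUBICO, MOD_LDAP } module_kind;

typedef struct {
    module_kind kind;
    int skip_on_success; /* [success=N default=ignore]; -1 means plain "required" */
} stack_entry;

/* Doc's auth stack, transcribed line by line. */
static const stack_entry doc_stack[] = {
    { MOD_NOT_IN_GROUP, 1 }, /* auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey */
    { MOD_YUBICO, -1 },      /* auth required pam_yubico.so id=16 authfile=/etc/yubikeyid */
    { MOD_LDAP, -1 },        /* auth required pam_ldap.so try_first_pass */
};
#define STACK_LEN (sizeof doc_stack / sizeof doc_stack[0])

/* Constructed user state standing in for what each module would find. */
typedef struct {
    bool in_yubikey_group;
    bool otp_valid;
    bool ldap_password_valid;
} user_ctx;

static bool run_module(module_kind kind, const user_ctx *u)
{
    switch (kind) {
    case MOD_NOT_IN_GROUP: return !u->in_yubikey_group; /* pam_succeed_if "notingroup" */
    case MOD_YUBICO:       return u->otp_valid;
    case MOD_LDAP:         return u->ldap_password_valid;
    }
    return false;
}

/* Walks the stack. *consulted gets bit i set for every module that ran;
 * the return value is the overall result of the auth stack. */
bool run_stack(const user_ctx *u, unsigned *consulted)
{
    bool failed = false;
    *consulted = 0;
    for (size_t i = 0; i < STACK_LEN; ) {
        const stack_entry *e = &doc_stack[i];
        *consulted |= 1u << i;
        bool ok = run_module(e->kind, u);
        if (e->skip_on_success >= 0) {
            /* success=N jumps over the next N modules; any other result is
             * ignored: it neither fails the stack nor counts as a success. */
            i += ok ? 1 + (size_t)e->skip_on_success : 1;
            continue;
        }
        /* "required": a failure is remembered, but later modules still run. */
        if (!ok)
            failed = true;
        i++;
    }
    return !failed;
}

/* Convenience wrapper taking the three facts about a user directly. */
bool doc_stack_result(bool in_group, bool otp_valid, bool ldap_valid, unsigned *consulted)
{
    user_ctx u = { in_group, otp_valid, ldap_valid };
    return run_stack(&u, consulted);
}

int main(void)
{
    unsigned c;
    bool r = doc_stack_result(true, true, true, &c);
    printf("group member, good OTP and password: %s, modules run: 0x%x\n", r ? "allowed" : "denied", c);
    r = doc_stack_result(false, false, true, &c);
    printf("non-member, good password: %s, modules run: 0x%x\n", r ? "allowed" : "denied", c);
    return 0;
}
```

The bit mask makes the point of the first line visible: for a non-member, bit 1 (pam_yubico) never sets, while for a member all three modules run and a bad OTP fails the stack even though pam_ldap still executes afterwards.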
