Yubico Forum

Hello,

My first time trying to set this up, so please bear with me if these are simple questions.

We want to set up our system to require users that are logging in using two-factor with a YubiKey to our Linux servers.

Our only complication is that our servers are hosted by a hosting providor. As such, they would not have a YubiKey availble to them.

Can I somehow set up the requirement for using the YubiKey on a per user basis?

As an example, John Doe works for us, but Jim Smith works for the hosting company.

As such, user ID jdoe would need a YubiKey, but user ID jsmith would just login with an ID and password.

Is this possible?

Thanks,

JT

Hello,

Please provide us details on which applications/services on the hosted linux servers (e.g. ssh or ftp or a web application etc.?) that you would like to enable for selective two-factor authentication. Please try to include as many details on your environment as possible (e.g. OS version, applications/services and software used etc.) so we can suggest a best solution to meet your requirement.

Best regards,
Samir.

Most of our servers are Red Hat Enterprise 5 (64 bit) and we have one Red Hat 6 (Enterprise) server. All using local OS authentication. We want to use the two-factor for SSH connections, as that is where most administration occurs.

These servers run LAMP, R and RStudio.

Thanks,

Jeff

Hello Jeff,

Unfortunately you cannot do perform "discrete yubikey access" at the moment. You can remotely access your server and log in with a Yubikey, but you cannot enforce it only for some users. This might change in the near future but at the moment what you describe is not possible.

I hope this helps.
Tom.

_________________
-Tom

Hi Jeff,
I was wondering if any new effort has been put into this feature? We are in the process of evaluating a yubikey deployment for UNIX logins and we can not have specific accounts tied to OTP. They must be excluded (for example the root account). We require a way into the local system if the authentication server is down. I see that many other PAM auth modules have arguments for things like exclude_users, but this one does not seem to support one. Could you let us know where (if at all) this feature is on the roadmap?

Thanks,
-Steve

Wouldn't you just use the pam module pam_succeed_if.so? The Following taken from an online doc for pam_succeed_if.so:


Given that the type matches, only loads the othermodule rule if the UID is over 500. Adjust the number after default to skip several rules.

type [default=1 success=ignore] pam_succeed_if.so quiet uid > 500
type required othermodule.so arguments...e


So the type would be "auth"
instead of uid > 500 it would be "user ingroup nonyubi"
instead of othermodule.so it would be the yubi pam module entry.

then create a group called nonyubi and add all the users that you don't want yubikey to be enforced for.

All this does is not load the line following the pam_succeed_if.so if the test is true.

Will this not work?

(This can also be reversed with notingroup test)

Jim