Yubico Forum


All times are UTC + 1 hour

Post new topic Reply to topic  [ 5 posts ]
PostPosted: Mon Mar 08, 2010 8:00 pm 

Joined: Mon Mar 08, 2010 7:29 pm
Posts: 3
Hello,

I've just installed yubico-pam as explained here : http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM
I used "User Level" and I wanted to know whether this configuration should work only for users with a YubiKey or also for the others.
My user works fine, but the others can't log on anymore.

Is it possible for both kinds of user to log on, independent of the YubiKey?

Thank you in advance for your help.



PostPosted: Wed Mar 10, 2010 10:23 am 
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
It is possible to provide YubiKey based two factor authentication for some users while normal username/password authentication for other users using the Yubico PAM module. However, for that you need to modify the Yubico PAM module.

Whenever the Yubico PAM module gets an authentication request, it performs the following steps:

    1) It first parses the password to separate the user's password from the YubiKey OTP.
    2) If the password is less than 44 characters, this indicates that the OTP is absent from the password. The Yubico PAM module then sends a negative status to the underlying PAM modules.
    3) If the password is more than 44 characters, the Yubico PAM module separates the user's password and the YubiKey OTP.
    4) From the YubiKey OTP, the PAM module then extracts the YubiKey ID.
    5) It checks the username:YubiKey ID mapping in the file or in the LDAP server (depending on the configuration of the Yubico PAM module).
    6) If it finds a valid username:YubiKey ID mapping, it sends the OTP for validation; otherwise it sends a negative status to the underlying PAM modules.
    7) If the OTP validates correctly, it sends a positive status; otherwise it sends a negative status to the underlying PAM modules.

You need to modify the Yubico PAM module so that it does not send a negative status at step 2; instead it should check the username:YubiKey ID mapping stored in the file or in the LDAP server. If the username is present in the mapping, proceed normally. If the username is not present in the mapping, directly send a success status to the underlying PAM modules so that they can continue validating the username and password. This way you can bypass the Yubico PAM module for the users who do not have a YubiKey.

We hope this helps!


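The steps listed in the reply above, together with the proposed "skip users who have no mapped key" change, modelled as an added example. This is not pam_yubico's own code: it mirrors the decisions the post lists but returns strings instead of PAM status codes, takes the OTP validator as a callable so it runs offline (the validator here is a stand-in for YubiCloud or a local validation server that only remembers which OTPs it has already accepted), and uses a constructed authfile and a constructed 44-character modhex OTP as sample input. The authfile format (`username:publicid[:publicid...]`) is the one yubico-pam uses; the modhex sanity check on the OTP tail is an extra check the post does not mention.

```python
"""Model of the password/OTP handling described in the reply (steps 1-7)
and of the proposed "skip users with no mapped key" change.

Added example, not pam_yubico's own code.
"""
import re

OTP_LEN = 44         # a YubiKey OTP is 44 modhex characters
PUBLIC_ID_LEN = 12   # the first 12 of them are the public (key) ID
MODHEX = re.compile(r"^[cbdefghijklnrtuv]+$")

# Constructed sample data (not from the post): one OTP "from" alice's key
# and an authfile that maps alice to that key's public ID.
OTP_ALICE = "ccccccbcgujh" + "ingjrdejhgcuvheietkkihklhtrbvgfk"
AUTHFILE_TEXT = """\
# username:public-id[:public-id...]  (yubico-pam authfile format)
alice:ccccccbcgujh
"""


def split_password(authtok):
    """Steps 1-3: split the typed string into (password, otp).

    otp is None when the string is shorter than an OTP or when its tail
    is not modhex (the modhex check is an extra sanity check not in the post).
    """
    if len(authtok) < OTP_LEN:
        return authtok, None
    password, otp = authtok[:-OTP_LEN], authtok[-OTP_LEN:]
    if not MODHEX.match(otp):
        return authtok, None
    return password, otp


def parse_authfile(text):
    """Step 5: build {user: {public_id, ...}} from an authfile."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, set()).update(i for i in ids if i)
    return mapping


def make_demo_validator(known_otps):
    """Stand-in for the validation server: accepts each known OTP once
    and rejects any replay of it."""
    seen = set()

    def validate(otp):
        if otp not in known_otps or otp in seen:
            return False
        seen.add(otp)
        return True

    return validate


def authenticate(user, authtok, mapping, validate_otp, skip_unmapped=False):
    """Return (status, password_for_next_module).

    status is "PAM_SUCCESS" or "PAM_AUTH_ERR".  skip_unmapped=False is the
    stock behaviour from the post; skip_unmapped=True is the proposed
    change: a user with no entry in the authfile passes straight through
    and the whole typed string is handed on to the next module as the password.
    """
    if skip_unmapped and user not in mapping:
        # Proposed change. The mapping lookup comes before the OTP check so
        # an unmapped user with a long password is not misparsed as
        # "password + OTP" and locked out.
        return "PAM_SUCCESS", authtok

    password, otp = split_password(authtok)
    if otp is None:
        return "PAM_AUTH_ERR", None             # step 2: OTP absent

    public_id = otp[:PUBLIC_ID_LEN]             # step 4
    if public_id not in mapping.get(user, ()):  # steps 5-6: key not mapped to user
        return "PAM_AUTH_ERR", None
    if not validate_otp(otp):                   # step 7: server says no (or replay)
        return "PAM_AUTH_ERR", None
    return "PAM_SUCCESS", password


if __name__ == "__main__":
    mapping = parse_authfile(AUTHFILE_TEXT)
    validate = make_demo_validator({OTP_ALICE})
    print(authenticate("alice", "s3cret" + OTP_ALICE, mapping, validate))
    print(authenticate("alice", "s3cret" + OTP_ALICE, mapping, validate))  # replayed OTP
    print(authenticate("bob", "hunter2", mapping, validate))
    print(authenticate("bob", "hunter2", mapping, validate, skip_unmapped=True))
    print(authenticate("alice", "s3cret", mapping, validate, skip_unmapped=True))
```

Note that with the proposed change a user who does have an entry in the mapping still cannot log in without the OTP; only users absent from the mapping are waved through, so the authfile becomes the list of who must use two factors.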
PostPosted: Thu Mar 11, 2010 10:50 am 

Joined: Mon Mar 08, 2010 7:29 pm
Posts: 3
Hey Samir,

First I would like to thank you for your very good description.

Do you know if this patch exists?
And why doesn't the yubico-pam module include this feature? Because I'm pretty sure I'm not the only one :)


PostPosted: Fri Mar 12, 2010 3:29 pm 
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
As of now there is no such patch available.

Implementing this functionality is on the future road map but not actively pursued due to other high priority projects.


PostPosted: Tue May 04, 2010 6:46 pm 

Joined: Fri Jan 15, 2010 5:50 pm
Posts: 8
This is relatively trivial to do using groups, with no changes to the source.

I simply have a group on the system called "yubikey" - anyone in that group will need to use their Password + Yubikey to login. Users not in that group only need to use their password (in my case, LDAP-based passwords). I only do this for sshd.

To do that I have the following in /etc/sshd:

Code:
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup yubikey
auth    required                    pam_yubico.so id=16 authfile=/etc/yubikeyid

auth    required                    pam_ldap.so try_first_pass

# Standard Un*x authentication.
#@include common-auth


The first line tells PAM to skip the next line if the user is not in the group "yubikey".
The second line, which only gets used if the user IS in the yubikey group, is a standard pam_yubico config.
The third line is a standard pam_ldap config; obviously if you're not using LDAP you'll need to modify this a bit.
The fourth (commented-out) line is what was in the file previously, and in my case had to be commented out to avoid it doing local auth. It also gives you an idea of where in a default config these lines have to go.


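The same group-based stack for a host that checks local passwords instead of LDAP, as an added example that is not part of the post above. It assumes the sshd PAM service file lives at /etc/pam.d/sshd (the post writes /etc/sshd) and that pam_unix.so is the module that checks the local password; the `id=16` and `authfile=/etc/yubikeyid` values are carried over from the post.

```text
# /etc/pam.d/sshd (assumed path)
#
# pam_succeed_if: for a user NOT in group "yubikey", success=1 jumps over
# the next one line (pam_yubico); default=ignore leaves the stack result
# untouched for everyone else. The number after success= is a line count:
# if another module is inserted between these two lines it must be bumped.
auth    [success=1 default=ignore]  pam_succeed_if.so quiet user notingroup yubikey

# Only reached by members of "yubikey": password + OTP are typed as one
# string, pam_yubico strips the OTP and hands the password on.
auth    required                    pam_yubico.so id=16 authfile=/etc/yubikeyid

# Everyone ends up here; try_first_pass reuses the password already typed
# instead of prompting again (replaces pam_ldap.so from the post).
auth    required                    pam_unix.so try_first_pass
```

Two checks worth doing before relying on this: every member of the yubikey group must have a line in /etc/yubikeyid, since a member with no mapping is refused at the pam_yubico line rather than falling back to password-only; and the group membership itself should be verified with `id -nG <user>` on the host, because pam_succeed_if decides on the group as seen by that host, not by the LDAP server.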