Yubico Forum https://forum.yubico.com/ |
|
Q: OpenSSH+PAM - ssh key sufficient, otherwise use pass+OTP https://forum.yubico.com/viewtopic.php?f=5&t=652 |
Page 1 of 1 |
Author: | TQM [ Thu Mar 24, 2011 4:54 pm ] |
Post subject: | Q: OpenSSH+PAM - ssh key sufficient, otherwise use pass+OTP |
Hi Wondering if maybe somebody has already done it and could share how it was done? I'm looking for setup where SSH allows login using ssh keys without using Yubikey but if user doesn't do key-auth then (s)he is asked for password+OTP. This is for situations where user sitting at his own workstation can ssh in without any issues but if he's on the road and connects from untrusted machine (doesn't have his ssh key with him), then OTP is required. Any ideas/advice welcome TQM |
Author: | TQM [ Thu Mar 24, 2011 11:53 pm ] |
Post subject: | Re: Q: OpenSSH+PAM - ssh key sufficient, otherwise use pass+ |
I think I've sorted it out - one thing I didn't realize was that SSH doesn't use PAM if you do key based auth... in default setup key auth is first, then interactive password prompt and that's exactly where PAM comes to play. As usual the answer is "RTFM and if you still don't get it, go RTFM even more" Now I'll try to do even more... add a backup (disconnected mode) to have three entry otpions: 1. SSH with key auth (works for both on/off-line systems) 2. SSH with password and OTP (for on-line systems, testing against Yubico cloud) 3. SSH with password and OTP (for off-line systems, using http://www.securixlive.com/yubipam) Chances that I'll be at the machine and won't have my ssh key are rather very very slim, but better be safe than sorry and setting it up looks like good fun Comments/ideas welcome! TQM |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |