Comments (6)
We are happy to review this if someone prepares a pull request for it.
from yubico-pam.
Was this ever corrected? So far I can only utilize the forced authentication against a single user and I'd like to allow my local admin accounts access without the need for authentication.
from yubico-pam.
I just obtained my first YubiKey and have started playing with it. I found the pam module lacking a bit, primarily when using OpenPAM. On Linux, I'm able to use an extended syntax in PAM to allow members of a specific group to require a Yubikey with `[success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey`. However, OpenPAM does not allow this extended syntax, so while this worked well on my Linux implementations, it isn't going to cut it for my Mac server.
I've just grabbed the source for yubico_pam and am going to add an external configuration file (/etc/yubico_pam.conf) to allow group-based authorization configuration and group specification. If the group authentication in the config file is set to on and the user is not in the group, I'll simply return a PAM_SUCCESS and skip over everything.
Can anyone think of any issues with this? And if it works, is this something anyone might be interested in?
from yubico-pam.
My fork of this PAM module now supports an `authgroup=` PAM module parameter that allows you to specify a group to check for their yubikey. If a user that authenticates is NOT in the group specified in `authgroup=`, a key will not be required. This is only for the challenge-response mode at this time. I've submitted a pull request, but my editor changed the indentation of the code so it's a little bleh in terms of the file changes. The changes will be seen in util.c (CheckGroup function), util.h (declaration of CheckGroup and a few new includes) and pam_yubico.c at the beginning of the do_challenge_response function, as well as the one addition of a `const char *groupauth` in the cfg structure.
Cheers.
Jon
from yubico-pam.
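The group check described in the comment above, sketched as an added example; this is not the code from the fork or from the pull request. The names `in_group`, `key_policy_for` and `enum key_policy` are hypothetical, and requiring the key whenever a lookup fails is an assumption of this sketch, chosen so that a mistyped `authgroup=` value does not silently exempt every user from the second factor.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical names; the caller maps the result to a PAM return code. */
enum key_policy { KEY_REQUIRED = 0, KEY_NOT_REQUIRED = 1 };

/* Membership test on an already resolved group entry. A user belongs to the
 * group either through the member list or through the primary gid, which
 * does not appear in gr_mem. */
static int in_group(const char *user, gid_t primary_gid, const struct group *gr)
{
    if (user == NULL || gr == NULL)
        return 0;
    if (gr->gr_gid == primary_gid)
        return 1;
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Decide whether the YubiKey step applies to this user. Assumption of this
 * sketch: any failed lookup (no group configured, unknown group, unknown
 * user) keeps the key required instead of skipping it. */
enum key_policy key_policy_for(const char *user, const char *authgroup)
{
    if (user == NULL || authgroup == NULL || *authgroup == '\0')
        return KEY_REQUIRED;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return KEY_REQUIRED;
    gid_t primary = pw->pw_gid;   /* copy before the next lookup call */
    struct group *gr = getgrnam(authgroup);
    if (gr == NULL)
        return KEY_REQUIRED;
    return in_group(user, primary, gr) ? KEY_REQUIRED : KEY_NOT_REQUIRED;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s USER AUTHGROUP\n", argv[0]);
        return 2;
    }
    puts(key_policy_for(argv[1], argv[2]) == KEY_REQUIRED
             ? "key required" : "key not required");
    return 0;
}
```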
@JonnyWhatshisface submitted PR #74 but the process looks to have stalled back at the end of August.
from yubico-pam.
Hey - my apologies for the stalling. I recently moved out of the US and I'm sure you can imagine I've been swamped.
I'm going to get this done within the next couple of days and resubmitted. I've actually begun quite a nifty addition that will later be submitted as well. The ability to contact a remote daemon to perform the lookup of the challenge response, making a way to centralize the storage of the secrets to deploy in larger infrastructures.
First thing is first, however - I'll get the modifications done to this patch and resubmit in the next couple of days. :)
from yubico-pam.