Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pam configuration to login with yubikey, but only if present #240

Open
rocketraman opened this issue Apr 24, 2022 · 1 comment
Open

Pam configuration to login with yubikey, but only if present #240

rocketraman opened this issue Apr 24, 2022 · 1 comment

Comments

@rocketraman
Copy link

I'm trying to configure my Fedora 35 system to accept logins via my yubikey, but only if it is plugged in. If it is not plugged in, then I would like to fall back to my regular password.

It doesn't look like the yubico-pam module has any type of option to skip the module if the yubikey is not plugged in.

My /etc/pam.d/sudo configuration looks like this:

auth       sufficient   pam_yubico.so id=1 authfile=/etc/yubikeys
auth       include      system-auth
...

and this mostly works. Though it doesn't skip the Yubikey prompt if the Yubikey is not plugged in, upon hitting enter it does move on to prompt for the usual password.

However my /etc/pam.d/kde configuration looks like this:

auth       sufficient   pam_yubico.so id=1 authfile=/etc/yubikeys
auth       substack     system-auth
auth       include      postlogin

and with this configuration only the yubikey is accepted. If the yubikey is not plugged in, then I am unable to login with my usual password at all. Adding nullok does not fix it.
@rocketraman
Copy link
Author

rocketraman commented Apr 25, 2022
edited
Loading

Update, I've added the pam_yubico.so module in the included system-auth substack directly rather than in the calling configuration e.g. /etc/pam.d/kde or /etc/pam.d/sudo. Having done so, I see that this configuration works:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_yubico.so id=1 authfile=/etc/yubikeys try_first_pass nullok
auth        required      pam_deny.so

however, reversing the order of the pam_unix.so and pam_yubico.so modules works for sudo but does not work for the KDE screen lock:

auth        required      pam_env.so
auth        sufficient    pam_yubico.so id=1 authfile=/etc/yubikeys try_first_pass nullok
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

I suspect it has something to do with how these modules deal with try_first_pass and/or nullok. With yubico first, if I try this with sudo I first am prompted for YubiKey, and then if not entering anything, or entering an invalid value at the Yubikey prompt, I get prompted again for the regular password:

$ sudo -i
YubiKey for `raman': <enter>
[sudo] password for raman: <regular password works>

but if I do it with unix first, I am only prompted once, and I can enter either my regular password or my Yubikey OTP:

$ sudo -i
[sudo] password for raman: <regular password works, OR yubikey OTP works>

The KDE lock screen is not handling the "re-prompt", whereas sudo is. I don't know enough about this to understand if there is an issue here (or where), but I don't think the order of these modules where both are sufficient should matter in general PAM terms, so it feels like a bug somewhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rocketraman and others