Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

PAM configuration to login with YubiKey, but only if present #240

Open rocketraman opened 2 years ago

rocketraman commented 2 years ago

I'm trying to configure my Fedora 35 system to accept logins via my YubiKey, but only if it is plugged in. If it is not plugged in, then I would like to fall back to my regular password.

It doesn't look like the yubico-pam module has any type of option to skip the module if the YubiKey is not plugged in.

My /etc/pam.d/sudo configuration looks like this:

auth       sufficient   pam_yubico.so id=1 authfile=/etc/yubikeys
auth       include      system-auth
...

and this mostly works. Though it doesn't skip the YubiKey prompt if the YubiKey is not plugged in, upon hitting enter it does move on to prompt for the usual password.

However my /etc/pam.d/kde configuration looks like this:

auth       sufficient   pam_yubico.so id=1 authfile=/etc/yubikeys
auth       substack     system-auth
auth       include      postlogin

and with this configuration only the YubiKey is accepted. If the YubiKey is not plugged in, then I am unable to login with my usual password at all. Adding nullok does not fix it.

rocketraman commented 2 years ago

Update: I've added the pam_yubico.so module in the included system-auth substack directly, rather than in the calling configuration (e.g. /etc/pam.d/kde or /etc/pam.d/sudo). Having done so, I see that this configuration works:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_yubico.so id=1 authfile=/etc/yubikeys try_first_pass nullok
auth        required      pam_deny.so

however, reversing the order of the pam_unix.so and pam_yubico.so modules works for sudo but does not work for the KDE screen lock:

auth        required      pam_env.so
auth        sufficient    pam_yubico.so id=1 authfile=/etc/yubikeys try_first_pass nullok
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

I suspect it has something to do with how these modules deal with try_first_pass and/or nullok. With yubico first, if I try this with sudo I am first prompted for the YubiKey, and then, if I enter nothing or an invalid value at the YubiKey prompt, I get prompted again for the regular password:

$ sudo -i
YubiKey for `raman': <enter>
[sudo] password for raman: <regular password works>

but if I do it with unix first, I am only prompted once, and I can enter either my regular password or my YubiKey OTP:

$ sudo -i
[sudo] password for raman: <regular password works, OR yubikey OTP works>

The KDE lock screen is not handling the "re-prompt", whereas sudo is. I don't know enough about this to understand if there is an issue here (or where), but I don't think the order of these modules, where both are sufficient, should matter in general PAM terms, so it feels like a bug somewhere.
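To make the prompt-count difference between the two orderings above concrete, here is a small added model (not code from yubico-pam or from the reporter) of how an auth stack of `sufficient` modules with try_first_pass plays out. The module behaviours are simplifications chosen to match the two sudo transcripts in the thread, and the password and OTP format are constructed values.

```python
# Toy evaluator for the two auth stacks discussed in this issue.
# Assumptions (a model, not Linux-PAM itself):
#  - "sufficient": module success ends the stack with success, failure moves on
#  - "required": failure is remembered but the stack still runs to the end
#  - try_first_pass: a module reuses a token an earlier module collected and
#    only prompts when no usable token is present
#  - a failed YubiKey prompt hands nothing on (matches the sudo transcript:
#    empty or invalid OTP is followed by the regular password prompt)
PASSWORD = "hunter2"      # constructed local password
OTP_PREFIX = "cccc"       # constructed: a 44-char token with this prefix "verifies"

class Session:
    """Shared PAM_AUTHTOK plus a record of every prompt the user saw."""
    def __init__(self, answers):
        self.answers = list(answers)   # what the user types, prompt by prompt
        self.authtok = None            # token shared between stacked modules
        self.prompts = []

    def token_or_prompt(self, label):
        if self.authtok:               # try_first_pass: reuse earlier input
            return self.authtok
        self.prompts.append(label)
        self.authtok = self.answers.pop(0) if self.answers else ""
        return self.authtok

def pam_unix(s):
    return s.token_or_prompt("password") == PASSWORD

def pam_yubico(s):
    tok = s.token_or_prompt("YubiKey")
    if len(tok) == 44 and tok.startswith(OTP_PREFIX):
        return True
    s.authtok = None                   # failed OTP is not passed to later modules
    return False

def pam_deny(s):
    return False

def run_stack(stack, answers):
    """Evaluate [(control, module), ...]; returns (authenticated, prompts shown)."""
    s = Session(answers)
    failed_required = False
    for control, module in stack:
        ok = module(s)
        if control == "sufficient" and ok and not failed_required:
            return True, s.prompts
        if control == "required" and not ok:
            failed_required = True
    return False, s.prompts

UNIX_FIRST = [("sufficient", pam_unix), ("sufficient", pam_yubico), ("required", pam_deny)]
YUBICO_FIRST = [("sufficient", pam_yubico), ("sufficient", pam_unix), ("required", pam_deny)]
```

With unix first a single prompt accepts either secret, while yubico first needs a second prompt whenever the OTP is absent, which is the case a one-prompt lock screen cannot handle.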