Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Do PAM modules really require root? #90

Open JensRantil opened 8 years ago

JensRantil commented 8 years ago

These two pages claim that root user privileges are required to authenticate against PAM:

Are you really sure this is required? AFAIK, the process must have read access to:

  1. The Yubikey mapping file.
  2. /etc/shadow for unix authentication. On Ubuntu this involves assigning the shadow group to the process's user.

I just provisioned a non-root process (not FreeRadius) to authenticate with Yubikey and it worked fine as long as I fixed the above privileges.
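A way to verify the two read prerequisites listed in the comment above for a non-root service account, as an added example that is not part of the thread or of yubico-pam. The account name and mapping-file path are placeholders (assumptions), and the check covers classic mode bits only, not ACLs or capabilities.

```python
import os
import pwd

R_BIT, X_BIT = 4, 1


def mode_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix mode-bit check: the first matching class among owner,
    group, other decides. ACLs and capabilities are not considered."""
    if uid == 0:
        return True
    if owner_uid == uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & want)


def can_read(path, uid, gids):
    """True if uid/gids can traverse every parent directory and read path."""
    path = os.path.realpath(path)
    parent = os.path.dirname(path)
    while True:
        st = os.stat(parent)
        if not mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, X_BIT):
            return False
        if parent == os.path.dirname(parent):  # reached "/"
            break
        parent = os.path.dirname(parent)
    st = os.stat(path)
    return mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, R_BIT)


def audit(account, paths):
    """Map each path to whether the named account can read it."""
    pw = pwd.getpwnam(account)
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    return {p: can_read(p, pw.pw_uid, gids) for p in paths}


if __name__ == "__main__":
    # Placeholders (assumptions): the service account and the mapping file path.
    account = "example-service"
    for path, ok in audit(account, ["/etc/shadow", "/path/to/yubikey_mappings"]).items():
        print(f"{'ok' if ok else 'NO ACCESS':9} {path}")
```

A result of `NO ACCESS` for `/etc/shadow` on an account that is not in the group owning that file is the expected least-privilege default.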

klali commented 8 years ago

This documentation is quite old and might have errors. If you've gone through this recently we'd be very happy to merge pull requests making the documentation better (the pages at developers.yubico.com are autogenerated from the doc folder of this repo).

JensRantil commented 8 years ago

Unfortunately, I am rather busy with other things. At least now you know that the documents aren't following best practices when it comes to FreeRadius configuration.