google / google-authenticator-libpam


forward_pass/feature request #103

Open helpdeskdan opened 6 years ago

helpdeskdan commented 6 years ago

Very simply, it would be nice if there were a feature similar to forward_pass, but would forward the password unmodified. Example use case:

auth [success=2 default=ignore] pam_unix.so forward_pass
auth [success=1 default=ignore] pam_krb5.so try_first_pass

This allows unix or Kerberos login. Same config with pam_google_authenticator.so will not work, perhaps because it is expecting to strip a pin. (Eventually works, but first password prompt will always fail if you are trying krb5)

Thank you for your work on this project.

ThomasHabets commented 6 years ago

What's the scenario you want to support, exactly? Order of checks, etc? E.g. I don't expect someone who doesn't have an OTP to have a password matching the pattern of password+otp, right?

helpdeskdan commented 6 years ago

No, you don't expect that, but it is what I would like though it may sound silly.

Quite simply: Support (password OR otp) instead of (password AND otp). This is possible with pam_unix; the change I propose would make it possible. Thank you for your reply.

akerl commented 6 years ago

Why would that be desirable? It seems like it would be a pretty serious detriment to the security of the system, since instead of ending up with two-factor auth for the system you'd end up with multiple parallel single-factor auth options for an attacker to pick between.

helpdeskdan commented 6 years ago

Indeed, without fail2ban or some other brute force protection, that could be worse. That said, my use case is not necessarily for system login nor my choice. Thank you for your consideration.

ThomasHabets commented 6 years ago

I guess I can theoretically see use cases. Maybe some people have the password, some have to use OTP, and it's something like a VPN software client that can't do custom prompts in keyboard-interactive.

Still, in those cases I'd probably want a list of users who should go one or the other way. And then just don't have GA config for the users who'll use password.

But if not that, can you not place GA last and use use_first_pass?

helpdeskdan commented 6 years ago

Please forgive my tardy response.

A good point but, alas, I can't do that. Consider: If a user is told to use pin, but that username also happens to exist in krb5, the krb5 server will see repeated failed logins and decide to lock the account! Hence, I am in a pickle as I require pin to be second. Thank you again for the consideration.

ThomasHabets commented 6 years ago

And what about pam_listfile.so? Do you have users that sometimes will use a PIN, sometimes a password? If not, then pam_listfile.so. Or not have a config, like I said.

If these don't work: I may accept well-written pull requests for this feature, but don't expect it to be made on its own.
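The per-user routing suggested above (pam_listfile.so deciding who goes the OTP way and who goes the password way) can be written as a single PAM stack. The fragment below is an added example, not configuration from the project or from anyone in this thread; the list file path /etc/security/otp-users is a placeholder, and it assumes the same pam_krb5.so and pam_google_authenticator.so modules discussed here. Each user still has exactly one authentication path, so it keeps the two methods from racing each other rather than turning the stack into password-or-OTP for every account.

```pam
# /etc/pam.d/sshd, auth section (example; paths and module order are assumptions)
#
# Step 1: is this user on the OTP list?
#   - listed user   -> PAM_SUCCESS, "success=1" skips the next module (pam_krb5)
#   - unlisted user -> PAM_AUTH_ERR, "default=ignore" just falls through
#   onerr=fail: a missing or unreadable list file must not silently grant anything
auth  [success=1 default=ignore]  pam_listfile.so item=user sense=allow file=/etc/security/otp-users onerr=fail

# Step 2 (unlisted users only): Kerberos password is the whole decision.
#   "success=done" ends the stack with success, "default=die" ends it with failure,
#   so an unlisted user never reaches the OTP module.
auth  [success=done default=die]  pam_krb5.so

# Step 3 (listed users only): OTP is mandatory; Kerberos is never consulted for
#   these users, so a wrong OTP cannot drive the KDC's failed-login counter.
auth  required  pam_google_authenticator.so
```

Listed users who should present both a password and an OTP would get their password module placed between steps 1 and 3 instead of being skipped over; the file should be root-owned and not group- or world-writable, since whoever can edit it chooses which factor each account is checked against.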