Add possibility to exclude a user #20
Comments
We are happy to review this if someone prepares a pull request for it.
Was this ever corrected? So far I can only utilize the forced authentication against a single user, and I'd like to allow my local admin accounts access without the need for authentication.
I just obtained my first YubiKey and have started playing with it. I found the PAM module lacking a bit, primarily when using OpenPAM. On Linux, I'm able to use an extended syntax in PAM to allow members of a specific group to require a YubiKey with `[succeed=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey`. However, OpenPAM does not allow this extended syntax, so while this worked well on my Linux implementations, it isn't going to cut it for my Mac server. I've just grabbed the source for yubico_pam and am going to add an external configuration file (/etc/yubico_pam.conf) to allow group-based authorization configuration and group specification. If the group authentication in the config file is set to on and the user is not in the group, I'll simply return a PAM_SUCCESS and skip over everything. Can anyone think of any issues with this? And if it works, is this something anyone might be interested in?
My fork of this PAM module now supports an `authgroup=` PAM module parameter that allows you to specify a group to check for their YubiKey. If a user that authenticates is NOT in the group specified in `authgroup=`, a key will not be required. This is only for the challenge-response mode at this time. I've submitted a pull request, but my editor changed the indentation of the code, so it's a little bleh in terms of the file changes. The changes will be seen in util.c (CheckGroup function), util.h (declaration of CheckGroup and a few new includes) and pam_yubico.c at the beginning of the do_challenge_response function, as well as the one addition of a `const char *groupauth` in the cfg structure. Cheers, Jon
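The group gate described in the two comments above, as an added example that is not pam_yubico's code nor the fork's CheckGroup: `user_in_group` resolves membership through the primary gid as well as supplementary groups, and `skip_challenge` only exempts a user when the lookup positively says "not a member", so a mistyped or missing `authgroup=` value (a hypothetical option name taken from the comment) leaves everyone challenged rather than letting everyone through.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure helper: is `target` among the `n` gids in `gids`? */
int gid_in_list(gid_t target, const gid_t *gids, int n)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == target)
            return 1;
    return 0;
}

/* 1 = member (primary or supplementary), 0 = not a member, -1 = lookup failed.
 * Walking only gr_mem would miss users whose primary gid is the group, which
 * is common for a per-user group such as "yubikey". Uses the Linux
 * getgrouplist() prototype; macOS declares the gid array as int. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    for (int cap = 64; cap <= 65536; cap *= 2) {
        gid_t *gids = malloc(sizeof(gid_t) * (size_t)cap);
        int n = cap;
        if (gids == NULL)
            return -1;
        if (getgrouplist(user, pw->pw_gid, gids, &n) != -1) {
            int hit = gid_in_list(gr->gr_gid, gids, n);
            free(gids);
            return hit;
        }
        free(gids); /* buffer too small: retry with a larger one */
    }
    return -1;
}

/* 1 = skip the YubiKey challenge (authgroup set and user verifiably outside
 * it), 0 = require the key. No authgroup, or a failed lookup, fails closed. */
int skip_challenge(const char *authgroup, const char *user)
{
    if (authgroup == NULL || *authgroup == '\0')
        return 0;
    return user_in_group(user, authgroup) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s group user\n", argv[0]); return 2; }
    printf("%s\n", skip_challenge(argv[1], argv[2]) ? "skip" : "require key");
    return 0;
}
```

Returning PAM_SUCCESS from the module for a skipped user only means this module passed; whether that user gets in still depends on the control flags and the other modules in the stack.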
@JonnyWhatshisface submitted PR #74, but the process looks to have stalled back at the end of August.
Hey - my apologies for the stalling. I recently moved out of the US and I'm sure you can imagine I've been swamped. I'm going to get this done within the next couple of days and resubmitted. I've actually begun quite a nifty addition that will later be submitted as well: the ability to contact a remote daemon to perform the lookup of the challenge response, making a way to centralize the storage of the secrets to deploy in larger infrastructures. First things first, however - I'll get the modifications done to this patch and resubmit in the next couple of days. :)
Original issues:
http://code.google.com/p/yubico-pam/issues/detail?id=34
http://code.google.com/p/yubico-pam/issues/detail?id=50
It's not possible to exclude/opt-out from pam_yubico