On our systems users can log in with either their short name or their full domain name (domain\user or user@domain) because we make use of sssd's default_domain_suffix option. But this doesn't work with pam_yubico - the workaround is to list both:
user:...
domain\user:...
but this is a bit annoying. It would be nice to have a default domain option for pam_yubico that would strip the given domain(s) from usernames before looking them up.
I also use sssd on my servers and the current configuration allows both user@domain and domain\user but it also works while omitting the domain completely, as just user.
To be able to match all possible use cases, I need 3 entries for each user:
user:...
user@domain:...
domain\user:...
The best option would be to search for \ or @ in the username received from PAM and strip the corresponding part to only keep the username for lookups.
Another issue is that the lookup is done case-sensitively and that also leads to mismatches if for example the username is user@DOMAIN, DOMAIN\user, User or any variation. Sometimes the username sent for the connection is automatically generated (by a script or app for example) and the user does not have control over the input provided.
In both cases, if you set the nullok keyword to only enforce the Yubikey usage if the token is configured in the authfile, like for protecting sensitive accounts only, you can just bypass the complete Yubico module!
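The lookup behaviour discussed in this thread, as an added example that is not part of the original posts and not pam_yubico's own code: it compares an exact, case-sensitive authfile lookup with a lookup on a normalized name under the nullok behaviour described above. The functions `normalize_username`, `authfile_has_user` and `token_required` are hypothetical, the authfile entries are constructed, and failing closed on names that cannot be normalized is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: reduce "DOMAIN\user" or "user@DOMAIN" to lowercase "user".
 * Returns 0 on success, -1 if the result is empty or does not fit in out. */
int normalize_username(const char *in, char *out, size_t outlen)
{
    const char *start = strrchr(in, '\\');   /* keep what follows the last backslash */
    start = start ? start + 1 : in;
    size_t len = strcspn(start, "@");        /* stop at the first '@' */
    if (len == 0 || len >= outlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)start[i]);
    out[len] = '\0';
    return 0;
}

/* Constructed authfile entries; the token ids are placeholders. */
static const char *AUTHFILE[] = { "alice:TOKEN_ID_PLACEHOLDER", "bob:TOKEN_ID_PLACEHOLDER" };
/* Exact, case-sensitive match on the field before ':' (the behaviour described above). */
int authfile_has_user(const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < sizeof AUTHFILE / sizeof AUTHFILE[0]; i++)
        if (strncmp(AUTHFILE[i], name, n) == 0 && AUTHFILE[i][n] == ':')
            return 1;
    return 0;
}

/* With nullok a token is demanded only if the lookup finds an entry; returns 1 if required. */
int token_required(const char *pam_user, int normalize)
{
    char buf[64];
    if (!normalize)
        return authfile_has_user(pam_user);
    if (normalize_username(pam_user, buf, sizeof buf) != 0)
        return 1;   /* assumption: fail closed on names that cannot be normalized */
    return authfile_has_user(buf);
}

int main(void)
{
    const char *names[] = { "alice", "Alice", "alice@DOMAIN", "DOMAIN\\alice", "carol" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-14s raw=%d normalized=%d\n", names[i], token_required(names[i], 0), token_required(names[i], 1));
    return 0;
}
```

Stripping every domain treats same-named accounts from different domains as one user, so on multi-domain hosts strip only the domains configured as default.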