4

I'm trying to set up a Linux development environment that is both secure and convenient, and after setting up passwordless login and 2-factor authentication with pam_u2f, I had the idea to create different user accounts with different authentication requirements.

In the configuration files located in /etc/pam.d/, authentication methods tend to be user/group-agnostic, for example:

auth required pam_u2f.so  authfile=/etc/my_yubikeys cue

Can you specify users or groups so that, for example, an admin account or members of the group wheel require 2 factors to log in (password and something else), while other users require one?

4
  • How can you ask me for a "special" authentication before you trust that I'm me (already authenticated)? Commented Mar 9, 2021 at 16:18
  • Authentication comes in 3 flavors; something you know (password) is only one of them. In the context of PAM, pam_yubico/pam_u2f has sort of support for something like this, with options to not require it if a user doesn't have 2FA set up. Commented Mar 9, 2021 at 16:44
  • Also, while the above line has the authfile stored in a user-agnostic location, most often YubiKey setups have the authfile stored at user level (same with Google Authenticator), so PAM already has the ability to check user-level stuff before the user has been fully authenticated. Commented Mar 9, 2021 at 16:50
  • People already have passwordless setups where FIDO2 is the only authentication method (I did it yesterday when testing config settings). What I'm trying to do is have that as an option for unprivileged accounts, but require 2 methods for admin accounts, which would rely on PAM having some way of being aware of users or groups, or accessing a root-only file which is Commented Mar 9, 2021 at 16:54

1 Answer

3

You can use the pam_succeed_if module to skip other PAM modules in the stack given certain user criteria. For example, you could create a group noyubikey and add the following to your PAM configuration:

auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup noyubikey
auth required pam_u2f.so  authfile=/etc/my_yubikeys cue

Updated to answer your question:

could I use this to require a number of authentication methods, where any one of them is optional? Sort of like "there are 3 possible authentication methods, but you need to use any 2 of them"

This should be possible with a substack and custom controls. E.g. you could require a substack like this:

[success=ignore default=1] # first module
[success=done default=1] # second module if the first one succeeded
[success=ignore default=die] # second module, if the first one failed
[success=done default=die] # third module now has to succeed

Note: I am only showing the controls for clarity's sake.

You'd want to use a substack here because it isolates the done/die actions from the rest of your stack.

2
  • Interesting, thanks for the link to the documentation. I'm not sure if this is possible, but could I use this to require a number of authentication methods, where any one of them is optional? Sort of like "there are 3 possible authentication methods, but you need to use any 2 of them" Commented Mar 11, 2021 at 19:56
  • @JoshuaFerguson I've updated my answer. Commented Mar 11, 2021 at 20:58
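The control flags in the answer above are easy to get subtly wrong, and a mistake in /etc/pam.d locks you out or, worse, lets a factor be skipped. The following is an added example (not code from the question, the answer or Linux-PAM): a small Python model of the documented dispatch rules for one stack (ok/done/bad/die/ignore and the numeric jump), used to run the group-skip stack and the "any 2 of 3" substack against every combination of module outcomes. The config fragments are constructed for this example: pam_unix.so and pam_google_authenticator.so stand in for the password and the third factor the answer only describes by role, the "unlisted return codes act as bad" rule is an assumption, and a real deployment would put the four substack lines in their own file and reference it with `auth substack <file>` from the parent stack.

```python
"""Model of Linux-PAM control-flag evaluation for a single auth stack.
Not Linux-PAM code: it follows the rules pam.conf(5) documents, and is
used here to check the two stacks from the answer (added example)."""
import itertools
import re
from dataclasses import dataclass

# Shorthand keywords, expanded to the bracketed controls pam.conf(5) lists as equivalent.
SHORTHAND = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\w+)\s+(\S+)\s*(.*)$")


@dataclass
class Entry:
    actions: dict   # return-code name -> "ok" | "done" | "bad" | "die" | "ignore" | int (jump)
    module: str
    args: str


def parse_stack(text):
    """Parse the 'auth' lines of a pam.d-style fragment; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported line: {raw!r}")
        ctrl, module, args = m.groups()
        actions = {}
        for kv in SHORTHAND.get(ctrl, ctrl).strip("[]").split():
            key, val = kv.split("=", 1)
            actions[key] = int(val) if val.isdigit() else val
        entries.append(Entry(actions, module, args))
    return entries


def evaluate(entries, outcome_of):
    """Run one stack. outcome_of(module) returns the module's return-code name
    ('success', 'auth_err', ...). True iff the stack's final status is success."""
    impression = None        # None = undefined, True = positive, False = negative
    status_success = False
    skip = 0
    for e in entries:
        if skip:             # inside a jump: the module is not called at all
            skip -= 1
            continue
        rc = outcome_of(e.module)
        action = e.actions.get(rc, e.actions.get("default", "bad"))  # assumption: unlisted codes act as bad
        if isinstance(action, int):      # N: jump over the next N modules, result not evaluated
            skip = action
        elif action in ("ok", "done"):   # positive result counts only while nothing negative is recorded
            if impression is None or (impression and status_success):
                if rc != "ignore":
                    impression, status_success = True, rc == "success"
            if action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status_success = False, False
            if action == "die":
                break
        # "ignore": the result does not contribute to the stack at all
    return impression is True and status_success


# Constructed fragment: password for everyone, the token unless the user is in 'noyubikey'.
GROUP_SKIP = """
auth required                   pam_unix.so
auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup noyubikey
auth required                   pam_u2f.so authfile=/etc/my_yubikeys cue
"""

# Constructed substack for "any 2 of 3" (password, FIDO2 token, TOTP); module names are illustrative.
TWO_OF_THREE = """
auth [success=ignore default=1]   pam_unix.so
auth [success=done default=1]     pam_u2f.so authfile=/etc/my_yubikeys cue
auth [success=ignore default=die] pam_u2f.so authfile=/etc/my_yubikeys cue
auth [success=done default=die]   pam_google_authenticator.so
"""


def login_with_group_skip(password_ok, in_noyubikey, token_ok):
    results = {
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_succeed_if.so": "success" if in_noyubikey else "auth_err",
        "pam_u2f.so": "success" if token_ok else "auth_err",
    }
    return evaluate(parse_stack(GROUP_SKIP), results.__getitem__)


def login_two_of_three(password_ok, token_ok, totp_ok):
    results = {
        "pam_unix.so": "success" if password_ok else "auth_err",
        "pam_u2f.so": "success" if token_ok else "auth_err",
        "pam_google_authenticator.so": "success" if totp_ok else "auth_err",
    }
    return evaluate(parse_stack(TWO_OF_THREE), results.__getitem__)


def check_two_of_three_exhaustively():
    """True iff the substack accepts exactly the combinations where at least 2 factors pass."""
    return all(login_two_of_three(*combo) == (sum(combo) >= 2)
               for combo in itertools.product([False, True], repeat=3))


if __name__ == "__main__":
    print("noyubikey member, password only:", login_with_group_skip(True, True, False))
    print("other user, password only:", login_with_group_skip(True, False, False))
    print("2-of-3 correct for all 8 cases:", check_two_of_three_exhaustively())
```

Two points the model makes visible. A numeric jump does not record a result, so the group-skip stack needs a module that leaves a positive status before the jump (pam_unix.so here); with only the two lines from the answer, a noyubikey member would jump straight off the end of an empty stack and be refused. And the ordering in the substack matters: the second factor appears twice because only one of those two lines is reached on any path, so each factor is prompted at most once. For the question's original framing (wheel members need both factors, everyone else one), pam_succeed_if also accepts `user notingroup wheel` in place of the `ingroup noyubikey` test.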
