
I'm trying to set up a Linux development environment that is both secure and convenient, and after setting up passwordless login and 2-factor authenticated pam_u2f, I had the idea to create different user accounts with different authentication requirements.

In the configuration files located at /etc/pam.d/, authentication methods tend to be user/group agnostic, for example:

auth required pam_u2f.so  authfile=/etc/my_yubikeys cue

Can you specify users or groups so that, for example, an admin account or members of the group wheel require 2 factors to log in (password and something else), while other users require one?

Joshua Ferguson
  • How can you ask me a "special" authentication before you trust that I'm me (already authenticated)? – waltinator Mar 09 '21 at 16:18
  • Authentication comes in 3 flavors; something you know (password) is only one of them. In the context of pam(_yubico/_u2f) there is sort of support for something like this, with options to not require it if a user doesn't have 2FA set up. – Joshua Ferguson Mar 09 '21 at 16:44
  • Also, while the above line has the `authfile` stored in a user-agnostic location, most often yubikey (setups) have the authfile stored at user level (same with Google Authenticator), so pam already has the ability to check user-level stuff before the user has been fully authenticated. – Joshua Ferguson Mar 09 '21 at 16:50
  • People already have passwordless setups where fido2 is the only authentication method (I did it yesterday when testing config settings). What I'm trying to do is have that as an option for unprivileged accounts, but require 2 methods for admin accounts, which would rely on pam having some way of being aware of users or groups, or accessing a root-only file which is – Joshua Ferguson Mar 09 '21 at 16:54

1 Answer


You can use the pam_succeed_if module to skip other PAM modules in the stack given certain user criteria. For example, you could create a group noyubikey and add the following to your PAM configuration:

auth [success=1 default=ignore] pam_succeed_if.so quiet user ingroup noyubikey
auth required pam_u2f.so  authfile=/etc/my_yubikeys cue

Updated to answer your question:

Could I use this to require a number of authentication methods, where any one of them is optional? Sort of like "there are 3 possible authentication methods, but you need to use any 2 of them"

This should be possible with a substack and custom controls. E.g. you could require a substack like this:

[success=ignore default=1] # first module
[success=done default=1] # second module if the first one succeeded
[success=ignore default=die] # second module, if the first one failed
[success=done default=die] # third module now has to succeed

Note: I am only showing the controls for clarity's sake.

You'd want to use a substack here because it isolates the done/die actions from the rest of your stack.

stefan0xC
  • Interesting, thanks for the link to the documentation. I'm not sure if this is possible, but could I use this to require a number of authentication methods, where any one of them is optional? Sort of like "there are 3 possible authentication methods, but you need to use any 2 of them" – Joshua Ferguson Mar 11 '21 at 19:56
  • @JoshuaFerguson I've updated my answer. – stefan0xC Mar 11 '21 at 20:58
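The jump logic in the answer's four control lines is easy to get wrong, so here is an added example (not part of the answer or of Linux-PAM) that walks a stack of `[value=action]` controls the way libpam does and checks, for all 8 combinations of method outcomes, that the substack passes exactly when two of the three methods pass. It also models the first snippet, where `required` is written out as `[success=ok default=bad]` and a closing `pam_unix.so` password line is assumed; module outcomes are constructed booleans, not real module calls.

```python
from itertools import product

# Control lines from the answer's substack, one per invocation; the "second
# module" runs on two lines, so MODULE_OF maps each line to its method.
TWO_OF_THREE = ["[success=ignore default=1]",    # first method
                "[success=done default=1]",      # second, first one succeeded
                "[success=ignore default=die]",  # second, first one failed
                "[success=done default=die]"]    # third must now succeed
MODULE_OF = [0, 1, 1, 2]

# The answer's first snippet ("required" = [success=ok default=bad]), closed by
# a pam_unix.so password line that is assumed here, not taken from the answer.
GROUP_SKIP = ["[success=1 default=ignore]",  # pam_succeed_if.so ... ingroup noyubikey
              "[success=ok default=bad]",    # pam_u2f.so (required)
              "[success=ok default=bad]"]    # pam_unix.so (required, assumed)

def parse_control(control):
    """'[success=done default=1]' -> {'success': 'done', 'default': '1'}."""
    return dict(pair.split("=", 1) for pair in control.strip()[1:-1].split())

def run_stack(controls, module_of, outcomes):
    """Walk the stack like libpam; outcomes[m] is the constructed result of method m."""
    state, i = None, 0                     # None: nothing has contributed a verdict
    while i < len(controls):
        ok = outcomes[module_of[i]]
        action = parse_control(controls[i])["success" if ok else "default"]
        if action == "ok":                 # contribute; an earlier failure sticks
            state = ok and state is not False
        elif action == "bad":              # contribute a failure
            state = False
        elif action == "done":             # ok, then stop walking the stack
            return ok and state is not False
        elif action == "die":              # bad, then stop walking the stack
            return False
        elif action.isdigit():             # skip the next N lines
            i += int(action)
        elif action != "ignore":           # ignore: return code does not count
            raise ValueError(f"unsupported action {action!r}")
        i += 1
    return bool(state)                     # no verdict at all is a failure

def enforce_two_of_three(outcomes):
    return run_stack(TWO_OF_THREE, MODULE_OF, outcomes)
def group_skip_result(in_noyubikey, u2f_ok, password_ok):
    return run_stack(GROUP_SKIP, [0, 1, 2], [in_noyubikey, u2f_ok, password_ok])

def two_of_three_is_exact():
    """Exhaustive check: the substack passes iff at least two methods pass."""
    return all(enforce_two_of_three(o) == (sum(o) >= 2)
               for o in product([False, True], repeat=3))
```

Because `done` and `die` end the walk immediately, wrapping these lines in a `substack` keeps them from short-circuiting the modules that follow in the parent stack, which is the isolation the answer refers to.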