[haiku-bugs] Re: [Haiku] #11828: Look into using one-time-passwords as secondary authentication method for baron

  • From: "Centinel" <trac@xxxxxxxxxxxx>
  • Date: Mon, 02 Mar 2015 02:21:47 -0000

#11828: Look into using one-time-passwords as secondary authentication method for baron
-------------------------+----------------------------
   Reporter:  zooey      |      Owner:  haiku-sysadmin
       Type:  task       |     Status:  new
   Priority:  normal     |  Milestone:
  Component:  Sys-Admin  |    Version:
 Resolution:             |   Keywords:
 Blocked By:             |   Blocking:
Has a Patch:  0          |   Platform:  All
-------------------------+----------------------------

Comment (by Centinel):

 OK, I think I've got OTP + sudo figured out.

 By default, sudo in OpenSUSE requires you to enter the root user's
 password. I used visudo and commented out these two directives in order to
 restore traditional sudo behavior, where the user has to enter his own
 password:

 {{{
 # Defaults targetpw   # ask for the password of the target user i.e. root
 # ALL     ALL=(ALL) ALL   # WARNING! Only use this together with the 'Defaults targetpw'!
 }}}

 If I didn't do that, then PAM would expect you to enter an OTP based on
 the root user's account.

 Next, I had to change the /etc/security/access-local.conf file that PAM
 references when determining whether or not to require an OTP. Here's what
 it originally said:

 {{{
 + : ALL : LOCAL
 - : (otpusers) : ALL
 + : ALL : ALL
 }}}

 The first line indicates that "local" users (for our purposes, everyone
 who is signed in over SSH) are not bound by OTP. That's why it didn't work
 when jprostko attempted to transplant my sshd PAM stack directives into
 the sudo PAM stack - you were already signed in, so it triggered the local
 user exemption.

 The second line requires OTP for accounts in the otpusers group.

 I deleted the local user exemption:

 {{{
 - : (otpusers) : ALL
 + : ALL : ALL
 }}}

 Now, 'otpusers' accounts are immediately bound by OTP, regardless of where
 they're logged in, and everyone else is exempt. Nice and simple.

 Here's my sudo PAM stack:

 {{{
 auth     [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
 auth     requisite                  pam_oath.so usersfile=/etc/users.oath window=30
 auth     include                    common-auth
 account  include                    common-account
 password include                    common-password
 session  include                    common-session
 }}}

 If you're not bound by OTP, you skip the second line; otherwise, you have
 to enter an OTP.

 I'll let jprostko verify this, but everything seems to be in order.

--
Ticket URL: <https://dev.haiku-os.org/ticket/11828#comment:21>
Haiku <https://dev.haiku-os.org>
Haiku - the operating system.
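The decision the stack above makes, as an added Python simulation (not PAM's, sudo's or Haiku's own code) of pam_access's first-match rules combined with the `[success=1 default=ignore]` control that skips pam_oath. It assumes sudo reports a tty such as `pts/0` as the origin (no dot, so `LOCAL` matches) and ignores `EXCEPT` clauses and other pam_access syntax the comment does not use.

```python
"""Simulation of how the sudo PAM stack on the page decides whether an OTP
is required.  Constructed example, not PAM's own code: it models the
first-match-wins rules of pam_access's access.conf and the
'[success=1 default=ignore]' control that skips pam_oath on success."""

# access-local.conf as the ticket first found it (constructed copy of the
# three lines quoted in the comment) and after the LOCAL exemption was removed
ORIGINAL_RULES = ["+ : ALL : LOCAL", "- : (otpusers) : ALL", "+ : ALL : ALL"]
FIXED_RULES = ["- : (otpusers) : ALL", "+ : ALL : ALL"]


def _user_matches(field, user, groups):
    """users field: ALL, a (group) in parentheses, or a login name."""
    if field == "ALL":
        return True
    if field.startswith("(") and field.endswith(")"):
        return field[1:-1] in groups
    return field == user


def _origin_matches(field, origin):
    """origins field: ALL, LOCAL (pam_access: a string with no '.', e.g. a
    tty like pts/0 as sudo reports it), or an exact host/address."""
    if field == "ALL":
        return True
    if field == "LOCAL":
        return "." not in origin
    return field == origin


def pam_access_permits(rules, user, groups, origin):
    """First matching 'permission : users : origins' line wins; pam_access
    grants access when no line matches at all."""
    for line in rules:
        perm, users, origins = [f.strip() for f in line.split(":")]
        if any(_user_matches(u, user, groups) for u in users.split()) and \
           any(_origin_matches(o, origin) for o in origins.split()):
            return perm == "+"
    return True


def otp_required(rules, user, groups, origin):
    """auth [success=1 default=ignore] pam_access.so: success skips the next
    module (pam_oath); any other result is ignored and pam_oath runs."""
    return not pam_access_permits(rules, user, groups, origin)


if __name__ == "__main__":
    # alice is in otpusers and runs sudo from a tty: exempt under the old
    # rules, prompted for an OTP once the LOCAL line is gone
    print(otp_required(ORIGINAL_RULES, "alice", {"otpusers"}, "pts/0"))
    print(otp_required(FIXED_RULES, "alice", {"otpusers"}, "pts/0"))
```

With a remote address as the origin (what the sshd stack sees), the `LOCAL` line never matches, which is why the same directives worked for SSH logins but not for sudo.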
