Hi

I am looking to have PAM call a script after a successful 2F authentication. My impression is that it is not going to be possible. I even have got a question open on StackExchange about it [1]

Any ideas?

[1] https://unix.stackexchange.com/questions/586243/callback-when-logged-on-via-...
On 2020-05-13T12:39:50 +0100, Andy Pieters wrote:
Should be doable, skip to pam_exec.so with `success=${num lines to skip}`

man 8 pam_exec

    auth sufficient pam_unix.so
    auth [success=1 default=ignore] foo_2fa.so some_other=options
    auth requisite pam_deny.so
    auth optional pam_exec.so debug /path/to/my/script.sh

I didn't test the above so you'll probably have to tweak it as well as make sure it's secure.

Matt Pallissard
On Wed, 13 May 2020 at 14:53, Matt Pallissard <matt@pallissard.net> wrote:
On 2020-05-13T12:39:50 +0100, Andy Pieters wrote:
Should be doable, skip to pam_exec.so with `success=${num lines to skip}`
So
Does that mean then that the auth_optional line is only *ever* triggered by a success on the 2fa line? No other way for PAM to execute it?
Hi Matt

On Wed, 13 May 2020 at 15:01, Andy Pieters <arch-general@andypieters.me.uk> wrote:

Something appears to be wrong with that. As soon as I add [success=n] logins start failing with

    PAM unable to dlopen(/usr/lib/security/required): /usr/lib/security/required: cannot open shared object file: No such file or directory

and

    PAM adding faulty module: /usr/lib/security/required

Looking through the man pages of pam_yubico and comparing it with those of pam_deny and pam_succeed_if it seems that pam_yubico does not support the passing of [success=, default=] conditions...
On 2020-05-13T22:26:16 +0100, Andy Pieters wrote:
/usr/lib/security/required doesn't look like a valid module. I'd imagine that there is a missing bracket or something in your config file.

Also, if reading `man pam.conf` is anything to go by, the success behavior is handled by pam itself. The module in question should have nothing to do with it.

As an aside, this works for me with pam_krb.so.

Matt Pallissard
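
The following is an added example, not part of the thread and not code from either poster: a small linter for pam.d entries that flags a malformed control field, including one way a line can make PAM try to load `/usr/lib/security/required`, since a relative module path is resolved against the module directory. The helper name `lint_pam_line` and both sample lines are constructed for illustration; the grammar is a simplification of pam.conf(5).

```python
import re

# Simplified pam.d syntax per pam.conf(5): type control module-path [args]
TYPES = {"auth", "account", "password", "session"}
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ACTION = re.compile(r"\w+=(ignore|bad|die|ok|done|reset|\d+)$")
MODULE_DIR = "/usr/lib/security"  # directory shown in the errors quoted above
ENTRY = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def lint_pam_line(line):
    """Return a list of problems found in one pam.d entry (hypothetical helper)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []  # blank line or comment
    m = ENTRY.match(line)
    if not m:
        return [f"cannot parse: {line!r}"]
    ptype, control, module, _args = m.groups()
    problems = []
    if ptype.lstrip("-") not in TYPES:
        problems.append(f"unknown type {ptype!r}")
    if control.startswith("["):
        if not control.endswith("]"):
            problems.append("unterminated '[' in control field")
        else:
            for token in control[1:-1].split():
                if not ACTION.match(token):
                    problems.append(f"bad value=action pair {token!r}")
    elif control not in KEYWORDS:
        problems.append(f"unknown control {control!r}")
    if module in KEYWORDS:
        # A keyword left after a bracketed control is read as the module path.
        problems.append(f"control keyword {module!r} is in the module-path "
                        f"position; PAM would try to load {MODULE_DIR}/{module}")
    return problems


# Constructed sample lines (not taken from anyone's real configuration).
GOOD = "auth [success=1 default=ignore] foo_2fa.so some_other=options"
BAD = "auth [success=1 default=ignore] required foo_2fa.so some_other=options"

if __name__ == "__main__":
    for entry in (GOOD, BAD):
        print(entry, "->", lint_pam_line(entry) or "ok")
```

Running a check like this over a copy of the file before installing it in /etc/pam.d, with a root shell kept open, avoids locking yourself out on a syntax slip.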