pam_u2f: also require first factor? #29172

Closed
shosti opened this issue Sep 10, 2017 · 2 comments
Labels: 0.kind: bug (Something is broken); 1.severity: security (Issues which raise a security issue, or PRs that fix one)

shosti commented Sep 10, 2017

pam_u2f is currently always configured as being "sufficient", so no password is necessary if U2F authentication succeeds. It would be nice if it were optionally "requisite" instead (similarly to #22724 for OATH), since U2F is designed for second-factor auth after all.

@fpletz fpletz added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Oct 2, 2017
@fpletz fpletz added this to the 17.09 milestone Oct 2, 2017
@fpletz fpletz added the 0.kind: bug Something is broken label Oct 2, 2017

vlaci commented Mar 18, 2018

I've written a module to override the default behavior:
https://gist.github.com/vlaci/80bebce47a8ac6770035d362b3d004e0

I used to hardcode the PAM configuration to overcome this limitation, but it was really brittle because every time the list of installed services changed I had to remember to look into the generated service file and copy-paste the modified version back to configuration.nix.

The module works by extending the default PAM service configuration with a hook which replaces the default rule corresponding to pam_u2f.so in the service's text attribute. This way the configuration remains customizable via the security.pam module.

@matthewbauer matthewbauer modified the milestones: 17.09, 18.09 Apr 17, 2018
@matthewbauer matthewbauer modified the milestones: 18.09, 19.03 Nov 5, 2018
@lheckemann lheckemann removed this from the 19.03 milestone Apr 1, 2019

benley commented Oct 8, 2020

It looks like this is configurable now, with:

```nix
{
  security.pam.u2f.control = "required";
}
```

@benley benley closed this as completed Oct 8, 2020
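
To check what the control flag discussed in this thread changes in practice, the following added example (not code from the thread, the linked gist, or nixpkgs) evaluates a PAM auth stack under a simplified model of the Linux-PAM `required`, `requisite`, `sufficient` and `optional` keywords and reports which credential combinations authenticate. The sample stack, the module path and the function names are constructed for illustration; bracketed `[value=action]` controls, `include` and `substack` are not modelled.

```python
import os

SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}

def auth_stack(pam_text):
    """Yield (control, module basename) for each auth rule in a service file."""
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        if fields[1] not in SIMPLE_CONTROLS:
            # [value=action] syntax, include and substack are not modelled.
            raise ValueError(f"unsupported control: {fields[1]!r}")
        yield fields[1], os.path.basename(fields[2])

def authenticates(pam_text, succeeding):
    """True if the stack grants access when only `succeeding` modules pass."""
    required_failed = passed = False
    for control, module in auth_stack(pam_text):
        ok = module in succeeding
        if control == "sufficient" and ok and not required_failed:
            return True   # stack stops here; later rules never run
        if control == "requisite" and not ok:
            return False  # stack stops here with a failure
        if control in ("required", "requisite"):
            passed = passed or ok
            required_failed = required_failed or not ok
    return passed and not required_failed

def audit(pam_text):
    """Which credential combinations get through the auth stack."""
    return {
        "token_only": authenticates(pam_text, {"pam_u2f.so"}),
        "password_only": authenticates(pam_text, {"pam_unix.so"}),
        "both": authenticates(pam_text, {"pam_u2f.so", "pam_unix.so"}),
    }

# Constructed sample stack (placeholder module path, not real NixOS output).
STACK = """\
auth {control} /constructed/path/lib/security/pam_u2f.so
auth sufficient pam_unix.so likeauth try_first_pass
auth required pam_deny.so
"""

if __name__ == "__main__":
    for control in ("sufficient", "required", "requisite"):
        print(control, audit(STACK.format(control=control)))
```

With `sufficient`, the token alone or the password alone passes this stack; with `required` or `requisite`, only the combination does.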