Cannot login with nullok using challenge-response? #119
Comments
The way nullok is implemented, it is only valid in OTP mode. The challenge-response mode is overly simplified with regard to PAM return values; this should probably be fixed so nullok can be applied to both.
OK, thanks. Is there a good way for me to allow a user without a YubiKey to log in with the current module, until someone (I don't trust myself to do it) has time to generalize it? Thanks!
No, unfortunately the challenge-response mode is a bit simplistic in its error returns currently. If/when that is improved you can have different behaviour depending on what error you get back.
Is there any plan to work on this in the future? I would switch to OTP but I just can't be locked out of my computer because of a lack of an internet connection.
There are no immediate plans to work on this. However, it is quite a small change, essentially going over the do_challenge_response() function (https://github.com/Yubico/yubico-pam/blob/master/pam_yubico.c#L450) and having it return more nuanced errors than PAM_AUTH_ERR, specifically for the case where get_user_challenge_file() fails.
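The distinction described in the comment above, as an added sketch that is not part of the thread and not the module's own code: only a missing per-user state file is treated as "nothing enrolled" (the one case nullok may relax), while every other failure still fails closed. The enum values, both function names and the sample path are assumptions made for this illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Local stand-ins for the Linux-PAM codes of the same name, so this
 * sketch builds without libpam headers. Not the module's own code. */
enum cr_result {
    CR_PROCEED,           /* state file present: run the real challenge */
    CR_USER_UNKNOWN,      /* like PAM_USER_UNKNOWN: nothing enrolled */
    CR_AUTHINFO_UNAVAIL,  /* like PAM_AUTHINFO_UNAVAIL: state unusable */
    CR_IGNORE             /* like PAM_IGNORE: module abstains */
};

/* Hypothetical helper: say why the per-user state file cannot be used,
 * instead of folding every failure into one generic auth error. */
static enum cr_result probe_challenge_file(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return CR_PROCEED;
    }
    /* Only "file does not exist" means the user never enrolled a key. */
    if (errno == ENOENT)
        return CR_USER_UNKNOWN;
    /* EACCES, ENOTDIR, EIO, ...: misconfiguration or tampering; fail closed. */
    return CR_AUTHINFO_UNAVAIL;
}

/* nullok may relax exactly one outcome: no enrollment at all. */
static enum cr_result apply_nullok(enum cr_result r, int nullok)
{
    return (r == CR_USER_UNKNOWN && nullok) ? CR_IGNORE : r;
}

int main(void)
{
    /* Constructed path; on most systems this file does not exist. */
    const char *path = "/var/yubico/example-user-0000000";
    enum cr_result r = probe_challenge_file(path);
    printf("probe=%d nullok=%d no-nullok=%d\n",
           r, apply_nullok(r, 1), apply_nullok(r, 0));
    return 0;
}
```

open() also reports ENOENT when the state directory itself is missing, so a deployment relying on this distinction should confirm that directory exists before treating the result as "not enrolled".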
@MikeDacre I am not sure if it will suit your use case but you might want to look at my implementation of a CR PAM module.
Since the change has been made and merged, can't this issue be closed?
Good suggestion.
Using the latest master (installed just now on Arch Linux using the yubico-pam-git package, which pulls the current master), I am trying to use the new nullok option from #118. Here is my PAM config (system-local-login, Arch Linux):
auth required pam_yubico.so nullok mode=challenge-response chalresp_path=/var/yubico debug
Login as a user with a YubiKey works, but login as root without a YubiKey config set results in the error
debug: pam_yubico.c:509 (do_challenge_response): Cannot open file /var/yubico/root-##### (No such file or directory)