Cannot login with nullok using challenge-response? #119
Comments
MikeDacre
changed the title
|
The way nullok is implemented it is only valid in OTP mode. The challenge-response mode is overly simplified in regards of PAM return values, this should probably be fixed so nullok can be applied to both. |
|
OK, thanks. Is there a good way for me to allow a user without a yubikey to login with the current module, until someone (I don't trust myself to do it) has time to generalize it? Thanks! |
|
No, unfortunately the challenge response mode is a bit simplistic in it's error returns currently. If/when that is improved you can have different behaviour depending on what error you get back. |
|
Is there any plan to work on this in the future? I would switch to OTP but I just can't be locked out of my computer because of a lack of an internet connection. |
|
There's no immediate plans to work on this. However it is a quite small change, essentially going over the do_challenge_response() function (https://github.com/Yubico/yubico-pam/blob/master/pam_yubico.c#L450) and have it return more nuanced errors than PAM_AUTH_ERR, specifically for the case where get_user_challenge_file() fails. |
|
@MikeDacre I am not sure if it will suit your use case but you might want to look at my implementation of a CR PAM module. |
|
Since the change has been made and merged, can't this issue be closed? |
|
good suggestion. |
Using the latest master (installed just now on arch linux using the yubico-pam-git package, which pulls the current master), I am trying to use the new nullok option from #118. Here is my pam config (system-local-login, arch linux):
auth required pam_yubico.so nullok mode=challenge-response chalresp_path=/var/yubico debugLogin as a user with a yubikey works, but login as root without a yubikey config set results in the error
debug: pam_yubico.c:509 (do_challenge_response): Cannot open file /var/yubico/root-##### (No such file or directory).The text was updated successfully, but these errors were encountered: