This repository has been archived by the owner on Apr 6, 2021. It is now read-only.
Original issue 108 created by dwmw2b on 2011-09-26T22:55:27.000Z:
We want to use a system like gitolite with dual-factor authentication using SSH pubkey followed by google-authenticator. This runs everything as a single local UNIX user, and the individual gitolite users have different SSH keys installed, each of which is configured to run a specific gitolite command line which indicates which user to operate as.
Thus, rather than giving all the users a single GA key, we want to be able to use a secret file which depends on the public key that was used.
We achieve this with two relatively simple patches. The first (which I mention for reference) is in OpenSSH, to make it set a PAM environment variable indicating which public key was used to authenticate: https://bugzilla.mindrot.org/show_bug.cgi?id=983#c43
The google-authenticator patch is relatively simple too. It simply extends the existing expansion of ${HOME} and ${USER} so that it can handle ${PAM:xxxxx} to expand arbitrary PAM variables too.
I can now use it like this:
auth sufficient pam_google_authenticator.so no-drop-privs secret=/etc/google-authenticator/${USER}${PAM:SSH_PUBKEY}
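As an added illustration, not code from this issue or from the google-authenticator project, the following C function performs the kind of template expansion the patch describes: `${HOME}`, `${USER}` and `${PAM:NAME}` are substituted into the `secret=` path. The PAM environment is a constructed stand-in table (the real module would call `pam_getenv()`), and the `SSH_PUBKEY` value in it is a constructed sample. The function name `expand_secret_path` and the helper names are hypothetical. Two defensive choices are worth noting: a referenced variable that is unset makes the expansion fail rather than expand to an empty string (otherwise a missing `SSH_PUBKEY` would silently collapse `${USER}${PAM:SSH_PUBKEY}` to a shared per-user file), and a PAM-supplied value containing `..` is rejected so it cannot steer the path out of the secrets directory; `/` is deliberately not rejected because base64-encoded key material may legitimately contain it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the PAM environment. In the real module the
 * lookup would be pam_getenv(pamh, name); these values are made up. */
struct env_var { const char *name; const char *value; };
static const struct env_var fake_pam_env[] = {
    {"SSH_PUBKEY", "AAAAB3NzaC1yc2E"},   /* constructed sample key material */
    {"EVIL",       "../other-user"},     /* constructed hostile value */
    {NULL, NULL}
};

/* Look up a PAM variable by (name, length); NULL when unset. */
static const char *pam_env_lookup(const char *name, size_t len) {
    for (const struct env_var *e = fake_pam_env; e->name; e++)
        if (strlen(e->name) == len && strncmp(e->name, name, len) == 0)
            return e->value;
    return NULL;
}

/* Expand ${HOME}, ${USER} and ${PAM:NAME} in tmpl. Returns a malloc'd
 * string, or NULL when the template is malformed, a referenced variable
 * is unset, or a PAM value contains "..". Fails closed by design. */
char *expand_secret_path(const char *tmpl, const char *home, const char *user) {
    size_t cap = strlen(tmpl) + 64, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    for (const char *p = tmpl; *p; ) {
        const char *val;
        size_t vlen;
        if (p[0] == '$' && p[1] == '{') {
            const char *end = strchr(p + 2, '}');
            if (!end) { free(out); return NULL; }        /* unterminated ${ */
            size_t nlen = (size_t)(end - (p + 2));
            val = NULL;
            if (nlen == 4 && strncmp(p + 2, "HOME", 4) == 0) val = home;
            else if (nlen == 4 && strncmp(p + 2, "USER", 4) == 0) val = user;
            else if (nlen > 4 && strncmp(p + 2, "PAM:", 4) == 0) {
                val = pam_env_lookup(p + 6, nlen - 4);
                /* A PAM value must not be able to walk out of the directory. */
                if (val && strstr(val, "..")) { free(out); return NULL; }
            }
            if (!val) { free(out); return NULL; }         /* unknown or unset */
            vlen = strlen(val);
            p = end + 1;
        } else {
            val = p; vlen = 1; p++;                       /* literal character */
        }
        if (len + vlen + 1 > cap) {
            cap = (len + vlen + 1) * 2;
            char *n = realloc(out, cap);
            if (!n) { free(out); return NULL; }
            out = n;
        }
        memcpy(out + len, val, vlen);
        len += vlen;
    }
    out[len] = '\0';
    return out;
}

/* Convenience for checking: 1 if expansion equals expected
 * (expected == NULL means "expansion must fail"), else 0. */
int expands_to(const char *tmpl, const char *home, const char *user,
               const char *expected) {
    char *r = expand_secret_path(tmpl, home, user);
    int ok = (r == NULL) ? (expected == NULL)
                         : (expected != NULL && strcmp(r, expected) == 0);
    free(r);
    return ok;
}

int main(void) {
    const char *tmpl = "/etc/google-authenticator/${USER}${PAM:SSH_PUBKEY}";
    char *r = expand_secret_path(tmpl, "/home/git", "git");
    printf("%s -> %s\n", tmpl, r ? r : "(rejected)");
    free(r);
    return 0;
}
```

With the sample environment above, the issue's own `secret=` template expands to `/etc/google-authenticator/gitAAAAB3NzaC1yc2E`, a template naming an unset variable is rejected, and the hostile `${PAM:EVIL}` value is rejected.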