Skip to content
/ pam_tfa Public

Pluggable Authentication Module library for Two Factor Authentication

License

View license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

apconole/pam_tfa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits

m4

m4

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

AUTHORS

AUTHORS

 
 

COPYING

COPYING

 
 

Makefile.am

Makefile.am

 
 

NEWS

NEWS

 
 

README.md

README.md

 
 

TODO

TODO

 
 

configure.ac

configure.ac

 
 

default_config

default_config

 
 

pam_tfa.c

pam_tfa.c

 
 

run_if_travis.sh

run_if_travis.sh

 
 

run_test.sh

run_test.sh

 
 

testdlopen.c

testdlopen.c

 
 

testpam.c

testpam.c

 
 

testtfa

testtfa

 
 

util.c

util.c

 
 

util.h

util.h

 
 

Repository files navigation

#Two Factor PAM Account library

Build Status Coverage Status

The Two Factor PAM Account library aims to provide a simple mechanism by which we can implement two-factor login privileges by plugging into the PAM stack. This module should work for any specific PAM-aware application, but the primary target is the SSH daemon.

In order to work with the SSH Daemon, there are two considerations:

  1. Systems where users authenticate with passwords.
  2. Systems where users authenticate with keys.

The way I've chosen to handle this is by treating the 'challenge-response' phase as an account OR auth management function. IE: By successfully passing the 'auth' stack, you prove you know the authentication token and we can either stay in 'auth' land to do the challenge response or use 'account' as a means by which we say "you can be on this system."

This also lets us get around '2' above - according to the OpenSSH manual, pubkey authentication bypasses the 'auth' stack in pam, but ONLY the 'auth' stack.

The Authentication Part

Authentication is done on a per-user basis. It is either opt-in OR system mandated. In either case, the two-factor information is stored in a 600 mask file "~/.tfa_config" and consists of the smtp email by which the user will be contacted.

example config

This is the destination email (ex: i use my cell number @vtext.com for a text message)

email=someEmail@foo.com

This is the 'from' address. it could be the same as 'email' above

from=myProviderEmail@target.com

This sets the server address

server=foo.com

This is the server port. Common ports are 25, 2525, and 587 - see your mail provider details. NOTE: for good reason, we ONLY do TLS mail

port=587

Your mail username

username=myuser

Your mail password

password=pass

Fail option (deny means block if we fail to send, pass means allow anyway)

fail=deny

Configuring

To use pam_tfa, set up either an account stack or auth stack as follows:

  • After the pam_permit.so line, add the following.

{accout/auth} required pam_tfa.so

Add the debug keyword for additional logs in your AUTHPRIV logs, and add noopt to disallow users from opting in (ie: users MUST have a valid $HOME/.tfa_config file).

Additionally, to use SSH as well, you'll need to edit the SSHD config and set /ChallengeResponseAuthentication/ flag to yes.

About

Pluggable Authentication Module library for Two Factor Authentication

Resources

Readme

License

View license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages