Blumenthal, Uri - 0553 - MITLL
2022-Mar-09 01:19 UTC
Does a known security issue allow ssh login via system accounts?
> > I don't understand what you said. Does the cloud service authenticate the user, or does it not???
>
> err, missed a word - it does not

In that case, what about this.

From https://developers.yubico.com/yubico-pam/, description of the PAM module parameters:

mode: Mode of operation. Use "client" for online validation with a YubiKey validation service such as the YubiCloud, or use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.
Damien Miller
2022-Mar-09 01:39 UTC
Does a known security issue allow ssh login via system accounts?
On Wed, 9 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:

> > > I don't understand what you said. Does the cloud service
> > > authenticate the user, or does it not???
> >
> > err, missed a word - it does not
>
> In that case, what about this.
>
> From https://developers.yubico.com/yubico-pam/, description of the PAM
> module parameters:
>
> mode: Mode of operation. Use "client" for online validation
> with a YubiKey validation service such as the YubiCloud, or use
> "challenge-response" for offline validation using YubiKeys with
> HMAC-SHA-1 Challenge-Response configurations. See the man-page
> ykpamcfg(1) for further details on how to configure offline
> Challenge-Response validation.

I assumed we were talking about the PAM module that apparently created the situation that started this thread, i.e. https://github.com/google/google-authenticator-libpam and not the Yubico one.

-d