Damien Miller
2022-Mar-09 00:28 UTC
Does a known security issue allow ssh login via system accounts?
On Mon, 7 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:> > >That's a nice thing about pam_yubico with real Yubikeys: > > >they can be validated against the Yubico cloud API, > > >without any local secrets. > > > > Just to make sure I understand you correctly - a cloud > > service determines whether some access to your server > > is to be granted? > > A cloud service *authenticates* the user. It's the job of *other* > PAM modules and configuration to decide what to *authorize* this > authenticated identity for, including login.No, that is not the case. The module is a HOTP/TOTP implementation that is compatible with the Google Authenticator application, it does consult any cloud service for authentication. -d
Blumenthal, Uri - 0553 - MITLL
2022-Mar-09 00:54 UTC
Does a known security issue allow ssh login via system accounts?
> > A cloud service *authenticates* the user . . . > > No, that is not the case. The module is a HOTP/TOTP implementation that > is compatible with the Google Authenticator application, it does consult > any cloud service for authentication.I don't understand what you said. Does the cloud service authenticate the user, or does it not??? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5249 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20220309/10358b81/attachment.p7s>