Does a known security issue allow ssh login via system accounts?

Damien Miller djm at mindrot.org
Wed Mar 9 11:28:55 AEDT 2022


On Mon, 7 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:

> > > That's a nice thing about pam_yubico with real Yubikeys:
> > > they can be validated against the Yubico cloud API,
> > > without any local secrets.
> >
> > Just to make sure I understand you correctly - a cloud
> > service determines whether some access to your server
> > is to be granted?
>
> A cloud service *authenticates* the user. It's the job of *other*
> PAM modules and configuration to decide what to *authorize* this
> authenticated identity for, including login.

No, that is not the case. The module is a HOTP/TOTP implementation that
is compatible with the Google Authenticator application, it does consult
any cloud service for authentication.

-d


More information about the openssh-unix-dev mailing list