LinuxQuestions.org
Old 03-16-2010, 01:13 AM   #1
Akdor 1154
LQ Newbie
 
Registered: Mar 2008
Distribution: Xubuntu, Sidux, Debian
Posts: 10

Rep: Reputation: 0
Use different PAM modules depending on local/remote access


Hi,

I'm using a fingerprint reader on my laptop, works pretty well:
Code:
$ sudo echo hi
Please swipe your finger:
[swipe finger here of course]

hi
This is accomplished using pam_fprint, and
Code:
auth    sufficient                      pam_fprint.so
in /etc/pam.d/auth-common.

Like I said, it works nicely... until I try to SSH in and sudo something remotely, when it will ask me kindly to swipe my finger over the reader that's attached to the laptop which is on my desk at home thirty kilometres away. Naturally there's no method built into pam_fprint to abort via a keypress.

So, is there any way to tell PAM to only use certain modules if I'm in a locally logged in session?

Thanks kindly,
Jarrad
 
Old 03-16-2010, 02:41 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Create a copy of auth-common under another name, without the pam_fprint.so line and use it instead of auth-common in your /etc/pam.d/sshd file.

Another option would be to use pubkey authentication instead. Look at the commented instructions in the /etc/ssh/sshd_config file above the "UsePAM yes" line.
 
Old 03-16-2010, 03:13 AM   #3
Akdor 1154
LQ Newbie
 
Registered: Mar 2008
Distribution: Xubuntu, Sidux, Debian
Posts: 10

Original Poster
Rep: Reputation: 0
No, pam_fprint is already hard coded to pass if it's being used by sshd, so I can log in. The problem comes about when I'm trying to su or sudo INSIDE an ssh session, as these don't (and shouldn't) check whether they're being used remotely or locally; they just go with whatever PAM tells them to as far as I can see.

EDIT:
Thanks for the reply though, it was a good thought.
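
Added example, not written by any participant in this thread: one way to make the fingerprint step conditional is to put a pam_exec helper in front of the pam_fprint line, so that PAM skips the reader when sudo or su is called from a terminal that is not a local login. The install path, the `[success=ignore default=1]` wiring in the comments, the decision to classify by the host column of `who`, and the sample data are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Helper for pam_exec: exit 0 when the
# calling terminal belongs to a local login, non-zero otherwise.
#
# Assumed PAM wiring (hypothetical install path), placed where the
# pam_fprint line sits today:
#   auth [success=ignore default=1] pam_exec.so quiet /usr/local/sbin/pam-local-session
#   auth sufficient                 pam_fprint.so
# A non-zero exit makes PAM skip the next line, so remote sessions go
# straight to whatever follows (normally the password prompt).

# is_local_session TTY WHO_OUTPUT
# TTY is PAM_TTY as set by sudo/su (e.g. /dev/pts/3); WHO_OUTPUT is `who` text.
is_local_session() {
    tty=${1#/dev/}
    case $tty in
        tty[0-9]*) return 0 ;;   # virtual console on the machine itself
        '')        return 1 ;;   # no terminal: do not ask for a finger
    esac
    # Last column of the utmp entry for this tty, e.g. "(:0.0)" or "(192.0.2.17)".
    host=$(printf '%s\n' "$2" | awk -v t="$tty" '$2 == t { print $NF; exit }')
    # Only a bare X display (":0", ":0.0") counts as local. Network hosts,
    # screen-style entries and a missing utmp record are treated as remote.
    printf '%s\n' "$host" | grep -Eq '^\(:[0-9]+(\.[0-9]+)?\)$'
}

# Constructed sample of `who` output (not captured from a real system).
SAMPLE_WHO='alice    tty1         2010-03-16 00:50
alice    pts/0        2010-03-16 00:55 (:0.0)
alice    pts/1        2010-03-16 01:10 (192.0.2.17)
alice    pts/2        2010-03-16 01:12 (:pts/1:S.0)'

if [ -n "${PAM_TYPE:-}" ]; then
    # Invoked by pam_exec, which exports PAM_TTY and PAM_TYPE.
    is_local_session "${PAM_TTY:-}" "$(/usr/bin/who)"
    exit $?
fi
```

Anything the helper cannot positively identify as local falls through to the rest of the auth stack, so a wrong guess costs a password prompt rather than an authentication bypass.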
 
  


All times are GMT -5.