Mailing List Archive

Re: Does a known security issue allow ssh login via system accounts?
On Mon, 7 Mar 2022, Whit Blauvelt wrote:

> On Tue, 03/01/22, 2022 at 09:45:04AM +1100, Damien Miller wrote:
>
> > It sounds like you have already verified that your PAM configuration was
> > not tampered with, so that removes one possibility. Reviewing the Ubuntu
> > PAM configurations and the patches they apply to sshd seem to be prudent
> > next steps.
>
> Found the culprit: me. I was stupid enough to install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections with
> admin access, where it wasn't in scope to add 2FA to all client accounts. If
> there's existing documentation anywhere on how dangerous this is, it's not
> in libpam-google-auth's own docs, nor in the recipes scattered across the
> net.

(off-list)

If you're able to share details of what went wrong, then please let me
know and I'll make sure they get back to the developers of this module.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Does a known security issue allow ssh login via system accounts?
On Mon, 7 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:

> > >That's a nice thing about pam_yubico with real Yubikeys:
> > >they can be validated against the Yubico cloud API,
> > >without any local secrets.
> >
> > Just to make sure I understand you correctly - a cloud
> > service determines whether some access to your server
> > is to be granted?
>
> A cloud service *authenticates* the user. It's the job of *other*
> PAM modules and configuration to decide what to *authorize* this
> authenticated identity for, including login.

No, that is not the case. The module is a HOTP/TOTP implementation that
is compatible with the Google Authenticator application, it does consult
any cloud service for authentication.

-d
Re: Does a known security issue allow ssh login via system accounts?
> > A cloud service *authenticates* the user . . .
>
> No, that is not the case. The module is a HOTP/TOTP implementation that
> is compatible with the Google Authenticator application, it does consult
> any cloud service for authentication.

I don't understand what you said. Does the cloud service authenticate the user, or does it not???
Re: Does a known security issue allow ssh login via system accounts?
On Wed, 9 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:

> > > A cloud service *authenticates* the user . . .
> >
> > No, that is not the case. The module is a HOTP/TOTP implementation that
> > is compatible with the Google Authenticator application, it does consult
> > any cloud service for authentication.
>
> I don't understand what you said. Does the cloud service authenticate the user, or does it not???

err, missed a word - it does not
Re: Does a known security issue allow ssh login via system accounts?
> > I don't understand what you said. Does the cloud service authenticate the user, or does it not???
>
> err, missed a word - it does not

In that case, what about this.

From https://developers.yubico.com/yubico-pam/, description of the PAM module parameters:

mode: Mode of operation. Use "client" for online validation with a YubiKey validation service such as the YubiCloud, or use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.
Re: Does a known security issue allow ssh login via system accounts?
On Wed, 9 Mar 2022, Blumenthal, Uri - 0553 - MITLL wrote:

> > > I don't understand what you said. Does the cloud service
> > > authenticate the user, or does it not???
> >
> > err, missed a word - it does not
>
> In that case, what about this.
>
> From https://developers.yubico.com/yubico-pam/, description of the PAM
> module parameters:
>
> mode: Mode of operation. Use "client" for online validation
> with a YubiKey validation service such as the YubiCloud, or use
> "challenge-response" for offline validation using YubiKeys with
> HMAC-SHA-1 Challenge-Response configurations. See the man-page
> ykpamcfg(1) for further details on how to configure offline
> Challenge-Response validation.

I assumed we were talking about the PAM module that apparently created
the situation that started this thread, i.e.
https://github.com/google/google-authenticator-libpam and not the
Yubico one.

-d
Re: Does a known security issue allow ssh login via system accounts?
> I assumed we were talking about the PAM module that apparently created
> the situation that started this thread, i.e.
> https://github.com/google/google-authenticator-libpam and not the
> Yubico one.

My fault - did not realize what PAM module the OP was having a problem with.

> 2022-03-07 [W.B.]: Found the culprit: me. . . install and configure for
> libpam-google-auth, given a company mandate to 2FA all connections
> with admin access, . . .

> 2022-03-07 [M.S.] That's a nice thing about pam_yubico with real
> Yubikeys: they can be validated against the Yubico cloud API,
> without any local secrets.
