This repository has been archived by the owner on Apr 6, 2021. It is now read-only.

Allow expansion of PAM environment variables in secret file name #108

Closed
ThomasHabets opened this issue Oct 10, 2014 · 3 comments

Comments

@ThomasHabets
Contributor

Original issue 108 created by dwmw2b on 2011-09-26T22:55:27.000Z:

We want to use a system like gitolite with dual-factor authentication using SSH pubkey followed by google-authenticator. This runs everything as a single local UNIX user, and the individual gitolite users have different SSH keys installed, each of which is configured to run a specific gitolite command line which indicates which user to operate as.

Thus, rather than giving all the users a single GA key, we want to be able to use a secret file which depends on the public key that was used.

We achieve this with two relatively simple patches. The first (which I mention for reference) is in OpenSSH, to make it set a PAM environment variable indicating which public key was used to authenticate:
https://bugzilla.mindrot.org/show_bug.cgi?id=983#c43

The google-authenticator patch is relatively simple too. It simply extends the existing expansion of ${HOME} and ${USER} so that it can handle ${PAM:xxxxx} to expand arbitrary PAM variables too.

I can now use it like this:
auth sufficient pam_google_authenticator.so no-drop-privs secret=/etc/google-authenticator/${USER}${PAM:SSH_PUBKEY}
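As an added illustration of the expansion the issue asks for (this is not the project's code and not the patch described above), the function below substitutes ${HOME}, ${USER} and ${PAM:NAME} in a secret-file template. The PAM environment is a constructed "KEY=VALUE" list named SAMPLE_PAM_ENV, in the shape pam_getenvlist() returns, and the function name expand_secret_path() is hypothetical. One design choice not in the issue: values spliced in from ${USER} and ${PAM:...} must form a single path component (no slash, no ".."), so an unexpected variable value fails the lookup instead of selecting a secret file outside the configured directory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the PAM environment (pam_getenvlist() style). */
static const char *const SAMPLE_PAM_ENV[] = {
    "SSH_PUBKEY=ssh-ed25519_AAAAC3Nz_alice",
    "PAM_TTY=ssh",
    NULL
};

/* Constructed list whose key value is not a single path component. */
static const char *const SAMPLE_PAM_ENV_UNSAFE[] = {
    "SSH_PUBKEY=keys/other",
    NULL
};

/* Find NAME (name_len bytes) in a "KEY=VALUE" list; returns the value or NULL. */
static const char *lookup_pam(const char *const *env, const char *name, size_t name_len) {
    for (; env && *env; env++) {
        if (strncmp(*env, name, name_len) == 0 && (*env)[name_len] == '=')
            return *env + name_len + 1;
    }
    return NULL;
}

/* Added hardening (not in the issue): a substituted value must be exactly one
 * non-empty path component, so it cannot change which directory is consulted. */
static int safe_component(const char *v) {
    if (!v || !*v) return 0;
    if (strchr(v, '/') || strchr(v, '\\')) return 0;
    if (strstr(v, "..")) return 0;
    return 1;
}

/* Append s to a growable buffer; returns 0 on allocation failure. */
static int append(char **out, size_t *len, size_t *cap, const char *s) {
    size_t n = strlen(s);
    if (*len + n + 1 > *cap) {
        size_t ncap = (*len + n + 1) * 2;
        char *p = realloc(*out, ncap);
        if (!p) return 0;
        *out = p;
        *cap = ncap;
    }
    memcpy(*out + *len, s, n + 1);
    *len += n;
    return 1;
}

/* Expand ${HOME}, ${USER} and ${PAM:NAME} in tmpl. Returns a malloc'd path,
 * or NULL if the template is malformed, a variable is unknown, or a value
 * fails the single-component check. HOME is a path and is not checked. */
char *expand_secret_path(const char *tmpl, const char *home, const char *user,
                         const char *const *pam_env) {
    size_t cap = strlen(tmpl) + 1, len = 0;
    char *out = malloc(cap);
    if (!out) return NULL;
    out[0] = '\0';

    const char *p = tmpl;
    while (*p) {
        if (p[0] == '$' && p[1] == '{') {
            const char *name = p + 2;
            const char *end = strchr(name, '}');
            if (!end) goto fail;                         /* unterminated ${ */
            size_t nlen = (size_t)(end - name);
            const char *val;
            if (nlen == 4 && strncmp(name, "HOME", 4) == 0) {
                val = home;
                if (!val) goto fail;
            } else if (nlen == 4 && strncmp(name, "USER", 4) == 0) {
                val = user;
                if (!safe_component(val)) goto fail;
            } else if (nlen > 4 && strncmp(name, "PAM:", 4) == 0) {
                val = lookup_pam(pam_env, name + 4, nlen - 4);
                if (!safe_component(val)) goto fail;     /* unset or unsafe */
            } else {
                goto fail;                               /* unknown variable */
            }
            if (!append(&out, &len, &cap, val)) goto fail;
            p = end + 1;
        } else {
            char c[2] = { *p, '\0' };
            if (!append(&out, &len, &cap, c)) goto fail;
            p++;
        }
    }
    return out;

fail:
    free(out);
    return NULL;
}

int main(void) {
    /* Mirrors the secret= template from the pam config line in the issue. */
    char *path = expand_secret_path("/etc/google-authenticator/${USER}${PAM:SSH_PUBKEY}",
                                    "/home/git", "git", SAMPLE_PAM_ENV);
    printf("%s\n", path ? path : "(rejected)");
    free(path);
    return 0;
}
```

With the constructed environment the template from the issue resolves to /etc/google-authenticator/gitssh-ed25519_AAAAC3Nz_alice; an unset ${PAM:...} variable or a value containing a path separator makes the expansion fail closed rather than fall back to a shared file.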

@ThomasHabets
Contributor Author

Comment #1 originally posted by dwmw2b on 2011-09-26T22:57:42.000Z:

<empty>

@ThomasHabets
Contributor Author

Comment #2 originally posted by markus@google.com on 2011-12-15T08:53:45.000Z:

<empty>

@ThomasHabets
Contributor Author

This issue was moved to google/google-authenticator-libpam#41
