Hi,
The current policy for yubikeys only takes into account the otp functions. In addition, the pam module supports a local challenge response mode.
I have attached a patch to allow chap to work for yubikeys with selinux enabled. To note is that I have added an auth_home_rw_t type, as the pam module reads from ~/.yubico/challenge-<tokenid> and then rewrites it with a new challenge after the attempt.
I would like to especially ask that the section for the chap tunable policy be reviewed. In my testing, it seemed that login_pgm wasn't sufficient, as staff_sudo_t didn't seem to be covered by this, which is why I have added the sudodomain components. I would like to know if there is a better way to resolve this.
Sincerely,
On 03/27/2014 11:05 PM, William Brown wrote:
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
Looks OK. Basically we can also place the boolean in the sudo policy module.
Could we stay only with the "authlogin_yubikey" boolean?