[opensuse] PAM configuration for single user / rescue mode
I have questions especially for the SystemD gurus. I am trying to set up a PAM 2-factor authentication. The first factor is username/password. The second factor is a device (Yubikey). This works as expected. But I want to have an easy-to-use rescue mode. For instance the following conditions may result in a system where nobody can log in:

1. The network is down. Yubikey needs (in default "client mode") a working Internet connection.
2. The device (Yubikey) is lost or unavailable.
3. The Yubikey PAM configuration is somehow broken.
4. The computer boots in rescue mode and there is only user "root" available and the network is down.

My first idea was to exclude user "root" from the 2-factor authentication. But this is not ideal. Especially in openSUSE (with openSUSE's way to configure "sudo", where root's password should be typed in if the user wants to switch to root) the root password is often typed in and should be better protected.

Now I created a special user "rescue". This is the only user which may log in only with username/password. The configuration for "login" looks as follows:

```
#%PAM-1.0
auth     requisite  pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     [default=1 success=ignore] pam_succeed_if.so quiet user != rescue   # <- user "rescue" skips next entry
auth     requisite  pam_yubico.so id=16 authfile=/etc/yubikeyid             # <- Yubikey authentication in client mode
auth     include    common-auth
account  include    common-account
password include    common-password
session  required   pam_loginuid.so
session  include    common-session
session  optional   pam_mail.so standard
session  optional   pam_ck_connector.so
```

With a special "sudo" configuration (not shown here) user "rescue" can modify the PAM configuration and temporarily disable the Yubikey device authentication.

Now my questions are:

* Which PAM configuration file in /etc/pam.d is used for single user / rescue mode of SystemD?
* Is it possible to log in as another user except "root"? Normally only the password for "root" is accepted.

Greetings,
Björn

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
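The auth stack above, modelled in Python as an added example (not part of Björn's mail or of pam_yubico): it applies the Linux-PAM control rules for requisite/required and the `[default=1 success=ignore]` jump to a reduced copy of the stack, showing that only user "rescue" gets past it without the Yubikey. The users, the simulated module results and the reduced stack (common-auth stood in by pam_unix) are assumptions made for the demonstration.

```python
# Added example (not from the thread): a small model of how Linux-PAM walks an
# "auth" stack, checking that the posted /etc/pam.d/login lines let user "rescue"
# skip pam_yubico.so while everyone else must pass it. Users, module results and
# the reduced stack are constructed. Keywords expand to [result=action] tables:
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required":  {"success": "ok", "default": "bad"},
}

def parse_control(token):
    # 'requisite' or '[default=1 success=ignore]' -> {result: action}
    if token in KEYWORDS:
        return KEYWORDS[token]
    return dict(kv.split("=", 1) for kv in token.strip("[]").split())

def run_auth_stack(stack, outcome):
    # stack: [(control, module)]; outcome(module) -> 'success' or e.g. 'auth_err'.
    # ok records success unless a failure was already recorded; bad/die record
    # failure and die stops at once; an integer skips that many following modules.
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        ctrl = parse_control(control)
        action = ctrl.get(outcome(module), ctrl.get("default", "ignore"))
        if action == "ok":
            status = True if status is None else status
        elif action in ("bad", "die"):
            status = False
            if action == "die":
                break
        elif action.isdigit():
            i += int(action)                     # jump over the next N modules
        i += 1
    return bool(status)

# Auth lines of the posted login file; "include common-auth" reduced to pam_unix.
LOGIN_AUTH = [
    ("requisite", "pam_nologin.so"),
    ("[default=1 success=ignore]", "pam_succeed_if.so quiet user != rescue"),
    ("requisite", "pam_yubico.so id=16 authfile=/etc/yubikeyid"),
    ("required", "pam_unix.so"),
]

def login_allowed(user, has_yubikey, password_ok=True):
    results = {                                  # simulated module results
        "pam_succeed_if": "success" if user != "rescue" else "auth_err",
        "pam_yubico": "success" if has_yubikey else "auth_err",
        "pam_unix": "success" if password_ok else "auth_err",
    }   # pam_nologin passes because there is no /etc/nologin in the scenario
    return run_auth_stack(LOGIN_AUTH, lambda m: results.get(m.split(".")[0], "success"))
```

Note that the jump only protects the rescue user's login path; it says nothing about sulogin, which is the question the rest of the thread turns to.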
Bjoern Voigt wrote:

> Now my questions are:
> * Which PAM configuration file in /etc/pam.d is used for single user / rescue mode of SystemD?

To answer my own questions:

"sulogin" is used in single user / rescue mode. Some documents say that "sulogin" does not use PAM at all, e.g. http://www.fifi.org/doc/libpam-doc/html/pam-5.html

> * Is it possible to log in as another user except "root"? Normally only the password for "root" is accepted.

Probably not without hacking the sulogin source code.

As a result, if an attacker already knows the root password, but has no access to the OTP generating device, he can boot into single user / rescue mode and there he can log in with the known root password. Of course this works only with local access to the computer, and local access isn't often highly secured (closed room, BIOS password, hard disk encryption, boot loader password etc.)

Greetings,
Björn
On 13/09/2016 at 17:53, Bjoern Voigt wrote:

> As a result, if an attacker already knows the root password, but has no access to the OTP generating device, he can boot into single user / rescue mode and there he can log in with the known root password.

one can boot without any passwd with init=bash (or something similar, I say this from memory) and with a rescue disk root has no passwd, but I'm not sure I understand your question :-(

jdd
jdd wrote:

> On 13/09/2016 at 17:53, Bjoern Voigt wrote:
>> As a result, if an attacker already knows the root password, but has no access to the OTP generating device, he can boot into single user / rescue mode and there he can log in with the known root password.
> one can boot without any passwd with init=bash (or something similar, I say this from memory) and with a rescue disk root has no passwd

This is not possible with a highly hardened computer.

> but I'm not sure I understand your question :-(

Please read my initial mail in this thread: https://lists.opensuse.org/opensuse/2016-09/msg00123.html

Greetings,
Björn