Comments (8)
@st0rmi This seems like a reasonable idea. The tricky part is that if we release with this change, it could alter the behavior of existing PAM stacks, possibly even opening security vulnerabilities if people aren't expecting it.
Off the top of my head, the safest way to deal with that problem feels like we should keep the old behavior as default but allow (probably by config) an opt-in to the new behavior. I'm worried that hardly anyone will opt in to the new behavior though, somewhat undermining the effectiveness of updating it...
from duo_unix.
@st0rmi Just to make sure I'm looking at the right place, you are talking about the return value at https://github.com/duosecurity/duo_unix/blob/master/pam_duo/pam_duo.c#L221? Where if the user doesn't match any groups we return PAM_SUCCESS?
from duo_unix.
@AaronAtDuo Yup, that's the line that I believe is the culprit. I am not 100% sure, but I believe a PAM_IGNORE might be better here.
from duo_unix.
@AaronAtDuo That such a change might break existing PAM configurations was a concern I had as well. I think handling this behavior via config is probably the safest option. It might also be an option to take the "fail safe"/"fail secure" config that already exists for other behaviors into account.
from duo_unix.
We do some shenanigans on our site to ensure we don't go through DUO for non-DUO users at all, specifically because of this problem. So +1 from here.
from duo_unix.
It could also be an option to initially make this a non-default configuration (i.e. user has to manually set this behavior in the config file) and then change it to be the default behavior during the next major version update.
I could go ahead and create a PR for this, unless you need some more time to discuss this change internally first. What are your thoughts on this?
from duo_unix.
Interesting - looks like about 8 years ago we had the same thought, but reverted it
3eb3e35
from duo_unix.
By the PAM semantics, however, the commit AaronAtDuo mentions above was correct prior to the change. I note this makes it difficult to manage with the DUO config instead of inside PAM (it's certainly possible to bypass based on group with PAM, because that's what I'm doing now, but I acknowledge it makes the config more complicated).
Can I second a config option, please? I understand why the default behaviour is designed to support your DUO configuration, but for those people who have multiple MFA stacks it matters. There are complex reasons why we have multiple MFA stacks and it's not an option to use DUO for certain users. At the moment I have to put all DUO users into a posix group and detect that group, otherwise bypass DUO.
The alternative to a config option is to change your documentation so that people who want to use the DUO config have to use [ ignore=ok ]. That should result in the same behaviour that you have now (as [success=ok] in a standard PAM stack). Then you can return ignore. This does require a config change on the client side and would need more communication of the change.
from duo_unix.
Related Issues (20)
- Are there any tips as to how to get NetDrive or SSHFS to work with pam_duo? HOT 2
- Autopush should be configurable by device, not globally HOT 2
- login_duo: no selection output and automatically pushes to first phone in list with eternal terminal HOT 2
- duo_unix-1.12.1-4.el8 and setuid HOT 3
- Duo Unix 2.x RPM Digests on RHEL 8 with FIPS enabled HOT 7
- Feature request: behavior in situation of missing conf file and not member of groups directive HOT 4
- Bbbb
- More of a feature request, would like to have ,push# implemented like the Fortinet VPN module has HOT 2
- /usr/sbin/login_duo returning no such file or directory after fresh install of duo HOT 1
- Manpages (login_duo/login_duo.8, pam_duo/pam_duo.8) hardcodes /etc instead of adjusting path according to --prefix
- Choice of the second factor should have a default value
- 8.8.8.8 DNS Server is hardcoded
- duo_unix not working with openssl 3.0.8 HOT 4
- Order of DUO Devices Displayed Incorrectly for Users with 10 or More Devices HOT 3
- Duo UNIX PAM module failing on AIX
- Wrong path for duo configuration file in duo_unix-2.0.3 HOT 4
- Autopush with password pushes prompt twice HOT 5
- https_init: result from `RAND_load_file` is unchecked
- Setting https_timeout does not invoke failsafe mode as documented
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from duo_unix.