From: Andrew M. <adm...@um...> - 2010-02-17 19:07:10
I've written and checked in a generic PAM-based external factor for use with the cosign.cgi. Because it uses PAM, this external factor should help lower the bar to deployment of two-factor authentication at institutions using cosign. I've successfully tested it with RSA's SecurID and Yubikey, a USB token supporting OATH-HOTP. It's not yet integrated with the rest of the build, so you'll need to compile it by hand for the moment. I wanted to make it available for testing as soon as possible. It will be available as a configure-time option in the next release.

Please test and report bugs on SF.net. Thanks for supporting cosign.

andrew

--

Use of the PAM external factor is fairly straightforward.

Compile pam_factor.c with the name of your choice:

    gcc -lpam -o rsatoken pam_factor.c

Copy the factor to a known location, e.g., /usr/local/cosign/factors.

Edit cosign.conf and add the factor:

    factor /usr/local/cosign/factors/rsatoken -2 login passcode

The arguments after "-2" (indicating that primary authentication is required before this factor can be used) are the form input field values from the login page which should be passed to the factor. See the cosign.conf manpage FACTOR section for more details.

Edit /etc/pam.d/<factor_name>, in this example /etc/pam.d/rsatoken, and add something similar to the following:

    # cosign.cgi pam external factor using RSA's SecurID
    # pam_securid module.
    auth required pam_securid.so

    # the pam external factor always calls pam_acct_mgmt,
    # so we need to make sure that something grants us
    # access. pam_permit always returns success. local
    # customizations might want to use pam_ldap, pam_group,
    # pam_listfile, pam_localuser, or any similar module
    # satisfying the account requirement.
    account required pam_permit.so

    # deny auth tokens and session requests, to be safe.
    password required pam_deny.so
    session required pam_deny.so
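As an added example (not cosign's own code, and not from the mail above), a small Python checker that parses a /etc/pam.d/<factor_name> stack and verifies the constraints the instructions describe: a real module on the auth stack, something on the account stack that can grant access since the factor always calls pam_acct_mgmt, and pam_deny on the password and session stacks. The sample stack is constructed to mirror the /etc/pam.d/rsatoken example in the post.

```python
"""Sanity-check a /etc/pam.d/<factor_name> stack for a cosign PAM external factor.

Added example, not part of the cosign project. It encodes the constraints the
post describes: the factor calls pam_authenticate and pam_acct_mgmt, so the
auth and account stacks must each be able to grant access, while the password
and session stacks should be pam_deny.
"""
import re

# Constructed sample, mirroring the /etc/pam.d/rsatoken stack from the post.
SAMPLE_PAM_STACK = """\
# cosign.cgi pam external factor using RSA's SecurID
auth required pam_securid.so
account required pam_permit.so
password required pam_deny.so
session required pam_deny.so
"""

LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
HARD_CONTROLS = ("required", "requisite")


def parse_pam_stack(text):
    """Return a dict of management group -> list of (control, module, args)."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        group, control, module, args = m.groups()
        stacks[group].append((control, module, args or ""))
    return stacks


def check_factor_stack(text):
    """Return a list of problems; an empty list means the stack fits the post's layout."""
    stacks = parse_pam_stack(text)
    problems = []
    auth_mods = [m for _, m, _ in stacks["auth"]]
    if not auth_mods or set(auth_mods) == {"pam_permit.so"}:
        problems.append("auth: no real authentication module, the factor would accept any passcode")
    acct = stacks["account"]
    if not acct or any(c in HARD_CONTROLS and m == "pam_deny.so" for c, m, _ in acct):
        problems.append("account: pam_acct_mgmt cannot succeed; add pam_permit, pam_ldap, pam_group, ...")
    for group in ("password", "session"):
        if not any(c in HARD_CONTROLS and m == "pam_deny.so" for c, m, _ in stacks[group]):
            problems.append(f"{group}: expected a required/requisite pam_deny.so entry")
    return problems
```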