Authenticating with U2F
by Sven Vermeulen, post on Mon 11 September 2017
In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.
Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the pam_u2f setup are indeed correct that it is fairly simple. For completeness' sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.
Why does it access /etc/shadow?
by Sven Vermeulen, post on Tue 30 December 2014
While updating the SELinux policy for the Courier IMAP daemon, I noticed that it (well, the authdaemon that is part of Courier) wanted to access /etc/shadow, which is of course a big no-no. It doesn't take long to know that this is through the PAM support (more specifically, pam_unix …
Not needing run_init for password-less service management
by Sven Vermeulen, post on Tue 09 April 2013
One of the things that has been bugging me was why, even with having pam_rootok.so set in /etc/pam.d/run_init, I cannot enjoy passwordless service management without using run_init directly:
# rc-service postgresql-9.2 status
Authenticating root.
Password:
# run_init rc-service postgresql-9.2 status
Authenticating root.
* status: started
So I …