pam-u2f: pam 2fa example using clarion

Example usage of https://github.com/sorah/clarion

Usage

Preparing Keys

Place the key information in a JSON-serialized array at /var/cache/pam-u2f/${USER}.

[
  {
    "name": "NAME",
    "handle": "HANDLE",
    "public_key": "PUBLICKEY",
    "counter": COUNTER
  }
]

(counter is optional)
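As an added example (not code from this repository or from clarion), a Ruby loader for this key file format that validates the required fields, treats counter as optional, and refuses a reported counter that has not advanced past the stored one, since a repeated or lower U2F counter is the usual sign of a cloned authenticator. The sample entries and the function names are constructed for the example.

```ruby
require 'json'

# Constructed sample of /var/cache/pam-u2f/${USER}; placeholder values, not real key material.
SAMPLE_KEYFILE = <<~SAMPLE
  [
    {"name": "laptop-key", "handle": "HANDLE-A", "public_key": "PUBLICKEY-A", "counter": 41},
    {"name": "backup-key", "handle": "HANDLE-B", "public_key": "PUBLICKEY-B"}
  ]
SAMPLE

REQUIRED_FIELDS = %w[name handle public_key].freeze

# Parse and validate the key array; returns a Hash keyed by handle.
# Raises ArgumentError on any malformed entry so the PAM helper fails closed.
def load_keys(json_text)
  keys = JSON.parse(json_text)
  raise ArgumentError, 'key file must be a JSON array' unless keys.is_a?(Array)
  keys.each_with_object({}) do |entry, by_handle|
    raise ArgumentError, 'entry must be a JSON object' unless entry.is_a?(Hash)
    missing = REQUIRED_FIELDS.reject { |k| entry[k].is_a?(String) && !entry[k].empty? }
    raise ArgumentError, "missing fields: #{missing.join(', ')}" unless missing.empty?
    counter = entry['counter'] # optional, but must be a non-negative integer when present
    unless counter.nil? || (counter.is_a?(Integer) && counter >= 0)
      raise ArgumentError, "bad counter for #{entry['name']}"
    end
    raise ArgumentError, "duplicate handle #{entry['handle']}" if by_handle.key?(entry['handle'])
    by_handle[entry['handle']] = {
      'name' => entry['name'], 'public_key' => entry['public_key'], 'counter' => counter
    }
  end
end

# Record the counter reported in a signed assertion. U2F counters must strictly
# increase, so a value equal to or below the stored one is rejected.
# Returns the updated Hash (to be serialized back to the file), or nil when the
# handle is unknown or the counter did not advance.
def accept_counter(by_handle, handle, reported)
  key = by_handle[handle]
  return nil unless key
  stored = key['counter']
  return nil if stored && reported <= stored
  key['counter'] = reported
  by_handle
end
```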

PAM

Use with pam_exec(8).

# Required
auth  [success=1 default=ignore]    pam_exec.so quiet /path/to/pam-u2f --check
auth  requisite pam_deny.so
auth  [success=ignore default=die]  pam_exec.so stdout quiet /path/to/pam-u2f --initiate
auth  [success=ok default=bad]      pam_exec.so stdout expose_authtok quiet /path/to/pam-u2f --wait
# Optional (to combine with other 2FA PAM modules)
auth  [success=ignore default=2]    pam_exec.so quiet /path/to/pam-u2f --check
auth  [success=ignore default=1]    pam_exec.so stdout quiet /path/to/pam-u2f --initiate
auth  [success=ok default=ignore] pam_exec.so stdout expose_authtok quiet /path/to/pam-u2f --wait
auth  ...

Caveats:

  1. pam_exec doesn't pass the command's STDOUT to pam_info until the command exits.
  2. OpenSSH doesn't flush messages until pam_prompt, so the execution has to be split into two commands.
  3. expose_authtok enables pam_prompt before command execution.

--initiate and --wait exit with a failure when the user's key file doesn't exist.