On Tue, May 5, 2020 at 1:19 AM Andy Pieters <systemd@xxxxxxxxxxxxxxxxx> wrote:
On Mon, 4 May 2020 at 23:11, Mantas Mikulėnas <grawity@xxxxxxxxx> wrote:So this is basically for implementing sudo-like caching for 2FA?Yes that's exactly it.What authentication methods are involved here?Using yubikey + password when 2F is active, using hostkey when notSeems like there are better ways than a service file that permanently modifies /etc/group in the first place... Like a PAM module that literally touches a timestamp file.OK that sounds promising. I had thought of systemd angle first and am not that familiar with pamI found https://linux.die.net/man/8/pam_timestamp is that what you meant?
That kind of module is exactly what I meant, yes.
I would guess you can use it something like this:
auth requisite pam_unix
auth [success=1 default=ignore] pam_timestamp
auth requisite pam_yubikey
Mantas Mikulėnas
_______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
