pam-u2f OR password
I'm wondering if it's possible to configure pam-u2f to fall back to requiring a password if no YubiKey is present or the touch is cancelled?
For example, I have passwordless sudo configured in /etc/pam.d/sudo using:
auth sufficient pam_u2f.so cue
auth include system-auth
account include system-auth
session include system-auth
However, I notice there is no way of "cancelling" the request for touching the YubiKey and having it fall back to asking for the root password.
Unsure if this is a lack of implementation in the pam-u2f lib (as I can't find an option for this in the docs), or a misconfiguration on my end.
Thanks
Update: after some consideration, I realized I was sacrificing security for convenience. So, hypothetically, someone with physical access to the machine could just unplug the security key IF they knew my password too.
That being said, I switched pam_u2f from sufficient to required.
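The difference between the two control flags discussed in the post, as an added example that is not part of the original post or of pam-u2f: a simplified Python model of how libpam evaluates an auth stack, run over the posted sudo lines. It assumes system-auth reduces to a single `auth required pam_unix.so` line, treats module results as constructed booleans, and does not model the touch prompt or its timeout.

```python
# Added example: simplified model of libpam's "auth" stack evaluation.
# Module results are constructed booleans, not real authentication.
SUDO_SUFFICIENT = """auth sufficient pam_u2f.so cue
auth include system-auth"""
SUDO_REQUIRED = SUDO_SUFFICIENT.replace("sufficient", "required")
# Assumption: system-auth reduced to a single password module.
INCLUDES = {"system-auth": "auth required pam_unix.so"}

def parse_auth(text, includes):
    """Return [(control, module)] for auth lines, expanding 'include'."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, target = fields[1], fields[2]
        if control == "include":
            stack += parse_auth(includes[target], includes)
        else:
            stack.append((control, target))
    return stack

def run_auth_stack(stack, outcomes):
    """outcomes maps module -> True (PAM_SUCCESS) or False. Returns (ok, called)."""
    failed, succeeded, called = False, False, []
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not failed:
                return True, called      # success ends the stack immediately
            # a failed "sufficient" module is ignored; the stack continues
        elif control == "required":
            succeeded, failed = succeeded or ok, failed or not ok
        elif control == "requisite":
            if not ok:
                return False, called     # failure ends the stack immediately
            succeeded = True
        elif control != "optional":
            raise ValueError(f"unsupported control: {control}")
    return succeeded and not failed, called

def decision_table(config):
    """Map (key_ok, password_ok) -> authenticated for one sudo config."""
    stack = parse_auth(config, INCLUDES)
    return {(k, p): run_auth_stack(stack, {"pam_u2f.so": k, "pam_unix.so": p})[0]
            for k in (True, False) for p in (True, False)}

if __name__ == "__main__":
    for name, cfg in (("sufficient", SUDO_SUFFICIENT), ("required", SUDO_REQUIRED)):
        print(name, decision_table(cfg))
```

In this model the `sufficient` stack authenticates on key OR password, while the `required` stack needs key AND password and still calls the password module after a key failure.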