-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature request: behavior in situation of missing conf file and not member of groups directive #240
Comments
Hi, I am not sure if I made it clear enough how severe the issue#1 is in my previous post the other day, I will let the code speak for itself. I use login_duo as example, pam_duo is applicable for the same issue, because it follow the same logic.
I don't actually know how widely duo_unix is used in production. As a system admin I accept, I don't like, but I accept that I make mistake. Accidentally removing a conf file from the production system do happen, just like what happened to Notam the other day. About my point#2 on pam_duo's behavior for those not a member of the group, can you plz review you proposal. What I am looking for is to add another directive and give sysadmin discretion to make the call on return code of duo_check_groups() either PAM_SUCCESS or PAM_IGNORE. Code snippet is attached as follows.
|
@haoshu Regarding item 1: My concern with your suggestion is that if This could be especially bad during initial setup and configuration of duo unix, when the chance of making a mistake is fairly high and could lead to a lot of lock outs, especially for less experienced administrators. |
Regarding item 2, we'll review your idea and get back to you with questions. |
@AaronAtDuo Appreciate your consideration on item 2. Though I have no visibility on the other Unix variants, Linux-PAM handle PAM_IGNORE pretty well. |
Hi,
Can I suggest some change on behavior of login_duo and pam_duo?
Summary
Steps to reproduce
login_duo -c MISSING_FILE
pam_duo.so conf=MISSING_FILE
Specs
The text was updated successfully, but these errors were encountered: