On 03/27/2014 11:05 PM, William Brown wrote:
The current policy for yubikeys only takes into account the otp
functions. In addition, the pam module supports a local challenge
I have attached a patch to allow chap to work for yubikeys with selinux
enabled. To note is that I have added an auth_home_rw_t type, as the pam
module reads from ~/.yubico/challenge-<tokenid> and then rewrites it
with a new challenge after the attempt.
I would like to especially ask that the section for the chap tunable
policy be reviewed. In my testing, it seemed that login_pgm wasn't
sufficient, as staff_sudo_t didn't seem to be covered by this which is
why I have added the sudodomain components. I would like to know if
there is a better way to resolve this.
selinux mailing list
Looks OK. Basically we can
also place the boolean in the sudo policy module.
Could we stay only with "authlogin_yubikey" boolean?