
I am configuring yubico-pam to enable passwordless sudo access using challenge-response from a Yubikey. The following works:

# /etc/pam.d/sudo
auth       sufficient     pam_yubico.so mode=challenge-response
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so

unless the pam_yubico.so module is missing, uninstalled, or corrupted, in which case one is told:

$ sudo su -
sudo: unable to initialize PAM: No such file or directory

Is it possible to tell PAM to ignore a module that is missing, rather than simply returning immediately and preventing PAM from continuing to evaluate the stack?

CodeGnome

1 Answer


In the extended syntax (see pam.conf(5)), it's possible to define a custom behavior for when the dlopen() call fails by defining a behavior for the open_err error code. That said, sufficient should already be accomplishing this for you. Here's the equivalent extended syntax from that same manpage:

    sufficient
      [success=done new_authtok_reqd=done default=ignore]

See that default=ignore at the end?

   The last of these, default, implies 'all valueN's not mentioned
   explicitly. Note, the full list of PAM errors is available in
   /usr/include/security/_pam_types.h.

In other words, default=ignore is equivalent to open_err=ignore. Unless PAM is behaving in a way that is not documented here, this would suggest that the failure is occurring further down the stack.

Just to eliminate any doubt, here's the definition of PAM_OPEN_ERR from the headers:

#define PAM_OPEN_ERR 1          /* dlopen() failure when dynamically */
                                /* loading a service module */
Andrew B
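To make the answer's reasoning checkable, here is a small model of the stack evaluation it describes. This is an added example, not code from the question, the answer, or any PAM implementation: it encodes the simple-keyword to extended-syntax equivalences that Linux-PAM's pam.conf(5) documents, walks the `/etc/pam.d/sudo` stack from the question, and reports which action each entry's control takes when `pam_yubico.so` returns `open_err` instead of `success`. The function names (`parse_stack`, `evaluate`, `missing_yubico_action`) are my own. The asker's system is macOS (`pam_opendirectory.so`), and OpenPAM is not guaranteed to follow the Linux-PAM table, so the output is the documented Linux-PAM behaviour, not a test of the asker's machine.

```python
"""Model what a PAM stack does when a module fails to load (PAM_OPEN_ERR).

Added example, not from the question or answer. Encodes the control-flag
equivalences documented in Linux-PAM's pam.conf(5); OpenPAM (macOS) may
differ, so this is the documented model, not a measurement of the asker's box.
"""
import re

# Extended-syntax equivalents of the simple control keywords, as listed in
# pam.conf(5). "default" applies to every return value not named explicitly.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# The /etc/pam.d/sudo stack posted in the question.
SUDO_STACK = """\
auth       sufficient     pam_yubico.so mode=challenge-response
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""

# type, control (keyword or [bracketed list]), module path, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """Map 'sufficient' or '[success=done ... default=ignore]' to a
    dict of PAM return-value name -> action."""
    if token.startswith("[") and token.endswith("]"):
        table = dict(pair.split("=", 1) for pair in token[1:-1].split())
        if "default" not in table:
            raise ValueError("extended control without default=: " + token)
        return table
    return dict(SIMPLE_CONTROLS[token])


def parse_stack(text):
    """Parse pam.d-style lines into (type, control table, module, args)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + raw)
        typ, control, module, args = m.groups()
        entries.append((typ, parse_control(control), module, args.split()))
    return entries


def evaluate(entries, facility, outcomes):
    """Walk one facility ('auth', ...) through the stack.

    outcomes maps module file name -> the return value it produces, e.g.
    {'pam_yubico.so': 'open_err'}; modules not listed return 'success'.
    Returns (result, trace): result is 'success' or 'fail', trace lists
    (module, return value, action taken) for every entry visited.
    """
    status = None          # None = no module has contributed a result yet
    trace = []
    for typ, control, module, _args in entries:
        if typ != facility:
            continue
        retval = outcomes.get(module, "success")
        action = control.get(retval, control["default"])
        trace.append((module, retval, action))
        if action == "ignore":
            continue                      # contributes nothing; keep going
        if action in ("ok", "done"):
            if status is None:            # 'ok' never overrides an earlier failure
                status = "success"
        elif action in ("bad", "die"):
            status = "fail"
        else:
            raise ValueError("jump actions (default=N) are not modelled: " + action)
        if action in ("done", "die"):
            break                         # stop evaluating the rest of the stack
    return ("success" if status == "success" else "fail"), trace


def missing_yubico_action(stack_text=SUDO_STACK):
    """(stack result, action taken on pam_yubico.so) when its dlopen() fails."""
    result, trace = evaluate(parse_stack(stack_text), "auth",
                             {"pam_yubico.so": "open_err"})
    return result, trace[0][2]


if __name__ == "__main__":
    entries = parse_stack(SUDO_STACK)
    for outcome in ("success", "open_err"):
        result, trace = evaluate(entries, "auth", {"pam_yubico.so": outcome})
        print(f"pam_yubico.so -> {outcome}: auth stack {result}; trace {trace}")
```

Run as a script, it shows the `sufficient` entry's `open_err` landing on `default=ignore` and the stack falling through to `pam_opendirectory.so`, which is exactly the answer's point; swapping `sufficient` for `required` makes the same `open_err` hit `default=bad` and fail the stack. Anything the real system does before the stack is walked (such as the `unable to initialize PAM` error in the question) is outside this model.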