Whenever authentication via PAM completes, and the module that successfully completed the login is pam_yubico.so, I want to invoke a script.
e.g: user does sudo:
-> user is not configured for 2FA on sudo
-> user logs in with password
-> callback is not invoked
e.g.2: same user does ssh login:
-> ssh requires 2FA for this user
-> user logs in with password & yubikey
-> user login accepted
-> invoke callback
e.g.3: another user does sudo:
-> user configuration has 2FA required for sudo
-> user types pass and presses yubikey
-> user login accepted
-> invoke callback
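So, specifically, whenever a user successfully authenticates with two factors, I need to trigger the callback.
Just running a script from bash_profile or rc is not what I want. The callback needs to be invoked wherever 2F is used (kde, sudo, ssh, su ...).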
Answer 1
Executing a command after a successful module should be doable by jumping to pam_exec.so with success=${num lines to skip}
man 8 pam_exec
auth sufficient pam_unix.so
auth [success=1 default=ignore] foo_2fa.so some_other=options
auth requisite pam_deny.so
auth optional pam_exec.so debug /path/to/my/script.sh
I have not tested the above, so you may need to adjust it and make sure it is secure.
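A callback script for the pam_exec.so line in the answer above, as an added example that is not part of the original answer: it writes one log record per second-factor success from the environment variables that pam_exec exports (PAM_TYPE, PAM_USER, PAM_SERVICE, PAM_TTY, PAM_RHOST). The log path, the record layout and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: callback for "auth optional pam_exec.so debug /path/to/my/script.sh".
# Install it root-owned and not writable by anyone else; pam_exec runs it with
# the privileges of the authenticating service (often root).

# Assumed log location for this example; override with LOG_FILE in the environment.
LOG_FILE="${LOG_FILE:-/var/log/2fa-callback.log}"

# Replace every character outside a small allow-list with "_".
# PAM_USER and PAM_RHOST come from the client, so newlines or spaces in them
# could otherwise forge or split log records.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9._@:/-' '_'
}

# Print one record built from the PAM_* variables.
# Returns 1 when not called for the auth phase or when no user is set.
build_record() {
    [ "${PAM_TYPE:-}" = "auth" ] || return 1
    [ -n "${PAM_USER:-}" ] || return 1
    printf '2fa-ok user=%s service=%s tty=%s rhost=%s\n' \
        "$(sanitize "$PAM_USER")" \
        "$(sanitize "${PAM_SERVICE:-unknown}")" \
        "$(sanitize "${PAM_TTY:-none}")" \
        "$(sanitize "${PAM_RHOST:-local}")"
}

# Append a timestamped record to the log. Always returns 0 so that a logging
# problem never changes the outcome of the login.
handle_2fa_event() {
    record=$(build_record) || return 0
    umask 077
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$record" >> "$LOG_FILE" || true
    return 0
}

# Entry point: does nothing unless pam_exec has set PAM_TYPE=auth and PAM_USER.
handle_2fa_event
```

In the stack shown in the answer, sufficient on pam_unix.so ends the stack as soon as the password is accepted, so the pam_exec.so line is reached only when the password check fails and the second-factor module succeeds.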