[systemd-devel] Extend service runtime

Mantas Mikulėnas grawity at gmail.com
Tue May 5 11:07:11 UTC 2020


On Tue, May 5, 2020 at 1:19 AM Andy Pieters <systemd at andypieters.me.uk>
wrote:

>
>
> On Mon, 4 May 2020 at 23:11, Mantas Mikulėnas <grawity at gmail.com> wrote:
>
>>
>>
>> So this is basically for implementing sudo-like caching for 2FA?
>>
>>
> Yes that's exactly it.
>
>
>> What authentication methods are involved here?
>>
>
> Using yubikey + password when 2F is active, using hostkey when not
>
>
>> Seems like there are better ways than a service file that permanently
>> modifies /etc/group in the first place... Like a PAM module that literally
>> touches a timestamp file.
>>
>>> OK that sounds promising. I had thought of systemd angle first and am
> not that familiar with pam
> I found https://linux.die.net/man/8/pam_timestamp is that what you meant?
>

That kind of module is exactly what I meant, yes.

I would guess you can use it something like this:
auth requisite pam_unix
auth [success=1 default=ignore] pam_timestamp
auth requisite pam_yubikey

-- 
Mantas Mikulėnas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20200505/c06d2131/attachment.htm>


More information about the systemd-devel mailing list