On 14/05/2021 15:29, Marek Mosiewicz wrote:
> Hello,
>
> I am thinking of the idea of having an additional PAM module which passes login
> after receiving and validating a signed email (for some scenarios it
> could even require emails from many persons). Signing emails can be
> done easily in a secure way and it could also be good for auditing.
My first thought was "Doesn't PAM have some sort of timeout?" but it looks like it doesn't. If you have users who can bear to potentially wait a matter of days before knowing whether they're permitted to access a system, then I guess this could work. It sounds a little Heath-Robinson, but maybe you can argue the case for an ultra-secure host where every login must come to the immediate attention of one or more humans.

Hmm. Thinking about it a little more, you might need to consider some points about reliability:

* If PAM sends an email, it can REQUEST delivery and read receipts, but those are optional features of email. There's no guarantee that the email will arrive at the destination.

* Similarly, PAM has no way to guarantee that the signer's reply will arrive.

Now, you might be able to say "Well, we use GMail/HotMail/NeverFails which is 100% online" or "We always send to X signers and need a quorum of at least Y of them - which handles the situation when Kevin is on holiday in the Bahamas for three weeks", but you might want to at least CONSIDER sending follow-up emails (not too often, though. One or two days between them perhaps?) so that you don't end up waiting for a reply that will never come.

>
> Cheers,
> Marek Mosiewicz
>
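To make the reliability points above concrete, here is an added example (not code from either poster, and not a PAM module) that simulates the approval state a PAM module of this kind would have to track: X approvers, a quorum of Y signed replies, a deadline after which the login is refused, and reminder emails resent no more often than a configured interval. Everything in it is an assumption of the example rather than something the thread specifies: the approver addresses and keys are constructed, an HMAC-SHA256 tag stands in for the OpenPGP signature on each reply, replies are bound to a request id so a reply to an earlier login cannot be replayed, and a single "deny" verdict refuses the login.

```python
"""Simulation of the signed-email login approval flow discussed in the thread.

Added example code; not the proposed PAM module and not a real PAM module.
Assumptions not taken from the thread:
  * each approver's reply carries an HMAC-SHA256 tag over (request id, verdict),
    standing in for an OpenPGP signature;
  * approvers, quorum, deadline and reminder interval are fixed per request;
  * one "deny" verdict refuses the login even if the quorum is otherwise met.
"""
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed per-approver secrets standing in for their signing keys.
APPROVER_KEYS = {
    "alice@example.org": b"alice-key",
    "bob@example.org": b"bob-key",
    "kevin@example.org": b"kevin-key",
}


def sign_reply(key: bytes, request_id: str, verdict: str) -> str:
    """Tag an approver's mail client would attach to a reply (HMAC stand-in)."""
    msg = f"{request_id}:{verdict}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Reply:
    sender: str
    request_id: str
    verdict: str  # "approve" or "deny"
    tag: str


@dataclass
class ApprovalRequest:
    request_id: str
    user: str
    approvers: list
    quorum: int
    created_at: float
    deadline: float           # seconds after creation until the login is refused
    reminder_interval: float  # minimum seconds between emails to one approver
    approvals: set = field(default_factory=set)
    denials: set = field(default_factory=set)
    last_sent: dict = field(default_factory=dict)  # approver -> time of last email

    def __post_init__(self):
        # The initial request email goes to every approver at creation time.
        for a in self.approvers:
            self.last_sent[a] = self.created_at


def handle_reply(req: ApprovalRequest, reply: Reply, now: float):
    """Validate a reply and record its verdict. Returns a rejection reason, or None."""
    if now > req.created_at + req.deadline:
        return "late"
    if reply.sender not in req.approvers:
        return "unknown sender"
    if reply.request_id != req.request_id:
        return "wrong request"  # a reply to some other login must not count here
    expected = sign_reply(APPROVER_KEYS[reply.sender], reply.request_id, reply.verdict)
    if not hmac.compare_digest(expected, reply.tag):
        return "bad signature"
    if reply.verdict == "approve":
        req.approvals.add(reply.sender)  # a set, so repeated replies count once
    elif reply.verdict == "deny":
        req.denials.add(reply.sender)
    else:
        return "bad verdict"
    return None


def decision(req: ApprovalRequest, now: float) -> str:
    """'deny' on any denial or past the deadline, 'allow' once the quorum is met, else 'pending'."""
    if req.denials:
        return "deny"
    if len(req.approvals) >= req.quorum:
        return "allow"
    if now > req.created_at + req.deadline:
        return "deny"
    return "pending"


def reminders_due(req: ApprovalRequest, now: float) -> list:
    """Approvers who have not answered and were last emailed at least one interval ago."""
    due = []
    for a in req.approvers:
        if a in req.approvals or a in req.denials:
            continue
        if now - req.last_sent[a] >= req.reminder_interval:
            due.append(a)
            req.last_sent[a] = now  # record the reminder so it is not resent too soon
    return due
```

The point the simulation makes is that the module cannot simply block waiting for mail: it has to persist the request, re-check the quorum and the deadline each time a reply arrives, and run a separate reminder pass that only re-emails approvers who have neither answered nor been emailed within the interval, so that a lost message or an absent approver does not leave the login waiting forever.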