# pam-u2f: pam 2fa example using clarion

Example usage of https://github.com/sorah/clarion

## Usage

### Preparing Keys

Place the key information in a JSON serialized array at `/var/cache/pam-u2f/${USER}`.

```json
[
  {
    "name": "NAME",
    "handle": "HANDLE",
    "public_key": "PUBLICKEY",
    "counter": COUNTER
  }
]
```

(`counter` is optional)

### PAM

Use with pam_exec(8).

```
# Required
auth [success=1 default=ignore] pam_exec.so quiet /path/to/pam-u2f --check
auth requisite pam_deny.so
auth [success=ignore default=die] pam_exec.so stdout quiet /path/to/pam-u2f --initiate
auth [success=ok default=bad] pam_exec.so stdout expose_authtok quiet /path/to/pam-u2f --wait
```

```
# Optional (to combine with other 2FA PAM modules)
auth [success=ignore default=2] pam_exec.so quiet /path/to/pam-u2f --check
auth [success=ignore default=1] pam_exec.so stdout quiet /path/to/pam-u2f --initiate
auth [success=ok default=ignore] pam_exec.so stdout expose_authtok quiet /path/to/pam-u2f --wait
auth ...
```

Caveats:

1. `pam_exec` doesn't call `pam_info` with the command's STDOUT until the command exits.
2. OpenSSH doesn't flush messages until `pam_prompt`, so it's necessary to split the execution into two.
3. `expose_authtok` enables `pam_prompt` before command execution.

`--initiate` and `--wait` exit with a failure when the user's key doesn't exist.
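To make the jump semantics of the two stanzas concrete, here is an added Python model (not code from pam-u2f or clarion) of how Linux-PAM walks an auth stack under these control flags, so each stanza can be stepped through for a user with and without a registered key. The `other_2fa` module standing in for the `auth ...` line is an assumption.

```python
# Added example (not pam-u2f's or clarion's own code): a model of how Linux-PAM
# walks an auth stack under the control flags used in the README stanzas.
OK, BAD, DIE, IGNORE = "ok", "bad", "die", "ignore"

# Keyword flags expanded to the [success=... default=...] form they abbreviate.
KEYWORDS = {"required": {"success": OK, "default": BAD},
            "requisite": {"success": OK, "default": DIE}}

def parse_control(flag):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}"""
    if flag in KEYWORDS:
        return KEYWORDS[flag]
    return dict(kv.split("=", 1) for kv in flag.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control_flag, module_label)]; results: label -> True when the
    module returned PAM_SUCCESS (any other code takes the 'default' action).
    Returns 'success' or 'failure' as the calling application would see it."""
    failed = contributed = False
    i = 0
    while i < len(stack):
        control, label = stack[i]
        actions = parse_control(control)
        action = actions["success"] if results.get(label) else actions["default"]
        i += 1
        if action == IGNORE:
            continue
        if action.isdigit():      # jump over the next N modules
            i += int(action)
            continue
        contributed = True
        if action == BAD:         # record failure but keep walking the stack
            failed = True
        elif action == DIE:       # fail and stop immediately
            failed = True
            break
    # A stack to which no module contributed is denied, as Linux-PAM does.
    return "success" if contributed and not failed else "failure"

# The two stanzas from the README. "other_2fa" stands in for the "auth ..." line
# and is assumed here to be a 'required' second-factor module.
REQUIRED_STACK = [("[success=1 default=ignore]", "u2f-check"),
                  ("requisite", "pam_deny"),
                  ("[success=ignore default=die]", "u2f-initiate"),
                  ("[success=ok default=bad]", "u2f-wait")]
OPTIONAL_STACK = [("[success=ignore default=2]", "u2f-check"),
                  ("[success=ignore default=1]", "u2f-initiate"),
                  ("[success=ok default=ignore]", "u2f-wait"),
                  ("required", "other_2fa")]
```

With the required stanza a missing key lands on `pam_deny.so` and is refused outright, while the optional stanza jumps past the U2F steps and lets the remaining modules decide.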