Re: Define two factor authentication for Postgresql Server

From: "Gunnar \"Nick\" Bluth" <gunnar(dot)bluth(at)pro-open(dot)de>
To: pgsql-admin(at)postgresql(dot)org
Subject: Re: Define two factor authentication for Postgresql Server
Date: 2015-08-28 17:58:10
Message-ID: 55E0A132.3010207@pro-open.de
Lists: pgadmin-hackers pgadmin-support pgsql-admin pgsql-general pgsql-hackers pgsql-interfaces

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28.08.2015 at 16:29, Nima Azizzadeh wrote:
> Hello, I'm going to create two factor authentication for pgadmin
> server... I'm using postgresql 9.4 with pgadmin III on Linux Mint
> 17.2 32bit... I already have 1 password authentication but for
> better security, I just want to force 2 of them. The authentication
> factors could be anything (what user has, what user knows, where
> user is or what user is). For example: the first factor is
> "password (what user knows)" and the second is "USB device (what user
> has)". I need to force Postgresql to check both to authenticate the
> user and connect him to the server. I send you a screenshot from
> pgAdmin server authenticate screen and I'm going to implement 2
> factor authentication for this. I'm not talking about OS
> authentication. All authenticate operations should operate from
> Postgresql.
>
> I already tried this for login into pgAdmin through password and
> USB: I installed pamusb packages:
>
>     sudo apt-get install pamusb-tools libpam-usb
>
> Although I can add devices on my pamusb config file:
>
>     pamusb-conf --add-device MyDevice
>
> and I can define pamusb users. I added these lines to pamusb config
> between <users> tags:
>
>     <user id="postgres"> <device>MyDevice</device> </user>
>
> My guess: I think I should write module in /etc/pam.d and edit
> pg_hba.conf file to define login method for local users:
>
>     local all all pam pamservice=mypam
>
> but I don't know how to write module to force both authentication
> methods for this (both are required).

Basically, what you need is two "auth required ..." lines in your
custom PAM config.

"man pam.conf" will give you more than enough information.

Keep in mind though that this will only work for databases that are
running on the machine that has the USB port in question (or get it
forwarded somehow)!
- --
Gunnar "Nick" Bluth
RHCE/SCLA

Mobil +49 172 8853339
Email: gunnar(dot)bluth(at)pro-open(dot)de
_____________________________________________________________
In 1984 mainstream users were choosing VMS over UNIX.
Ten years later they are choosing Windows over UNIX.
What part of that message aren't you getting? - Tom Payne

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

-----END PGP SIGNATURE-----
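
Added example (not part of the original message, and not code from the PostgreSQL or pam_usb projects): a Python check of a PAM service file that lists the auth modules which must succeed on every login, because the "two auth required lines" advice above is undone if one of the modules is marked "sufficient". The service file contents are constructed samples for the "mypam" service named in the quoted pg_hba.conf line; the module order and the function names are assumptions.

```python
import re

# Constructed sample for /etc/pam.d/mypam: both modules are "required".
TWO_FACTOR = """\
auth     required   pam_usb.so
auth     required   pam_unix.so
account  required   pam_unix.so
"""
# Constructed sample: "sufficient" lets the USB key alone authenticate the user.
ONE_FACTOR = """\
auth     sufficient pam_usb.so
auth     required   pam_unix.so
"""

def auth_stack(text):
    """Return [(control, module)] for the auth entries of a PAM service file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if line.startswith("@include"):               # Debian-style include
            stack.append(("include", line.split()[-1]))
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3)))
    return stack

def enforced_factors(text):
    """Modules that are guaranteed to run and must succeed on every login."""
    must_pass = []
    for control, module in auth_stack(text):
        if control in ("required", "requisite"):
            must_pass.append(module)
        elif control != "optional":
            # sufficient, [value=action] jumps and includes can end or alter
            # the stack; nothing after them is treated as guaranteed.
            break
    return must_pass

def is_two_factor(text):
    # Two distinct mandatory modules; whether they are different *kinds*
    # of factor still has to be judged by a person.
    return len(set(enforced_factors(text))) >= 2

if __name__ == "__main__":
    for name, cfg in (("TWO_FACTOR", TWO_FACTOR), ("ONE_FACTOR", ONE_FACTOR)):
        print(name, enforced_factors(cfg), is_two_factor(cfg))
```

The check is deliberately conservative: it does not follow includes or interpret bracketed controls, so a stack that relies on them is reported as not provably two-factor.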
