It is currently Mon Sep 06, 2010 1:56 pm

The Yubico Forum is intended for anyone who wants to learn, question, comment or contribute to Yubico's technology. To avoid spam and misuse we only allow YubiKey owners to post comments. If you do not have a YubiKey, you can send your question to forum@yubico.com or order a YubiKey at www.yubico.com/products/order.

All times are UTC - 8 hours

[ 28 posts ]  Page 3 of 3
 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Sat Feb 14, 2009 9:14 am 
Joined: Tue Jan 27, 2009 7:00 am
Posts: 5
That did the trick!

 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Tue Feb 17, 2009 12:51 pm 
Joined: Sat Jul 05, 2008 12:21 pm
Posts: 10
Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting a cascading auth issue when using multiple "required" PAM modules.

session:
Code:
$ ssh root@x.x.x.x
gorkab@x.x.x.x's password:
Permission denied, please try again.
gorkab@x.x.x.x's password:

debug log:
Code:
[pam_yubikey.c:pam_sm_authenticate(104)] called.
[pam_yubikey.c:pam_sm_authenticate(105)] flags 1 argc 0
[pam_yubikey.c:pam_sm_authenticate(112)] verbose=0
[pam_yubikey.c:pam_sm_authenticate(122)] get user returned: gorkab
[pam_yubikey.c:get_response(206)] conv returned: <<REALUNIXPW>>
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: <<REALUNIXPW>>
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(268)] public_uid has no length, OTP is invalid
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 8


I thought it might go away as Lenny got older, but it didn't.

 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Fri Mar 13, 2009 4:16 am 
Joined: Fri Mar 13, 2009 1:48 am
Posts: 3
I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
Code:
ykvalidate --user kramer [otp removed]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

BTW I noticed that make install put the pam_yubikey.* in /lib/security instead of /lib64/security.

 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Fri Mar 13, 2009 5:40 am 
Joined: Fri Mar 13, 2009 1:48 am
Posts: 3
lintweaker wrote:
This is with Fedora 10 x86_64. Any hints on how to investigate this further?

I've rebuilt the libraries with debugging enabled. The log files show:

Code:
[pam_yubikey.c:get_response(206)] conv returned: [snipped]
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(279)] couldn't access database: /etc/yubikey
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 9

So somehow /etc/yubikey cannot be read. As this is on a Fedora machine with SELinux enabled I had to change the /etc/yubikey context as well. I 'stole' the context from another file in /etc:

Code:
chcon -v --reference=/etc/wvdial.conf yubikey


I am not sure that's correct, but I no longer get SELinux messages. Unfortunately the problem persists, even after giving everybody read rights on the /etc/yubikey file. Clueless :(

 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Fri Mar 13, 2009 5:56 am 
Joined: Fri Mar 13, 2009 1:48 am
Posts: 3
lintweaker wrote:
I am not sure that's correct, but I no longer get SELinux messages. Unfortunately the problem persists, even after giving everybody read rights on the /etc/yubikey file. Clueless :(


OK, again replying to my own message.
By default the file /etc/yubikey has the following permissions:
Code:
-rw-r--r-- root root
Checking the ykdbDatabaseOpen function in yubikey_db.c shows:

Code:
/* open the db */
   handle->file_descriptor = open(path, O_RDWR);
   if (handle->file_descriptor == -1)
   {
      free(handle);

      YKDB_ERROR(YKDB_ERR_IO);
      return NULL;
   }

that the database is opened with read-write permissions (is that really necessary here?).
Changing the permissions on /etc/yubikey gets rid of the 'could not access database' error:

Code:
[ykvalidate.c:_yubi_run_helper_binary(275)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[ykvalidate.c:_yubi_run_helper_binary(388)] returning 0

I am not sure this is the right way forward.

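Two things in this thread hinge on what an offline validator actually does with an OTP: gorkab's debug log, where a Unix password typed at the OTP prompt is rejected with "public_uid has no length, OTP is invalid", and lintweaker's question above about why ykdbDatabaseOpen insists on O_RDWR. The sketch below is an added example, not yubipam's code. It walks the checks any offline validator has to make: split the OTP into public id and 32-character token, decrypt the token, verify its CRC, and require a strictly increasing counter. That last step is why the database must be writable: the new counter has to be persisted or the same OTP could be replayed. The AES-128-ECB decryption of the token is a pluggable argument (identity by default so the block runs with no crypto library, which is an assumption for the demo only); the key record, public id and OTPs are constructed.

```python
"""Offline YubiKey OTP validation, sketched in Python (added example, not yubipam)."""
MODHEX = "cbdefghijklnrtuv"   # YubiKey's keyboard-layout-independent hex alphabet
TOKEN_LEN = 32                # 16 encrypted bytes, modhex-encoded
CRC_OK_RESIDUE = 0xF0B8       # crc16 over a block with a valid trailing CRC


def modhex_decode(s: str) -> bytes:
    s = s.lower()
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not modhex")
    return bytes(MODHEX.index(s[i]) << 4 | MODHEX.index(s[i + 1])
                 for i in range(0, len(s), 2))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey: poly 0x8408 (reflected), init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def split_otp(otp: str):
    """Return (public_id, token_bytes); raise ValueError for anything else.

    A Unix password typed at the OTP prompt dies here: it is not modhex, or it
    leaves nothing for the public id once 32 chars are reserved for the token
    (the 'public_uid has no length, OTP is invalid' line in the debug logs).
    """
    otp = otp.strip()
    if len(otp) <= TOKEN_LEN:
        raise ValueError("public_uid has no length, OTP is invalid")
    public_id, token = otp[:-TOKEN_LEN], otp[-TOKEN_LEN:]
    modhex_decode(public_id)                 # charset check only
    return public_id.lower(), modhex_decode(token)


def parse_token(plain: bytes) -> dict:
    """Fields of the 16-byte decrypted token (YubiKey OTP layout)."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("bad CRC: wrong AES key or corrupted OTP")
    return {
        "private_uid": plain[0:6],
        "use_counter": int.from_bytes(plain[6:8], "little") & 0x7FFF,
        "timestamp": int.from_bytes(plain[8:11], "little"),
        "session_counter": plain[11],
    }


def make_token(private_uid: bytes, use_counter: int, session_counter: int,
               timestamp: int = 0x123456, rnd: int = 0) -> bytes:
    """Constructed plaintext token (what a key would encrypt) for the demo."""
    body = (private_uid + use_counter.to_bytes(2, "little")
            + timestamp.to_bytes(3, "little") + bytes([session_counter])
            + rnd.to_bytes(2, "little"))
    crc = crc16(body) ^ 0xFFFF              # stored complemented, little-endian
    return body + crc.to_bytes(2, "little")


def verify(otp: str, db: dict, decrypt=lambda aes_key, blob: blob) -> str:
    """Validate one OTP against db (public id -> record); return "OK" or a reason.

    On success the record's counters are advanced in place. A file-backed
    validator has to write that update back, hence open(path, O_RDWR) and the
    'couldn't access database' failures on a read-only /etc/yubikey.
    The default decrypt is an identity stand-in (assumption for the demo).
    """
    try:
        public_id, token = split_otp(otp)
        rec = db.get(public_id)
        if rec is None:
            return "unknown public id"
        fields = parse_token(decrypt(rec["aes_key"], token))
    except ValueError as e:
        return str(e)
    if fields["private_uid"] != rec["private_uid"]:
        return "private uid mismatch"
    seen = (rec["use_counter"], rec["session_counter"])
    now = (fields["use_counter"], fields["session_counter"])
    if now <= seen:
        return "replayed OTP (counter not increasing)"
    rec["use_counter"], rec["session_counter"] = now   # the write that needs O_RDWR
    return "OK"


def demo() -> list:
    """Constructed key record and OTPs; returns the verdict for each attempt."""
    uid = bytes.fromhex("0102030405aa")                # constructed private uid
    db = {"ccccccbcgujh": {"aes_key": bytes(16), "private_uid": uid,
                           "use_counter": 5, "session_counter": 0}}
    good = "ccccccbcgujh" + modhex_encode(make_token(uid, 6, 0))
    tampered = good[:-1] + ("c" if good[-1] != "c" else "b")
    return [verify(good, db),        # OK
            verify(good, db),        # replay: counters were already advanced
            verify(tampered, db),    # CRC failure
            verify("hunter2", db)]   # Unix password at the OTP prompt


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The replay check is the point of the exercise: a validator that can read the database but not write it can still say "OTP is VALID" (as ykvalidate did under root), but it cannot record that the counter moved, so a second submission of the same OTP would pass too. Making /etc/yubikey world-readable therefore fixes nothing; the file (or a copy under a writable path, as the F12 post later in the thread does) has to be writable by the helper, with the SELinux context to match.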
 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Tue Mar 31, 2009 7:36 pm 
Joined: Mon Nov 24, 2008 3:10 pm
Posts: 4
gorkab,

sorry for the delayed response, but yes, yubipam works just fine for me under Lenny. Granted, I had built it (and packaged it) under Etch, so that might be the difference...?

gorkab wrote:
Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting the a cascading auth issue when using multiple "required" pam modules.

 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Wed Jul 08, 2009 8:21 am 
Joined: Wed Jul 08, 2009 8:18 am
Posts: 1
Hi,

I really like the offline PAM module. After some problems I got it working. :)

The only thing I want to ask is: is there a way, via PAM or this module directly, to create a two-way authorisation?
I simply want to enter a password and then press the YubiKey.

thanks

phil

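A PAM stack for the password-then-YubiKey login phil asks about, which also shows why gorkab's session earlier in the thread behaves as it does. This is an added example, not from the thread or from yubipam's documentation; the file path and module install location are assumptions, and only standard PAM control flags are used, no module-specific options.

```text
# /etc/pam.d/sshd (auth section only) -- added example, not from this thread.
# Assumes the module was installed as pam_yubikey.so under /lib/security
# (or /lib64/security on x86_64) and that its database is writable by the
# authenticating process.

# Order is prompt order: Unix password first, then the OTP. Both are
# 'required', so PAM still runs pam_yubikey after pam_unix fails and only
# reports the combined verdict; the caller cannot tell which factor was wrong.
auth    required    pam_unix.so
auth    required    pam_yubikey.so
```

With pam_yubikey listed first, its prompt comes first, and a Unix password typed there goes to the OTP parser; that is what the "conv returned: <<REALUNIXPW>>" and "public_uid has no length" lines in gorkab's debug log show. For two separate prompts over SSH the server has to use keyboard-interactive (ChallengeResponseAuthentication yes and PasswordAuthentication no in sshd_config): with plain password authentication sshd answers every PAM prompt with the single password the client sent, so the second module never gets its own input.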
 Post subject: Re: Offline PAM for the Yubikey
PostPosted: Wed Feb 03, 2010 3:56 pm 
Joined: Mon Jul 20, 2009 1:07 pm
Posts: 3
I got yubipam 1.0.4 working with SELinux in F12 but had to follow some different steps to the ones I found here:

http://blog.rootshell.be/2009/03/27/yub ... -on-linux/

To give /etc/yubikey write permission from the login process I had to rebuild with:

Code:
./configure --with-authdb=/var/lib/gdm/yubikey

Then I made sure yubikey had:

Code:
# ls -Z /var/lib/gdm/yubikey
-rw-rw-r--. root yubiauth system_u:object_r:xdm_var_lib_t:s0 /var/lib/gdm/yubikey

Otherwise, I could not log in because yk_chkpwd could not write to /etc/yubikey (this is with SELINUX=enforcing).

One unexpected hitch: I am able to log in with the YubiKey, but as soon as I'm in I'm prompted for my password to unlock the GNOME keyring :( Apart from that, it's neat.
