I implemented my new Yubikey into my OS X PAM like described within https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html
I entered the
Code:
auth sufficient pam_yubico.so mode=challenge-response debug
line into /etc/pam.d/sudoThat is what I get as Output when I try to sudo:
Code:
55-555-1::[20150204-160652]::mT@yg:~
$ sudo -i
Password:
debug: pam_yubico.c:764 (parse_cfg): called.
debug: pam_yubico.c:765 (parse_cfg): flags -2147483648 argc 2
debug: pam_yubico.c:767 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:767 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:768 (parse_cfg): id=-1
debug: pam_yubico.c:769 (parse_cfg): key=(null)
debug: pam_yubico.c:770 (parse_cfg): debug=1
debug: pam_yubico.c:771 (parse_cfg): alwaysok=0
debug: pam_yubico.c:772 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:773 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:774 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:775 (parse_cfg): authfile=(null)
debug: pam_yubico.c:776 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:777 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:778 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:779 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:780 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:781 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:782 (parse_cfg): url=(null)
debug: pam_yubico.c:783 (parse_cfg): urllist=(null)
debug: pam_yubico.c:784 (parse_cfg): capath=(null)
debug: pam_yubico.c:785 (parse_cfg): token_id_length=12
debug: pam_yubico.c:786 (parse_cfg): mode=chresp
debug: pam_yubico.c:787 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:829 (pam_sm_authenticate): get user returned: mT
debug: pam_yubico.c:506 (do_challenge_response): Loading challenge from file /Users/mT/.yubico/challenge-3016718
debug: util.c:270 (load_chalresp_state): Challenge: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, iterations: 10000, slot: 2
debug: pam_yubico.c:584 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:664 (do_challenge_response): Challenge-response success!
$ sudo -i
Password:
debug: pam_yubico.c:764 (parse_cfg): called.
debug: pam_yubico.c:765 (parse_cfg): flags -2147483648 argc 2
debug: pam_yubico.c:767 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:767 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:768 (parse_cfg): id=-1
debug: pam_yubico.c:769 (parse_cfg): key=(null)
debug: pam_yubico.c:770 (parse_cfg): debug=1
debug: pam_yubico.c:771 (parse_cfg): alwaysok=0
debug: pam_yubico.c:772 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:773 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:774 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:775 (parse_cfg): authfile=(null)
debug: pam_yubico.c:776 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:777 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:778 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:779 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:780 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:781 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:782 (parse_cfg): url=(null)
debug: pam_yubico.c:783 (parse_cfg): urllist=(null)
debug: pam_yubico.c:784 (parse_cfg): capath=(null)
debug: pam_yubico.c:785 (parse_cfg): token_id_length=12
debug: pam_yubico.c:786 (parse_cfg): mode=chresp
debug: pam_yubico.c:787 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:829 (pam_sm_authenticate): get user returned: mT
debug: pam_yubico.c:506 (do_challenge_response): Loading challenge from file /Users/mT/.yubico/challenge-3016718
debug: util.c:270 (load_chalresp_state): Challenge: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, iterations: 10000, slot: 2
debug: pam_yubico.c:584 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:664 (do_challenge_response): Challenge-response success!
So, it give me a success at the end, but OS X seems to be really unimpressed by this and still ask me for the password -.-
Where do I go wrong? :/
I already searched for one week, but of course I do also not want to brick my box, by removing password auth from the /etc/pam.d/sudo
It also fails when I try to do the same in the file /etc/pam.d/screensaver
Advance Thanks
Statistics: Posted by megatraveller2 — Wed Feb 04, 2015 4:27 pm
]]>