Re: SSH authentication with 3 step (login/passwd/otp)

2011-02-15T23:39:37+01:00

Hi meepmeep,

yes it is possible. I guess it would be possible in several differen ways. Well - I do not know the pam_yubico.so but you could do some pam stacking that first would do

pam_unix

to authenticate with the password and then do

pam_radius or pam_yubico

to authenticate with the OTP.
You can use the yubikey with many different backends. When you inititilize it with HOTP, there are even more backends aroud, which will work e.g. with pam_radius...

(Just a very top level answer...)

Kind regards
Cornelius

Statistics: Posted by cornelinux — Tue Feb 15, 2011 11:39 pm

SSH authentication with 3 step (login/passwd/otp)

2011-01-26T12:17:08+01:00

Hi

I just get my yubikey, and I would like to know if it's possible to have a 3 step identification :
- login (not always a dependant step, because the ssh client could tacitly send the username)
- Password
- OTP

Currently, my yubikey is working great with yubico-pam on a debian stable, but, the OTP has to be concatenate with the password (I enter my username, press enter, enter my password, press the yubikey).

I'm using :
- Debian stable (5.0.8)
- OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
- Ykclient 2.3
- pam-yubiko 2.5
- in /etc/pam.d/sshd :

Code:

auth required pam_yubico.so id= key= debug authfile=/etc/yubikey_mappings

- In /etc/yubikey_mappings :
:
- In /etc/pam.d/common-auth :

Code:

auth    [success=1 default=ignore]      pam_unix.so nullok_secure debug try_first_pass

- In /etc/ssh/sshd_config :

Code:

PasswordAuthentication yes
ChallengeResponseAuthentication no

I try to set

Code:

ChallengeResponseAuthentication yes

The ssh login ask my credential in 3 step .. but it's not working :

Code:

meepmeep@Marvin:~$ ssh dev.box
Yubikey for `meepmeep':
Password:
Read from remote host dev.box: Connection reset by peer
Connection to dev.box closed.

debug file :

Code:

[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=
[pam_yubico.c:parse_cfg(407)] argv[1]=key=
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=
[pam_yubico.c:parse_cfg(409)] key=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: vcutccutjtggbgnjjcgjbjlncudivkvl
[pam_yubico.c:pam_sm_authenticate(558)] OTP: vcutccutjtggbgnjjcgjbjlncudivkvl ID:  
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: 
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=
[pam_yubico.c:parse_cfg(407)] argv[1]=key=
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=
[pam_yubico.c:parse_cfg(409)] key=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: -1216685976

Finally, I try to put the line

Code:

auth required pam_yubico.so id= key= debug authfile=/etc/yubikey_mappings

at the end of the /etc/pam.d/sshd (so the OTP is ask after my password), I get the same error on the client side (connection closed), and I get this debug file :

Code:

[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=
[pam_yubico.c:parse_cfg(407)] argv[1]=key=
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=
[pam_yubico.c:parse_cfg(409)] key=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: flcrldfivfhbgdelulijvkcljudvgbll
[pam_yubico.c:pam_sm_authenticate(558)] OTP: flcrldfivfhbgdelulijvkcljudvgbll ID: 
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: 
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=
[pam_yubico.c:parse_cfg(407)] argv[1]=key=
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=
[pam_yubico.c:parse_cfg(409)] key=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: 0

(the last "retval" is different, but I don't know what it means !)

I'm open to any idea

Statistics: Posted by meepmeep — Wed Jan 26, 2011 12:17 pm

Yubico Forum

Re: SSH authentication with 3 step (login/passwd/otp)

SSH authentication with 3 step (login/passwd/otp)