I have 2 near identical Centos 6.5 servers, one a standard install "Web Server" build and one a standard install "Database Server" build, not had a chance to mess with them in order to add anything non standard apart from for yubikey;
Code:
cat /etc/redhat-release;
CentOS release 6.5 (Final)
Code:
uname -r;
2.6.32-431.el6.x86_64
pulled the latest rpm's from epel repo;
Code:
Installed: libyubikey-1.11-2.el6.x86_64
Installed: ykpers-1.6.2-1.el6.x86_64
Installed: ykclient-2.7-1.el6.x86_64
Installed: pam_yubico-2.13-1.el6.x86_64
/etc/pam.d/sshd has the following;
Code:
auth required pam_yubico.so id=[MYCODE] key=[MYKEY] debug authfile=/etc/yubikeys url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
/etc/yubikeys contains the correct key for the user
/etc/ssh/sshd_config has the following added/enabled;
Code:
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
and on one server (the web version) it works perfectly and on the other (the db version) it doesn't!
only error message is in /var/log/secure;
Code:
Jul 1 15:41:14 localhost sshd[6134]: Postponed keyboard-interactive for USER from IPADDR port 55814 ssh2
Jul 1 15:41:19 localhost sshd[6134]: Postponed keyboard-interactive/pam for USER from IPADDR port 55814 ssh2
Jul 1 15:41:26 localhost sshd[6133]: error: PAM: Authentication service cannot retrieve authentication info for USER from IPADDR
the only thing that is noticeable is is a slight delay after the Yubikey is pressed and before the password is asked for on the working server and it there is no delay on the non-working server.
both network's look okay and can resolve the api address fine, i can't seem to see any explanation for this.
anyone any ideas?Statistics: Posted by prensrfc — Tue Jul 01, 2014 4:16 pm
]]>