Yubico Forum ...visit our web-store at 2014-07-08T10:20:59+01:00 https://forum.yubico.com/feed.php?f=23&t=1423 2014-07-08T10:20:59+01:00 2014-07-08T10:20:59+01:00 https://forum.yubico.com/viewtopic.php?t=1423&p=5388#p5388 <![CDATA[[PROBLEM] pam_yubico and urllist (HA)]]>
i want to use the pam_yubico Module with Two Factor SSH authentication.

Here is my configuration:

Code:
auth requisite pam_yubico.so id=1 urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify authfile=/etc/yubikey_mappings/authorized_yubikeys debug


On the hajvmyk01 server runs two instance of yubico-serve. TFA for SSH is configured on hajvmyk02 (client).

Currently http://hajvmyk01:8000/wsapi/2.0/verify is not reachable. (HA failure test).

So if I login into the client it successfully login but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]


Authentication failure.

Another login fails but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultdgngcbedjirtfuncljkinvjjktktuccc ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(222)] Using system-wide auth_file /etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:check_user_token(179)] Authorization line: root:vvuficteuult
[pam_yubico.c:check_user_token(183)] Matched user: root
[pam_yubico.c:check_user_token(188)] Authorization token: vvuficteuult
[pam_yubico.c:check_user_token(191)] Match user/token as root/vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Success]


Success.

The 3rd try is a little bit strange, it will be timeouted.

Log:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK


The urllist parameter has been changed and is not equal to the pam file.

Does anybody know of this problems or what I misconfigured?

I use Ubuntu 12.04 and the offical yubico ppa packages.

Statistics: Posted by jkroepke — Tue Jul 08, 2014 10:20 am

]]>