I have a couple of Yubikeys which I have configured with my own authentication server; I have pam configured to use that server and it has all been working well.
I renewed my ssl certificates a few days ago and since then, the pam authentication has failed to work. If I put pam into debug mode, I get:
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: <OTP> ID: cccccccccccb
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (101): Could not parse server response
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication service cannot retrieve authentication info]
However, if I run curl from the command line to double check things:
curl "https://<url>/wsapi/2.0/verify?id=1&otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif&nonce=12345678901234567890"
h=ZNrvPCKBjfbPA6sVuBaIQcZ2wtc=
t=2014-08-20T10:50:53Z0954
otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif
nonce=12345678901234567890
sl=0
status=OK
If I put the old SSL certs back in place, everything starts working again. The only thing I can think of is that I use a 4096 byte SSL key, rather than the standard 2048 - could this case the issue?
Any idea how I can debug things? The rest of my SSL infrastructure works fine - Firefox recognises everything as normal; curl has no issues, I don't really know where to go next...
The pam config is:
authsufficientpam_yubico.so debug id=1 url=https://<url>/wsapi/2.0/verify?id=%d&otp=%s
Cheers,
DavidStatistics: Posted by hobleyd — Wed Aug 20, 2014 1:24 pm
]]>