Yubico Forum

Re: PAM config for sshd in RHEL 7 / CentOS 7

2014-10-20T10:01:53+01:00

@Yubico: is there a solution? Can someone guide me with some hints on this issue?

Statistics: Posted by minimax — Mon Oct 20, 2014 10:01 am

Re: PAM config for sshd in RHEL 7 / CentOS 7

2014-09-25T11:48:40+01:00

If you compile

* ykclient-2.13
* libyubikey-1.12
* ykpers-1.15.3

and

* yubico-pam from Github

then you will get the pam_yubico.so. But activating now results in

Code:

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

This seems due to /etc/pam.d/password-auth:

Code:

auth requisite pam_succeed_if.so uid >= 1000 quiet_success

But whatever you change here, I can't login using YubiKey.

Statistics: Posted by minimax — Thu Sep 25, 2014 11:48 am

Re: PAM config for sshd in RHEL 7 / CentOS 7

2014-09-25T10:35:33+01:00

Ok, I tried the same - there is no need to set a symbolic link if you provide the correct filename directly in /etc/pam.d/sshd:

Code:

auth sufficient /usr/lib64/libyubikey.so.0 id=16 authfile=/etc/yubikey_mappings

Despite of that I get the same results:

Code:

PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred

Statistics: Posted by minimax — Thu Sep 25, 2014 10:35 am

Re: PAM config for sshd in RHEL 7 / CentOS 7

2014-09-23T22:11:53+01:00

I got a little further than you did.

I did the same bits with yum, but placed my "auth sufficient libyubikey.so id=16 authfile=/etc/yubikey_mappings" (note the change from "required" to "sufficient" line in /etc/pam.d/password-auth

I then realized that CentOS 7 was looking in /usr/lib64/security for the PAM *.so files, so I went there and linked to the Yubikey library:

Code:

ln -s /usr/lib64/libyubikey.so.0 /usr/lib64/security/libyubikey.so

This yielded an error in /var/log/secure every time I tried to SSH in to my host:

Code:

Sep 23 16:03:46 netservices3 sshd[3961]: PAM unable to resolve symbol: pam_sm_authenticate
Sep 23 16:03:46 netservices3 sshd[3961]: PAM unable to resolve symbol: pam_sm_setcred

Statistics: Posted by mystic1 — Tue Sep 23, 2014 10:11 pm

PAM config for sshd in RHEL 7 / CentOS 7

2014-08-20T10:08:16+01:00

I can't get Yubikey to work with SSH on RHEL 7 / CentOS 7. I always get the error

Code:

debug1: PAM: initializing for "root"
PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred
debug1: PAM: setting PAM_RHOST to "192.168.122.1"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
password check failed for user (root)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user$
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
debug1: PAM: password authentication failed for root: Module is unknown

This is what I did to install Yubikey on RHEL 7 / CentOS 7:

Code:

rpm -Uvh http://download.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
yum -y install libyubikey

In /etc/pam.d/sshd:

Code:

#%PAM-1.0
auth required /usr/lib64/libyubikey.so id=16 authfile=/etc/yubikey_mappings
...the rest of the file

In /etc/yubikey_mappings:

Code:

root:cccc....

Code:

systemctl restart sshd.service

But no luck. On RHEL 6 and CentOS 6, everything is working fine.

Statistics: Posted by minimax — Wed Aug 20, 2014 10:08 am