Yubico Forum

Re: SSH authentication

2011-03-03T03:27:58+01:00

rossnick wrote:

If I change the sufficient for required, I see :

# ssh rossnick@localhost
Yubikey for `rossnick':
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

Logs show me that the yubikey auth worked, and see this :

sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

in my secure log.

I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM at yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.

I have _exactly_ this problem on Ubuntu 10.10. I've compiled the yubico lib and pam lib from the latest git source.

I set up as per the instructions but if I set "auth required" in my pam.d/sshd file and log in, I get the yubikey prompt... followed by my password prompt.. but the second I type in my password I get disconnected and the following error shows up in my /var/log/auth.log:

Mar 3 10:15:47 ************ sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

If I change it to "auth sufficient" in the pam.d/sshd file then it works fine I can log in no problems with just the yubikey and no password prompt. I don't _mind_ using the yubikey as my only auth.. but I would _much_ rather have the two factor of my PW + the yubikey.

Any suggestions as to why this is dying with the required option?

Statistics: Posted by kai — Thu Mar 03, 2011 3:27 am

Re: SSH authentication

2010-10-20T18:11:25+01:00

I just found a post from romain, also related to pam, which I first discarded because of kerberose.

But, I downloaded those rpms instead and modified a bit the config to use default api servers instead of my own, and now all works well.

Statistics: Posted by rossnick — Wed Oct 20, 2010 6:11 pm

Re: SSH authentication

2010-10-20T17:43:39+01:00

Hi !

I'm new to the yubikey world, I just received mine, and I am starting to play with it.

I was able to use pam_yubico.so to authenticate with ssh. But, in sufficient mode only.

In this mode, I can login with my yubikey or my password. Either one work.

If I change the sufficient for required, I see :

# ssh rossnick@localhost
Yubikey for `rossnick':
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

Logs show me that the yubikey auth worked, and see this :

sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

in my secure log.

I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM at yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.

Any hints on what I missed ?

Statistics: Posted by rossnick — Wed Oct 20, 2010 5:43 pm

Re: SSH authentication

2010-10-13T10:46:30+01:00

superstructure -> some food for thoughts:

You can "force" Yubikeys for external users with this line at the beginning of your PAM configuration file for SSH:

# Enable Yubikey authentication for the users listed in /etc/external_users
auth [success=1 new_authtok_reqd=ok default=ignore] pam_listfile.so item=user sense=deny file=/etc/external_users onerr=fail

(It will tell PAM to skip the next line in the file, which should be where pam_yubico is called, for users NOT listed in external_users. ie: users in the external_users file must use Yubikeys.)

You then need to set "ChallengeResponseAuthentication Yes" in SSH to move password authentication from the "password" to the "keyboard-interactive" method.

Finally, you must disable SSH Public key authentication altogether. It's unfortunate, but this authentication method is handled by SSH internally, and if it is successful, PAM will not be called, effectively disabling multifactor authentication.

HTH,
Romain.

Statistics: Posted by romain — Wed Oct 13, 2010 10:46 am

Re: SSH authentication

2010-03-29T15:13:57+01:00

OK, we have a very similar problem.

We have a system running opensuse 10.3 that is configured to allow external users access to our internal network. At present this is using Aladdin secure usb tokens for standard public key access vis ssh.

I have configured another sshd daemon, running on a different port, for use for access with yubikeys.

The question I have is how to configure the pam set up to allow for mixed access.

Internal users have to be able to connect to this machine via ssh with standard password authentication.
External users need to be able to continue to connect via ssh with standard public key and password acccess and also users with yubikey need ssh access with 2 factor authentication. posting.php?mode=reply&f=5&t=403&sid=7efc8d0782cc48c526af1c50a99a3951#

Statistics: Posted by superstructure — Mon Mar 29, 2010 3:13 pm

Re: SSH authentication

2009-11-09T18:17:10+01:00

Okay, solved my problem.

After watching this video (about half way): http://www.cruzinthegalaxie.com/how-to- ... on-fedora/

I realized that the PasswordAuthentication no which was set on my ssh server isn't the default value, I changed that to yes and now the single factor authentication works.

Another note for anyone trying to set this up: Read the instructions fully, I ran into a few issues because I skipped steps without realizing it.

You'll need your id if you are authenticating against Yubico's servers, see -> http://yubico.com/developers/api/

Statistics: Posted by betrunkenaffe — Mon Nov 09, 2009 6:17 pm

Re: SSH authentication

2009-11-09T08:48:32+01:00

ATM, I would be happy with either. I will probably use 2 factor however until 1 factor works, I am unconcerned.

network-marvels wrote:

Also, irrespective of single factor or two factor authentication, edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from the “/etc/ssh/sshd_config” file.

We would appreciate if you can make the above mentioned changes and test again.

I know this one fairly well.

ssh 192.168.1.5 -p 32123 -l user
Permission denied (publickey).

I was seeing many comments that yes was required. I did notice on this pass looking at the logs

kcheckpass: pam_unix2(xdm:auth): Unknown option: `try_first_pass`
kcheckpass:pam_unix2(xdm:setcred): Unknown option: `try_first_pass`
sshd: Received signal 15: terminating

I'll look more into that when I wake up again.

Thanks.

To answer OP: Unless you are running your own authentication server then you will be authorizing off Yubico's. For SSH, that shouldn't be too much of an issue (unless their auth server is down). It sounds like you wanted to do it for your main login, there could be issues with that (since your inet reliability comes into play there as to whether you can use your comp)

Someone can correct me if I'm wrong.

Statistics: Posted by betrunkenaffe — Mon Nov 09, 2009 8:48 am

Re: SSH authentication

2009-11-09T08:01:43+01:00

Please let us know if you want to use the Yubico PAM module for two factor authentication or single factor authentication. If you want to use it for two factor then, the top line in the /etc/pam.d/sshd should be:

Code:

auth required pam_yubico.so authfile=/etc/yubikeyauth id=16 debug

instead of

Code:

auth sufficient pam_yubico.so authfile=/etc/yubikeyauth id=16 debug

If you want to use it for single factor authentication then the configuration of the pam file is correct.

Also, irrespective of single factor or two factor authentication, edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from the “/etc/ssh/sshd_config” file.

We would appreciate if you can make the above mentioned changes and test again.

Statistics: Posted by network-marvels — Mon Nov 09, 2009 8:01 am

Re: SSH authentication

2009-11-09T05:52:06+01:00

I don't want to make another post since I am also having issues with setting up the Yubikey for the SSH server.

As per the directions, I compiled all the libraries and moved the pam_yubico.so to /lib/security (if I need to move others, please let me know, instructions didn't state any others needed to move).

I have set it up in /etc/pam.d/sshd at the top as follows:

auth sufficient pam_yubico.so authfile=/etc/yubikeyauth id=16 debug

I created the file /etc/yubikeyauth with the username:id pair I am testing with.

I am using OpenSuse 11.1 so it appears I need to change /etc/pam.d/common-auth to include try_first_pass however it uses pam_unix2.so not pam_unix.so (I did swap to pam_unix.so but didn't solve issue so changed back)

I do have ChallengeResponseAuthentication yes set as well. When I try to connect using SSH I get the following:

ssh 192.168.1.5 -p 32123 -l user
Yubikey for `user':
Read from remote host 192.168.1.5: Connection reset by peer
Connection to 192.168.1.5 closed.

In case this makes a difference, I'm using a 64 bit machine on the client side however the server side is 32 bit. I have not installed any PAM modules or libraries on the client machine either.

Any suggestions for resolving?

Thank you.

UPDATE: It appears that sshd is segfaulting. Looking into it, there is a known issue with servers running 64 bit doing this however I am running 32 bit on the server and 64 bit on the client, could that cause it? My search continues

sshd : segfault at 11 ip b72a770b sp bfe12928 error 4 in libc-2.9.so...

Statistics: Posted by betrunkenaffe — Mon Nov 09, 2009 5:52 am

Re: SSH authentication

2009-09-11T09:41:42+01:00

Hello

first of all, thanks for your help

I've setup my authfile but it seems not to work...

anyway... I have another doubt... what's the id record that appear in the line:

auth sufficient pam_yubico.so id=16 debug authfile=/etc/yubico

for ???

if I'm not wrong, it's related to the yubico autentication server... but... do my machine need
to be always on-line, then ? what's if my network is down and/or yubico server is not reachable ?

best regards

Paolo

Statistics: Posted by iw2lsi — Fri Sep 11, 2009 9:41 am

Re: SSH authentication

2009-09-11T08:07:03+01:00

Please visit the following link which provides step by step guide for configuring the Yubico PAM module for SSH:

http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM

The ID that needs to be stored in the authfile is the YubiKey ID i.e first 12 characters of the OTP generated from the YubiKey.
For example: The YubiKey ID of the YubiKey generating the following OTP will be "vvjgngudlbfe":

Code:

vvjgngudlbfehlnlbficbhkkdifnlkbbretelidlujbi

We hope this helps!

Statistics: Posted by network-marvels — Fri Sep 11, 2009 8:07 am

SSH authentication

2009-09-10T15:46:17+01:00

Hi all

I'm totally new to yubikeys and I'm trying to set my linux box to use them for login...
I've setup my /etc/pam.d/sshd and /etc/ssh/sshd_config for PAM auth
but I don't understand how to setup my authfile:

authfile format should be:

user:id:id

but... what's id ? how can I get it ?

thanks

Paolo

Statistics: Posted by iw2lsi — Thu Sep 10, 2009 3:46 pm