Yubico Forum ...visit our web-store at 2017-10-31T14:01:13+01:00 https://forum.yubico.com/feed.php?f=3&t=2750 2017-10-31T14:01:13+01:00 2017-10-31T14:01:13+01:00 https://forum.yubico.com/viewtopic.php?t=2750&p=9928#p9928 <![CDATA[Re: PAM issue with YubiCloud on CentOS 7]]> Statistics: Posted by fedorz — Tue Oct 31, 2017 2:01 pm

]]> 2017-10-14T13:33:40+01:00 2017-10-14T13:33:40+01:00 https://forum.yubico.com/viewtopic.php?t=2750&p=9866#p9866 <![CDATA[Re: PAM issue with YubiCloud on CentOS 7]]> Statistics: Posted by fedorz — Sat Oct 14, 2017 1:33 pm

]]> 2017-10-14T07:35:04+01:00 2017-10-14T07:35:04+01:00 https://forum.yubico.com/viewtopic.php?t=2750&p=9864#p9864 <![CDATA[Re: PAM issue with YubiCloud on CentOS 7]]>
Just to confirm you visited (https://upgrade.yubico.com/getapikey/) to receive a id and api key to replace in the following line?
auth required pam_yubico.so id="Replace with ID" key="replace with API Key" authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug


Best Regards,
Matthew
Yubico Support

Statistics: Posted by mattlegitt — Sat Oct 14, 2017 7:35 am

]]> 2017-10-11T17:14:29+01:00 2017-10-11T17:14:29+01:00 https://forum.yubico.com/viewtopic.php?t=2750&p=9852#p9852 <![CDATA[PAM issue with YubiCloud on CentOS 7]]>
I am testing the OTP SSH PAM authentication against the public YubiCloud on CentOS 7 by running a VirtualBox CentOS 7 image.
Once the tests are successful, the plan is to roll this out to our actual servers.

The issue I face that the PAM module fails authenticating, the debug log shows:
Code:
Oct 11 11:42:34 centos_test sshd[1324]: Server listening on 0.0.0.0 port 22.
Oct 11 11:42:34 centos_test systemd: Started OpenSSH server daemon.
Oct 11 11:42:34 centos_test polkitd[619]: Unregistered Authentication Agent for unix-process:1307:25035 (system bus name :1.21, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 11 11:42:47 centos_test sshd[1326]: error: PAM: [color=#0000FF]Authentication service cannot retrieve authentication info for my_user from 127.0.0.1[/color]
Oct 11 11:42:48 centos_test sshd[1326]: Connection closed by 127.0.0.1 port 42490 [preauth]


I don't understand why is it trying 127.0.0.1?

My settings are the following:

/etc/pam.d/sshd:
Code:
  auth required pam_yubico.so id=myid key=mykey authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug


/etc/ssh/sshd_config:
Code:
  PasswordAuthentication no
  ChallengeResponseAuthentication yes


I can manually access the YubiCloud:
Code:
wget -q -O - 'https://api.yubico.com/wsapi/2.0/verify?id=myid&nonce=asdmalksdmlkasmdlkasakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujbikngjrtgh'
h=svSvQsBDOgm9FFyTXjqNXHJiU=
t=2017-10-11T16:11:37Z0347
status=BAD_OTP


Network settings:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:c6:0f:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85120sec preferred_lft 85120sec



What looks odd to me in the debug logs, that is seemingly trying to verify the authentication against 127.0.0.1.

Any idea what might be wrong?

Thanks

Statistics: Posted by fedorz — Wed Oct 11, 2017 5:14 pm

]]>