Yubico Forum

Re: Using the latest pam_yubico module

2008-09-12T15:36:16+01:00

See below. By breaking off the password, I mean that the token and password are being separated correctly.

Can you post your working config? Thanks.

[pam_yubico.c:pam_sm_authenticate(217)] called.
[pam_yubico.c:pam_sm_authenticate(218)] flags 1 argc 2
[pam_yubico.c:pam_sm_authenticate(220)] argv[0]=id=269
[pam_yubico.c:pam_sm_authenticate(220)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(221)] id=269
[pam_yubico.c:pam_sm_authenticate(222)] debug=1
[pam_yubico.c:pam_sm_authenticate(223)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(224)] authfile=(null)
[pam_yubico.c:pam_sm_authenticate(235)] get user returned: modus
[pam_yubico.c:pam_sm_authenticate(245)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(275)] conv returned: [password]bcbtkuvenfnhugcggjhctrcclhuvcfiebcfjvdljjggj
[pam_yubico.c:pam_sm_authenticate(321)] Token is : bcbtkuvenfnhugcggjhctrcclhuvcfiebcfjvdljjggj and password is [password]
[pam_yubico.c:pam_sm_authenticate(322)] Token ID is: bcbtkuvenfnh
[pam_yubico.c:check_user_token(112)] Got user record :: modus:bcbtkuvenfnh
[pam_yubico.c:check_user_token(119)] Token Found :: bcbtkuvenfnh
[pam_yubico.c:pam_sm_authenticate(356)] libyubikey-client return value (0): Success
[pam_yubico.c:pam_sm_authenticate(377)] done. [Success]

Statistics: Posted by pmk — Fri Sep 12, 2008 3:36 pm

Re: Using the latest pam_yubico module

2008-09-11T23:40:56+01:00

pmk wrote:

Simon:

I've been unable to make the multifactor in pam_yubico_1.7 work correctly. With the auth section of my /etc/pam.d/sshd setup like this:

auth required /usr/local/lib/security/pam_yubico.so id=269 debug
auth required pam_stack.so service=system-auth

Authentication requests always fail. pam-debug.log shows that the password is being properly broken off from the token and that the token auth is working fine. But the login never succeeds.

What was your guys' two-factor test setup?

Hi, pmk, can you share the pam-debug.log and explain what do you mean by password broken off? Someone here in Yubico will be helping on this issue asap.

Thanks

Statistics: Posted by paul — Thu Sep 11, 2008 11:40 pm

Re: Using the latest pam_yubico module

2008-09-02T14:50:15+01:00

Statistics: Posted by pmk — Tue Sep 02, 2008 2:50 pm

Re: Using the latest pam_yubico module

2008-09-02T10:52:49+01:00

The latest official pam_yubico release 1.7 should have similar functionality in it, and documentation how to set this up are available from:

http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM

It doesn't use recursive PAM queries, but retain the password-part of the entered information for later PAM modules to verify.

If anyone has tested this and Dion's work and can compare it, that would be helpful. We are trying to make our pam module support all features. The code we have merged came from a different author than Dion, but they have now stopped improving with it, so if Dion wants to resume with our current code it will be easier for us to merge the code.

/Simon

Statistics: Posted by Simon — Tue Sep 02, 2008 10:52 am

Re: Using the latest pam_yubico module

2008-09-01T15:23:44+01:00

pmk wrote:

Code:

auth sufficient pam_stack.so service=system-auth

Please note that pam_stack.so has been obsoleted by the include directive.

Cheers,
Klaus

Statistics: Posted by kseistrup — Mon Sep 01, 2008 3:23 pm

Using the latest pam_yubico module

2008-09-01T04:16:55+01:00

All:

Dion has published his latest version of the pam_yubico module. This version supports mapping yubikey IDs to users and eliminates some static buffers that the Yubico folks weren't happy with.

So you can finally authenticate users safely for SSH and other services via PAM (including PAM-capable RADIUS servers), without worrying that anyone with a yubikey could access your system. This is great news and means that we'll be able to start replacing our Cryptocards with Yubikeys in the near future.

Right now, the module doesn't come with great docs, so I figured I'd document how I got it working on my servers. Here's the drill:

Compile and install the latest Yubikey C client from http://code.google.com/p/yubico-c-client/downloads/list (I used 1.2)
Check out the latest pam_yubico code (svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-read-only). I used r38.
Configure, compile and install pam_yubico.so. I used ./configure --with-libyubikey-client-prefix=/usr/local, but you may need to point it somewhere else, if your yubikey libraries are elsewhere.
Get a Yubico API ID at https://api.yubico.com/get-api-key/.
Modify the pam configuration for your sshd to add pam_yubico.so. On CentOS/RHEL, you can do this globally by editing /etc/pam.d/system-auth or you can edit the specific service you want to test with. For my test, I only modified /etc/pam.d/sshd. You need to add a line that reads
Code:
auth sufficient /usr/local/lib/security/pam_yubico.so id=xxx debug
and change the xxx to your API ID. If you want to continue to allow password-based authentication (highly recommended for testing), change other auth lines that do authentication (on CentOS/RHEL, the call to system-auth) to sufficient as well. Here's what my sshd looked like after I got done editing it:
Code:
auth sufficient /usr/local/lib/security/pam_yubico.so id=269 debug
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
If you don't plan to use two-factor authentication (a user-entered PIN/password, in addition to the yubikey output), add yubikeyonly=1 to the pam_yubico.so line.
If you _do_ plan to use two-factor authentication, create a pam service called yubikey-multifactor with a single auth line, that calls the appropriate authentication service for the PIN/password. On my system, this looks like this:
Code:
auth required pam_stack.so service=system-auth
Create a file in $HOME/.yubikey/ called authorized_keys that contains your Yubikey IDs, separated by newlines. A newline is _required_ even if you only have a single Yubikey
Create a file called /tmp/pam-debug.log and chmod it to 666, so you can see debug output emitted by the yubico module. This is recommended for testing, but this file should be deleted once testing is complete, as it will contain sensitive information.
Try to login! If you are using two-factor authentication, you should enter your normal UNIX password, then hit the button on your yubikey. If you are only using one-factor authentication, just pressing the yubikey will be enough.
If you make it in, congrats! You're ready to go. If not, check /tmp/pam-debug.log and see what happened.
Don't forget to delete /tmp/pam-debug.log!

There are other tricks you can do (define a global list of valid IDs in /etc/yubico-pam.conf, use an options file to control two-factor auth on a user-by-user basis (not sure this is the best idea, if not globally override-able)) so check out the source for more details.

I hope this helps someone. And thanks to Dion for the great work!

Statistics: Posted by pmk — Mon Sep 01, 2008 4:16 am