Yubico Forum

Server Side Software • [Community] - Forum going read only. New KDB on its way.

2018-01-30T09:26:55+01:00

For the security and experience of our user community, we have decided to set the forum as read-only and wipe all user account information. All historical posts and announcements will be archived and remain publicly searchable.

In 2018, we will be publishing a searchable knowledge-base system that allows the community to provide direct feedback on articles and make suggestions that will be reviewed by Yubico staff. We sincerely appreciate the participation of our user forum over the years and hope to continue serving your for years to come.

Statistics: Posted by Tom2 — Tue Jan 30, 2018 9:26 am

Server Side Software • Re: [SOLVED] ErrorCode 1 trying to perform device registrati

2017-12-07T09:34:51+01:00

Thanks to the support of the Yubico team I could solve this problem:

Debugging the class BouncyCastleCrypto I could find out the source of the problem. The following exception was thrown at the line "ecdsaSignature.initVerify(publicKey);":

java.security.InvalidKeyException: No installed provider supports this key: org.bouncycastle.jce.provider.JCEECPublicKey

The source of it was a conflict in the version of BouncyCastle used inside the application (we had a dependent library which depended on an older version of BC). Fixing the dependencies solved the problem.

Thanks a lot for your precious help and best regards.
Patrick

Statistics: Posted by patrickherber — Thu Dec 07, 2017 9:34 am

Server Side Software • Re: [QUESTION] ErrorCode 1 trying to perform device registra

2017-12-05T16:50:15+01:00

Hello,
the problem I had yesterday was probably related to my Ubuntu PC.
I've tried now using a MacOS and it works fine.
However when I try to register in my application (where for the moment I've simply used the sample code provided in your example) I get a "Bad signature" error message during the finishRegistration method:

Code:

com.yubico.u2f.exceptions.U2fBadInputException: Bad signature
   at com.yubico.u2f.crypto.BouncyCastleCrypto.checkSignature(BouncyCastleCrypto.java:45)
   at com.yubico.u2f.crypto.BouncyCastleCrypto.checkSignature(BouncyCastleCrypto.java:31)
   at com.yubico.u2f.data.messages.key.RawRegisterResponse.checkSignature(RawRegisterResponse.java:97)
   at com.yubico.u2f.U2fPrimitives.finishRegistration(U2fPrimitives.java:89)
   at com.yubico.u2f.U2F.finishRegistration(U2F.java:81)
   at com.yubico.u2f.U2F.finishRegistration(U2F.java:67)
   at U2FManager.finishRegistration(U2FManager.java:82)

The RegisterResponse and RegisterRequestData seem correct...

What could be the cause of this problem?

Thanks and best regards

Statistics: Posted by patrickherber — Tue Dec 05, 2017 4:50 pm

Server Side Software • [QUESTION] ErrorCode 1 trying to perform device registration

2017-12-04T14:27:41+01:00

Hello
I'm trying to integrate U2F authentication in our web application using the sample code you provide.
Both on our application than with your u2flib-server-demo application when I try to perform a registration I get following error message:

Code:

{"errorCode":1,"errorMessage":"device status code: -200"}

What could be its reason?

I'm performing the tests on Ubuntu 14.04 using Chrome version 63.0.3239.59 and a Yubikey NEO

Thanks a lot for your support and best regards

Patrick

Statistics: Posted by patrickherber — Mon Dec 04, 2017 2:27 pm

Server Side Software • ykval-queue:synclib:Timeout.

2017-06-27T21:32:12+01:00

I been trying to setup ssl syncing between validation servers and so far have had no luck.

I've created certificates for both servers using openssl.
I then added the certificate to the /etc/ssl/certs/ca-certificates.crt for both servers. This fixed the issue of me calling curl and getting a cert error. I thought everything would be working now, since I could manually call a sync and get a good status, but logged onto the mysql dabase and saw my queue was full. I then checked /var/log/syslog and saw the following error:
Jun 27 15:22:38 testval1 ykval[3982]: LOG_DEBUG:ykval-queue:synclib:handle indicated to be for https://testval2/wsapi/2.0/sync.
Jun 27 15:22:38 testval2 ykval[3982]: LOG_NOTICE:ykval-queue:synclib:Timeout. Stopping queue resync for server https://testval2/wsapi/2.0/sync

If i call curl directly using:
curl 'https://testval2/wsapi/2.0/sync?otp=&modified=&yk_publicname=yk_counter=5&yk_use=5&yk_high=229&yk_low=52183&nonce=,local_counter=5&local_use=4'

The status comes back as OK.

Any help would be appreciated.

Update:
My current work around until I can get a better fix is to set verifypeer to false in the curl options:

Code:

$baseParams['__YKVAL_SYNC_CURL_OPTS__'] = array(
        CURLOPT_SSL_VERIFYPEER => false
);

What I found was it appears I'm getting a CURLE_SSL_CACERT error from ykval-queue. I created a simple test.php to debug this with the following:

Code:

$urls = array(
   "https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1",
   "http://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzd&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1"
);

$mh = curl_multi_init();

var_dump('start');
foreach ($urls as $i => $url) {
    $conn[$i] = curl_init($url);
    curl_setopt($conn[$i], CURLOPT_RETURNTRANSFER, 1);
//    curl_setopt($conn[$i], CURLOPT_CAPATH, "/etc/ssl/certs/");
//    curl_setopt($conn[$i], CURLOPT_CAINFO, "/etc/ssl/certs/ca-certificates.crt");
    curl_setopt($conn[$i], CURLOPT_CAINFO, "/test/blah.pem");
//    curl_setopt($conn[$i], CURLOPT_SSL_VERIFYPEER, 0);
    curl_multi_add_handle($mh, $conn[$i]);
}

var_dump('doloop');
do {
    $status = curl_multi_exec($mh, $active);
    $info = curl_multi_info_read($mh);
    if (false !== $info) {
        var_dump($info);
    }
} while ($status === CURLM_CALL_MULTI_PERFORM || $active);

var_dump('another loop');
foreach ($urls as $i => $url) {
    $res[$i] = curl_multi_getcontent($conn[$i]);
    curl_close($conn[$i]);
}

var_dump('enddump');
var_dump(curl_multi_info_read($mh));

?>

Which gives me the following:

Code:

string(5) "start"
string(6) "doloop"
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(60) <--- HERE IS THE CURLE_SSL_CACERT ERROR
  ["handle"]=>
  resource(5) of type (curl)
}
array(3) {
  ["msg"]=>
  int(1)
  ["result"]=>
  int(0)
  ["handle"]=>
  resource(6) of type (curl)
}
string(12) "another loop"
string(7) "enddump"
bool(false)

So my manual example is as follows, i moved my certificate out of the /etc/ssl/certs/ca-certificates.crt file to just a /test/blah.pem file, and get the following:

Code:

curl 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1'
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

And pointing to the cert:

Code:

 curl --cacert blah.pem 'https://testval2/wsapi/2.0/verify?id=1&nonce=sopxxrlklguqquyvbkwwqthyvofukjzc&otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr×tamp=1'
h=RoeWTtwokPc0wbIQ17rOqHrGux8=
t=2017-06-29T15:15:08Z0971
otp=llkddjeccccckgvidcnbhhjvbvuicbdjnhblitfhvlfr
nonce=sopxxrlklguqquyvbkwwqthyvofukjzc
status=REPLAYED_OTP

For some reason calling curl from command line with the certificate in /etc/ssl/certs/ca-certificates.crt file has no issue. It will automatically pickup the cert, but the ykval-queue and test.php for some reason is having issues with the cert. I tried setting some curl_opts to specify the cert, but had no luck with those.

Again any help would be appreciated, as I don't think setting the verifypeer option to false is a great work around.

Statistics: Posted by nitmpez715 — Tue Jun 27, 2017 9:32 pm

Server Side Software • Re: Yubico PAM Module issues

2017-05-12T10:40:36+01:00

Hey guys

How can I make the yubikey pam module logging my used otp?
I don't get the pam yubikey debug information at all. Only the usual sshd debug information.

Thank you in advance.

Cheers,
Chris

Statistics: Posted by cdrescher — Fri May 12, 2017 10:40 am

Server Side Software • [Q] Variable response from OTP challenge w fixed config

2017-03-23T17:28:59+01:00

I'm working on a Qt5 with Win32 project on Win7 using VS2010. I need to implement a simple OTP configuration on our YubiKeys such that they all have a fixed secret key that identifies the YubiKey as a known key. I have gotten to the point where after importing the YubiClientAPI.dll library, I am able to detect if a key is inserted, get the key's serial#, perform an OTP challenge/response, and get current buffer. The results seem to complement the results I get when I run the "Sample YubiClientAPI MFC test container" application compiled from the Samples folder.

I have a couple things that I need to figure out about using the API in order to complete my project. But the most important question I have is that, since my secret 16 byte key is constant on the YubiKey, and I keep getting back different byte strings every time I do a challenge, what do I do on the client end to get a constant expected string back that I can use for recognition. I am assuming that there is something I'm doing wrong. In the code below, you will see that I am randomizing the challenge string (see comment starting with "NOTE:"). I have also commented the randomization out so that the challenge string is all zeroes. Doesn't make a difference in the variability of the response string.

I am also not sure how the "Private Identity 6 byte Hex" field is used in the authentication process? Read the documentation, and I see when I run the "YubiKey Personalization Tool" that I can set that, but don't know how that affects the resulting response I get, and what it has to do with my client-side authentication process.

If anyone can just give me an indication of what I should be looking at to figure this out, I would be very grateful.

Code:

#include 
#include 

// NOTE: import done in header file
//#import  no_namespace, named_guids

#define RESPONSE_LENGTH 16
#define CHALLENGE_LENGTH 6
#define CONFIG1 0
#define CONFIG2 1

TestingYubikeyAPI::TestingYubikeyAPI(QWidget *parent)
    : QMainWindow(parent)
{
    ui.setupUi(this);

   HRESULT hr = CoCreateInstance(CLSID_YubiClient, 0, CLSCTX_ALL, IID_IYubiClient, reinterpret_cast(&m_yubiClient));

   if (FAILED(hr))
    {
      _com_error er(hr);
        setValid(false);
   }
    else
        setValid(true);
    
    QObject::connect(ui.m_getOtpConf1PushButton, &QPushButton::clicked, this, &TestingYubikeyAPI::onGetOtpConfig1Clicked);
}

void TestingYubikeyAPI::onGetOtpConfig1Clicked()
{
    BYTE challenge[CHALLENGE_LENGTH];
    BYTE response[RESPONSE_LENGTH];
    memset(challenge, 0, sizeof(challenge));
    memset(response, 0, sizeof(response));
    
    // NOTE: randomizing challenge
    BCryptGenRandom(NULL, challenge, CHALLENGE_LENGTH, BCRYPT_USE_SYSTEM_PREFERRED_RNG);

    variant_t va;
    std::ostringstream os;
    std::stringstream os2;
    os << std::hex << std::setfill('0');
    for (DWORD i = 0; i < CHALLENGE_LENGTH; i++)
    {
        os << std::setw(2) << (int)challenge[i];
    }
    _bstr_t bstr(os.str().c_str());

    TCHAR buf[1024];
    va.bstrVal = bstr;
    va.vt = VT_BSTR;
    m_yubiClient->PutdataEncoding(ycENCODING_BYTE_ARRAY);
    m_yubiClient->PutdataBuffer(va);
    ycRETCODE ret = m_yubiClient->GetotpChallenge(CONFIG1, ycCALL_BLOCKING);
   
    if (ret == ycRETCODE_OK)
    {
        getCurrentBuffer(challenge, 64);
    }
    else
    {
        ui.m_outputTextEdit->append(QString("Got No Data: retcode = %1").arg(translateRetCode(ret)));
    }
}

void TestingYubikeyAPI::getCurrentBuffer(BYTE* pChallenge, int len)
{
    BYTE HUGEP *pb;
    long lbound, hbound;
    QString outstr;
    
    SafeArrayGetLBound(m_yubiClient->dataBuffer.parray, 1, &lbound);
    SafeArrayGetUBound(m_yubiClient->dataBuffer.parray, 1, &hbound);
    SafeArrayAccessData(m_yubiClient->dataBuffer.parray, (void **)&pb);

    for (; lbound <= hbound; lbound++)
    {
        outstr = QString("%1%2 ").arg(outstr).arg((uint)pb[lbound], 2, 16, QLatin1Char('0'));
    }
    
    SafeArrayUnaccessData(m_yubiClient->dataBuffer.parray);
    ui.m_outputTextEdit->append(QString("Got Data: %1").arg(outstr));
}

Statistics: Posted by bmahf — Thu Mar 23, 2017 5:28 pm

Server Side Software • Re: Problems generating keys for YK-KSM

2017-03-19T06:43:43+01:00

Solved...

Create ~/.gnupg/gpg-agent.conf and add this one line:

Code:

max-cache-ttl 0

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:43 am

Server Side Software • Re: Problems generating keys for YK-KSM

2017-03-19T06:16:33+01:00

Okay, so that was quick. I have half of my solution.

Basically the gpg2 does not allow forcing entry of the passphrase all the time so you have to cache it somehow. I did this by creating a dummy file called test.txt and creating a signature for it via the command:

Code:

gpg --clearsign test.txt

That caused the passphrase prompt:

Code:

   lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
   x Please enter the passphrase to unlock the secret key for the OpenPGP  x
   x certificate:                                                          x
   x "YK-KSM Import Key"                                                   x
   x 2048-bit RSA key, ID XXXXXXXX,                                        x
   x created 2017-03-19.                                                   x
   x                                                                       x
   x                                                                       x
   x Passphrase __________________________________________________________ x
   x                                                                       x
   x                                                           x
   mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

However this did not fix the importer issue where it did not prompt for the passphrase a second time. Any help on this? I can't seem to get around this issue.

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:16 am

Server Side Software • [SOLVED] Problems generating keys for YK-KSM

2017-03-19T06:44:16+01:00

So I have a gpg key generated per the tutorial here: https://developers.yubico.com/yubikey-ksm/Generate_KSM_Key.html

However gpg does not request my passphrase when I try to generate KSM keys via:

Code:

ykksm-gen-keys --urandom 1 5 | gpg -a --encrypt -r XXXXXXXX -s > keys.txt

The output ends as follows:

Code:

gpg: cancelled by user
gpg: no default secret key: Operation cancelled
gpg: [stdin]: sign+encrypt failed: Operation cancelled

I found a possible workaround by using the following:

Code:

gpg -r XXXXXXXX--output keys.txt.gpg --encrypt keys.txt

But then the importer gives me a similar error, expecting a passphrase to unlock the secret key and it never prompting for one:

Code:

[GNUPG:] ENC_TO XXXXXXXXXXXXXXXX 1 0
[GNUPG:] USERID_HINT XXXXXXXXXXXXXXXX YK-KSM Import Key
[GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXXXX YYYYYYYYYYYYYYYYYYY 1 0
gpg: cancelled by user
[GNUPG:] MISSING_PASSPHRASE
gpg: encrypted with 2048-bit RSA key, ID ZZZZZZZZZ, created 2017-03-19
      "YK-KSM Import Key"
gpg: public key decryption failed: Operation cancelled
[GNUPG:] ERROR pkdecrypt_failed 99
[GNUPG:] BEGIN_DECRYPTION
[GNUPG:] DECRYPTION_FAILED
gpg: decryption failed: No secret key
[GNUPG:] END_DECRYPTION
encrypted to: XXXXXXXXXXXXXXXX 
signed by:
Input not signed? at /usr/bin/ykksm-import line 122.

I realize this may be a specific issue with gpg2 configuration in CentOS 7, but thought someone else may have run into this issue too. Any help is greatly appreciated.

Statistics: Posted by drcheese — Sun Mar 19, 2017 6:03 am

Server Side Software • [Q?] OpenVPN\yubico\LDAP stack smash det: openvpn terminated

2017-01-24T18:51:26+01:00

Hello Guys
I have installed OpenVPN with your pam_yubico Module as suggested at https://developers.yubico.com/yubico-pam/ on a fresh installed Ubuntu Server 16.04 LTS and now the OpenVPN crashes every time a user wants to connect since i have added the account line in the PAM Configuration-file for OpenVPN.
before the setup works fine with my own account which is present at the local machine, now i wanted a test with a new testing user and discovered that the account required line is needed. So i added it and now it's crashing the openVPN... any suggestions why this happens?

My Config-Files are
/etc/openvpn/server.conf

Code:

[...]
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

/etc/pam.d/openvpn

Code:

auth required pam_yubico.so id= \
        yubi_attr= \
        capath=/etc/ssl/certs \
        ldap_uri=ldap://ad.intern.dc.de/ \
        ldapdn=ou=worker,dc=intern,dc=dc,dc=de \
        ldap_bind_user=user@intern.dc.de ldap_bind_password= \
        ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=group,OU=worker,DC=intern,DC=dc,DC=de)) \
        try_first_pass
account required pam_yubico.so

And the corresponding logfile-lines are

Code:

[../pam_yubico.c:authorize_user_token_ldap(286)] try bind with: user@intern.dc.de:[]
[../pam_yubico.c:authorize_user_token_ldap(319)] LDAP : look up object base='ou=worker,dc=intern,dc=dc,dc=de' filter='(&(sAMAccountName=vpnuser)(memberOf=CN=group,OU=worker,DC=intern,DC=dc,DC=de))', ask for attribute ''
[../pam_yubico.c:authorize_user_token_ldap(355)] LDAP : Found 1 values - checking if any of them match '::'
[../pam_yubico.c:authorize_user_token_ldap(362)] Token Found :: 
[../pam_yubico.c:pam_sm_authenticate(1095)] done. [Success]
[../pam_yubico.c:pam_sm_acct_mgmt(1128)] pam_sm_acct_mgmt returing PAM_SUCCESS
*** stack smashing detected ***: /usr/sbin/openvpn terminated

Statistics: Posted by NorbertR — Tue Jan 24, 2017 6:51 pm

Server Side Software • IMAP auth through PAM problem

2016-12-15T23:12:38+01:00

I've successfully deployed yubikey authentication for SSH (and sudo tested so far) on Debian jessie. The PAM config line is as follows:

Code:

auth    required        pam_yubico.so mode=client try_first_pass id=REDACTED debug debug_file=/var/log/yk.log key=REDACTED

I tried to login to the IMAP the same way as to SSH (password + yubikey OTP) as it uses the same auth config but it fails:

Code:

Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(830)] get user returned: REDACTED
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(851)] get password returned: (null)
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(997)] OTP: REDACTED ID: REDACTED
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (109): Error performing curl
Dec 15 22:57:12 vps172042 dovecot: auth-worker: Error: [../pam_yubico.c:pam_sm_authenticate(1091)] done. [Authentication service cannot retrieve authentication info]

I can't see why the same PAM sometimes works (SSH, sudo) and sometimes fails with curl error. Any ideas?

Statistics: Posted by plum — Thu Dec 15, 2016 11:12 pm

Server Side Software • Re: YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

2016-11-04T13:03:53+01:00

Scratching the test client and starting from zero again fixed it nicely. Probably some residual state somewhere from hours of experimenting.

Statistics: Posted by oyla — Fri Nov 04, 2016 1:03 pm

Server Side Software • Re: YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

2016-11-03T17:32:04+01:00

Digging further, I only now notice (I blame a full brain) that only ykclient runs show up in the ykval server access logs - the PAM module does not even contact the validation server at all. Tcpdump comparing ykclient vs. PAM module runs further confirm this.

I am at this point somewhat less than favourably impressed at the logging facilities of the PAM module.

Statistics: Posted by oyla — Thu Nov 03, 2016 5:32 pm

Server Side Software • YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

2016-11-03T16:10:35+01:00

I run Ubuntu 14.04. I've installed the KSM and VAL services and managed to get them to work with ykclient from the client.

I've also tested LDAP by using the YubiCloud service for one of my keys, in which the PAM module looked up the Yubikey ID for each user using the standard Yubikey LDAP schema from https://github.com/mludvig/yubikey-ldap. This authentication methid worked.

ykclient is perfectly capable of validating keys and KSM and VAL are working as intended.

However I can not make yubico_pam.so authenticate using the same parameters as I use for ykclient when I combine VAL verification and LDAP lookups. I am convinced the fault here is not in the LDAP end of things, but rather in (another) undocumented feature of the KSM/VAL chain.

I use this line in /etc/pam.d/sshd:

Code:

auth required pam_yubico.so id=1 key= = urllist=http:// ldap_uri=ldap:// ldapdn= user_attr=cn yubi_attr=yubiKeyId token_id_length=12 ldapcacertfile=/ mode=client debug

The debug log outputs this for an attempted authentication:

Code:

[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 11
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=1
[../pam_yubico.c:parse_cfg(764)] argv[1]=key=
[../pam_yubico.c:parse_cfg(764)] argv[2]=urllist=
[../pam_yubico.c:parse_cfg(764)] argv[3]=ldap_uri=
[../pam_yubico.c:parse_cfg(764)] argv[4]=ldapdn=
[../pam_yubico.c:parse_cfg(764)] argv[5]=user_attr=cn
[../pam_yubico.c:parse_cfg(764)] argv[6]=yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(764)] argv[7]=token_id_length=12
[../pam_yubico.c:parse_cfg(764)] argv[8]=ldapcacertfile=
[../pam_yubico.c:parse_cfg(764)] argv[9]=mode=client
[../pam_yubico.c:parse_cfg(764)] argv[10]=debug
[../pam_yubico.c:parse_cfg(765)] id=1
[../pam_yubico.c:parse_cfg(766)] key=
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=(null)
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=ldap://
[../pam_yubico.c:parse_cfg(775)] ldapdn=
[../pam_yubico.c:parse_cfg(776)] user_attr=cn
[../pam_yubico.c:parse_cfg(777)] yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: oyla
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 56 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 12 bytes. Length is 56, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP:  ID: 
[../pam_yubico.c:pam_sm_authenticate(969)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
^C

I find it rather odd that ykclient works while the PAM module does not. The values are all the same. I tried the Ubuntu-supplied PAM module from APT as well as building my own from Git, with no luck. Any idea where to start? I didn't even know there was a server key to begin with, but then again, this wouldn't be my first time being surprised at something missing from the Yubico docs.

Thanks for any input.

Statistics: Posted by oyla — Thu Nov 03, 2016 4:10 pm