Yubico Forum


All times are UTC + 1 hour




Posted: Wed Oct 11, 2017 5:14 pm
Hi,

I am testing the OTP SSH PAM authentication against the public YubiCloud on CentOS 7 by running a VirtualBox CentOS 7 image.
Once the tests are successful, the plan is to roll this out to our actual servers.

The issue I face is that the PAM module fails to authenticate; the debug log shows:
Code:
Oct 11 11:42:34 centos_test sshd[1324]: Server listening on 0.0.0.0 port 22.
Oct 11 11:42:34 centos_test systemd: Started OpenSSH server daemon.
Oct 11 11:42:34 centos_test polkitd[619]: Unregistered Authentication Agent for unix-process:1307:25035 (system bus name :1.21, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 11 11:42:47 centos_test sshd[1326]: error: PAM: Authentication service cannot retrieve authentication info for my_user from 127.0.0.1
Oct 11 11:42:48 centos_test sshd[1326]: Connection closed by 127.0.0.1 port 42490 [preauth]


I don't understand why it is trying 127.0.0.1.

My settings are the following:

/etc/pam.d/sshd:
Code:
  auth required pam_yubico.so id=myid key=mykey authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug


/etc/ssh/sshd_config:
Code:
  PasswordAuthentication no
  ChallengeResponseAuthentication yes


I can manually access the YubiCloud:
Code:
wget -q -O - 'https://api.yubico.com/wsapi/2.0/verify?id=myid&nonce=asdmalksdmlkasmdlkasakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujbikngjrtgh'
h=svSvQsBDOgm9FFyTXjqNXHJiU=
t=2017-10-11T16:11:37Z0347
status=BAD_OTP


Network settings:
Code:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:c6:0f:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85120sec preferred_lft 85120sec



What looks odd to me in the debug logs is that it is seemingly trying to verify the authentication against 127.0.0.1.

Any idea what might be wrong?

Thanks
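
Added example, not part of the original post and not pam_yubico's own code: a sketch of what a client checks in a response from the `/wsapi/2.0/verify` endpoint queried above, namely the `h` HMAC-SHA1 signature, the `status`, and the echoed `otp` and `nonce`. The API key, OTP, nonce and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sign(fields, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', base64-encoded."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse 'key=value' lines; split on the first '=' only (base64 values end in '=')."""
    fields = {}
    for line in body.splitlines():
        if line.strip():
            k, _, v = line.strip().partition("=")
            fields[k] = v
    return fields

def check_response(body, api_key_b64, sent_otp, sent_nonce):
    """Return (accepted, reason). Signature first, then status, then the echoed values."""
    fields = parse_response(body)
    received = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(received.encode(), expected.encode()):
        return False, "bad signature"
    if fields.get("status") != "OK":
        return False, "status=" + fields.get("status", "missing")
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False, "otp/nonce mismatch"
    return True, "OK"

def build_response(fields, api_key_b64):
    """Constructed server side for the demo: sign the fields and render the body."""
    lines = [f"h={sign(fields, api_key_b64)}"] + [f"{k}={v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n"

# Constructed sample values, not real credentials or tokens.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"
NONCE = "0123456789abcdef0123456789abcdef"
T = "2017-10-11T16:11:37Z0347"

GOOD = build_response({"t": T, "otp": OTP, "nonce": NONCE, "status": "OK"}, API_KEY)
BAD_OTP = build_response({"t": T, "status": "BAD_OTP"}, API_KEY)
WRONG_NONCE = build_response({"t": T, "otp": OTP, "nonce": "f" * 32, "status": "OK"}, API_KEY)

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("bad_otp", BAD_OTP), ("wrong_nonce", WRONG_NONCE)):
        print(name, check_response(body, API_KEY, OTP, NONCE))
```

A correctly signed `BAD_OTP` reply, like the one the wget test returned, confirms the API is reachable and the response is authentic but is still a rejection; only `status=OK` with a matching `otp` and `nonce` counts as a successful verification.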



Posted: Sat Oct 14, 2017 7:35 am
Yubico Moderator
Hello fedorz,

Just to confirm: you visited https://upgrade.yubico.com/getapikey/ to receive an ID and API key to replace in the following line?
auth required pam_yubico.so id="Replace with ID" key="replace with API Key" authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug


Best Regards,
Matthew
Yubico Support


Posted: Sat Oct 14, 2017 1:33 pm
Yes, that is correct, that is where I got the id and key I am using.

