Yubico Forum


All times are UTC + 1 hour

Posted: Tue Mar 16, 2010 9:59 pm

Joined: Mon Mar 15, 2010 11:34 pm
Posts: 11

I have just spent almost 3 hours trying to get the pam_yubico.so PAM module to work, but I had no luck.

Basically, I enter my OTP and the log file looks like everything went ok, but I don't get logged in.

I have tried both single and two-form factor form authentication, but I don't really think this is a problem.

I guess it's something to do with the yk_chkpwd binary or the pam module itself.

My configuration:

System: Ubuntu 9.10 x64
Yubikey: Yubikey 2.0 (yes I know it does not matter, but just for the sake of completeness :P)

The correct user account name and 12 char id is located in the ~/.yubico/authorized_yubikeys file (I have also tried the authfile method, but I don't really think this is the problem).

The correct secret key is placed in the pam config file.

Here is the output from the logfile:

[pam_yubico.c:check_user_token(117)] Authorization line: kami:xxx
[pam_yubico.c:check_user_token(121)] Matched user: kami
[pam_yubico.c:check_user_token(125)] Authorization token: xxxx
[pam_yubico.c:check_user_token(128)] Match user/token as kami/xxxx
[pam_yubico.c:pam_sm_authenticate(594)] done. [Success]
[pam_yubico.c:parse_cfg(381)] called.
[pam_yubico.c:parse_cfg(382)] flags 8 argc 4
[pam_yubico.c:parse_cfg(384)] argv[0]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(384)] argv[1]=id=3914
[pam_yubico.c:parse_cfg(384)] argv[2]=key=XXX
[pam_yubico.c:parse_cfg(384)] argv[3]=debug
[pam_yubico.c:parse_cfg(385)] id=3914
[pam_yubico.c:parse_cfg(386)] key=XXX
[pam_yubico.c:parse_cfg(387)] debug=1
[pam_yubico.c:parse_cfg(388)] alwaysok=0
[pam_yubico.c:parse_cfg(389)] try_first_pass=0
[pam_yubico.c:parse_cfg(390)] use_first_pass=0
[pam_yubico.c:parse_cfg(391)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(392)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(393)] ldapdn=(null)
[pam_yubico.c:parse_cfg(394)] user_attr=(null)
[pam_yubico.c:parse_cfg(395)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(615)] retval: 0
[pam_yubico.c:pam_sm_setcred(635)] done. [Success]

As you can see, everything looks fine.

EDIT: I have just checked the log file and it's like I have predicted - it's segfault-ing:

Mar 16 20:50:25 kami-laptop kernel: [22998.637336] gnome-screensav[24361]: segfault at 150 ip 00007f422d22fbe1 sp 00007f421f8f7e50 error 6 in libpam.so.0.82.1[7f422d22d000+c000]

Any help would be more than appreciated.


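To rule out the mapping file as the cause, here is an added example (not from the original posts or the pam_yubico source). It parses `user:id` lines of the kind kept in ~/.yubico/authorized_yubikeys and checks whether an OTP's public-ID prefix is listed for the user, which is the comparison the check_user_token log lines above report. The function names and sample values are constructed; the 12-character ID length follows the first post.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubico's 16-character modhex alphabet
OTP_LEN = 32                  # encrypted part of an OTP, in modhex characters
ID_LEN = 12                   # public ID length mentioned in the post above


def is_modhex(s):
    return bool(s) and all(c in MODHEX for c in s)


def parse_authfile(text):
    """Return ({user: [ids]}, [problems]) for 'user:id[:id...]' lines."""
    mapping, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, *ids = line.split(":")
        if not user or not ids:
            problems.append(f"line {n}: expected user:id")
            continue
        for tid in ids:
            if len(tid) != ID_LEN or not is_modhex(tid):
                problems.append(f"line {n}: bad token id {tid!r}")
            else:
                mapping.setdefault(user, []).append(tid)
    return mapping, problems


def public_id(otp):
    """Split off the public ID that precedes the 32-character encrypted part."""
    otp = otp.strip().lower()
    if len(otp) <= OTP_LEN or not is_modhex(otp):
        raise ValueError("not a modhex OTP with a public ID prefix")
    return otp[:-OTP_LEN]


def token_matches(mapping, user, otp):
    """True when the OTP's public ID is listed for this user."""
    return public_id(otp) in mapping.get(user, [])


# Constructed sample data: not a real key ID or OTP.
SAMPLE_AUTHFILE = "kami:ccccccdefghi\nguest:cccccc\n"
SAMPLE_OTP = "ccccccdefghi" + "bcdefghijklnrtuv" * 2

if __name__ == "__main__":
    mapping, problems = parse_authfile(SAMPLE_AUTHFILE)
    print(mapping, problems, token_matches(mapping, "kami", SAMPLE_OTP))
```

If this check passes and the module log still ends in `[Success]`, the mapping is not the fault and the segfault in the calling process is the thing to chase.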

Posted: Wed Mar 17, 2010 9:46 am
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
We would appreciate it if you could provide us with the following information:

    1) Operating system: Are you using Ubuntu Server 9.10 or Ubuntu Desktop 9.10?
    2) Which application are you configuring for YubiKey based two factor authentication?
    3) Corresponding PAM file (located in /etc/pam.d/ directory) for your application

Posted: Wed Mar 17, 2010 12:07 pm

Joined: Mon Mar 15, 2010 11:34 pm
Posts: 11
Sure, even though I'm still pretty sure the problem is not related to the configuration (as you can see from the log file) :)

1. I'm using Ubuntu desktop 9.10 x64 (Linux kami-laptop 2.6.31-20-generic #57-Ubuntu SMP Mon Feb 8 09:02:26 UTC 2010 x86_64 GNU/Linux)

2. It doesn't matter, I have tried configuring it for the gnome-screensaver, sshd, login or even for all of them (common-auth).

3. Here is the content of, for example, the gnome-screensaver PAM config file (but like I have previously said, I have tried all the combinations which make sense...):

@include common-auth
auth sufficient pam_yubico.so authfile=/etc/yubikeyid id=xxxx key=zzz debug
auth optional pam_gnome_keyring.so

It also does not matter if I change the order (put the pam_yubico.so line above the include) or disable the include of the common-auth file.

I'll probably have more time during the weekend and I will be able to try some other PAM modules and maybe try to write my own PAM module in Python using python-pam (yes, I know that that is not very efficient) and I will see if this one works (as I have a feeling that the problem is related to the yubico PAM module).


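A review aid for pam_yubico stack lines like the one quoted in the post above, as an added example (not from the thread or the Yubico project). It parses each `auth` line and flags the `sufficient` control, the `debug` and `alwaysok` options, and an inline `key=`. The finding codes and function names are constructed; the `debug` finding rests on the parse_cfg log in the first post, which prints `key=`.

```python
import re

PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

MESSAGES = {
    "sufficient": "success ends the stack and failure is ignored: the OTP is never mandatory",
    "debug": "debug logging records the parsed arguments, key= included",
    "alwaysok": "alwaysok lets every authentication attempt succeed",
    "inline-key": "API key stored in the PAM file: check who can read it",
}


def parse_pam_line(line):
    """Return (type, control, module, args) or None for blanks/comments/includes."""
    line = line.strip()
    if not line or line.startswith(("#", "@")):
        return None
    m = PAM_LINE.match(line)
    if not m:
        return None
    ptype, control, module, rest = m.groups()
    # 'name=value' becomes {name: value}; a bare flag becomes {flag: ""}
    args = dict(tok.partition("=")[::2] for tok in rest.split())
    return ptype, control, module, args


def lint_yubico(pam_text):
    """Return [(line_no, finding_code)] for every pam_yubico.so auth line."""
    findings = []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if not parsed or parsed[0].lstrip("-") != "auth" or "pam_yubico" not in parsed[2]:
            continue
        _, control, _, args = parsed
        hits = [("sufficient", control == "sufficient"), ("debug", "debug" in args),
                ("alwaysok", "alwaysok" in args), ("inline-key", bool(args.get("key")))]
        findings += [(n, code) for code, hit in hits if hit]
    return findings


# The gnome-screensaver stack quoted in the post above, placeholders unchanged.
SAMPLE = """\
@include common-auth
auth sufficient pam_yubico.so authfile=/etc/yubikeyid id=xxxx key=zzz debug
auth optional pam_gnome_keyring.so
"""

if __name__ == "__main__":
    for n, code in lint_yubico(SAMPLE):
        print(f"line {n}: {MESSAGES[code]}")
```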
Posted: Wed Mar 17, 2010 11:18 pm

Joined: Mon Mar 15, 2010 11:34 pm
Posts: 11
Since I couldn't get the C module to work, I wrote my own PAM module in Python using pam-python (http://ace-host.stuart.id.au/russell/files/pam_python/).

I know that using Python for a PAM module is not really the best and most efficient way, but it should serve me (and probably some other users who have problems with the original C extension) well.

The code for the extension is located on: http://github.com/Kami/yubico-pam-module

Keep in mind that this is a first release which is not yet fully feature-complete and it could break (basic functionality should work fine though).

I do plan to finish it up so it will be totally compatible with the original C extension and create a new branch with some extra features which I (and maybe someone else will) find useful (offline authentication is one of them for sure).

P.S. If you think this should go in a new thread, feel free to merge my post into a new thread :)

Posted: Sat Apr 17, 2010 4:19 pm

Joined: Tue Nov 25, 2008 7:24 am
Posts: 2
This is the 5 minute solution I used:

