Yubico Forum
https://forum.yubico.com/

PAM error
https://forum.yubico.com/viewtopic.php?f=5&t=453
Page 1 of 1

Author:  Koneko [ Fri Jan 08, 2010 6:22 pm ]
Post subject:  PAM error

I have configured the PAM module via this guide:

viewtopic.php?f=5&t=174

and I am receiving the following error in the debug output:

pam_yubico.c:pam_sm_authenticate(537)] ykclient return value (3): Request signature was invalid (BAD_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(579)] done. [Authentication service cannot retrieve authentication info]

Does anyone know a fix for this?

Thanks,
Koneko

Author:  network-marvels [ Mon Jan 11, 2010 2:19 pm ]
Post subject:  Re: PAM error

We would appreciate if you can provide us the following information:

    1) Details of Operating System (OS name, Kernel Version etc.) where you are configuring the Yubico PAM module
    2) Version of the Yubico PAM module you are trying to configure
    3) The Application details (Version number etc) for which you are configuring the Yubico PAM module
    4) The PAM configuration file of the application (situated in /etc/pam.d directory)
    5) Did you install your own OTP validation server and using it for validating the YubiKey OTP or are you using the online Yubico OTP validation server?

This information will help us debugging the issue you are facing.

Author:  Koneko [ Mon Jan 11, 2010 5:38 pm ]
Post subject:  Re: PAM error

1. Centos / 2.6.18-164.10.1.el5.centos.plus
2. PAM version 2.2
3. Sudo version 1.6.9p17
4.

#%PAM-1.0
auth sufficient /lib/security/pam_yubico.so id=(my id) authfile=/etc/yubikey debug
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

5. I did not install a validation server.

Thanks =)

Author:  network-marvels [ Tue Jan 12, 2010 3:20 pm ]
Post subject:  Re: PAM error

Thank you for providing the valuable information!

We are looking into this and we will update you soon.

Author:  network-marvels [ Wed Jan 13, 2010 11:33 am ]
Post subject:  Re: PAM error

The latest Yubico PAM module has made the use of the API Key mandatory. For more information about the API Key, please visit the following link:

http://www.yubico.com/developers/api/

As you did not mention the API Key parameter with the Yubico PAM module in the PAM configuration file, you were receiving the BAD_SIGNATURE error.

We would appreciate if you can follow the steps listed below and try again:

    1) Create your own Client ID and API Key pair using the following link:

    https://api.yubico.com/get-api-key/

    Enter your email address and YubiKey OTP and click on "Generate API Key". This will generate a new client ID and API Key for you.

    2) In the PAM configuration file, mention the ID and the API Key with the Yubico PAM module as follows:

    auth sufficient pam_yubico.so id=<Your Client id> key=<Your API Key> authfile=/etc/yubikey debug

    For example:

    auth sufficient pam_yubico.so id=3476 key=WHvkp47s6INISPMIIzKNkYDip39I= authfile=/etc/yubikey debug


We hope this helps!

Feel free to write back in case you face any problems or have further queries.

Author:  Koneko [ Wed Jan 13, 2010 4:18 pm ]
Post subject:  Re: PAM error

Great, that took care of the bad signature problem. Now I am reciving this message:

[pam_yubico.c:pam_sm_authenticate(537)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: YKDB
[pam_yubico.c:pam_sm_authenticate(564)] Yubikey not authorized to login as user
[pam_yubico.c:pam_sm_authenticate(579)] done. [Authentication service cannot retrieve authentication info]

Author:  network-marvels [ Thu Jan 14, 2010 9:59 am ]
Post subject:  Re: PAM error

From the error message, it seems that the user name and YubiKey ID mapping is wrong in the mapping file.

We would appreciate if you can make a correct user name and YubiKey ID mapping in the mapping file as follows and try again:

<user name>:<YubiKey ID (First 12 characters of the YubiKey OTP)>

We hope this helps!

Author:  Koneko [ Thu Jan 14, 2010 4:59 pm ]
Post subject:  Re: PAM error

That worked =D

I also had to

chmod g+rw /etc/yubikey

chmod g+s /sbin/yk_chkpwd


Thanks,
Koneko

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/