Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:35 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Mon Jul 20, 2015 5:40 pm 
Offline

Joined: Mon Jul 20, 2015 5:20 pm
Posts: 2
Using libpam-yubico from the PPA, I've been able to set up my Linux Mint 17 box to require Yubico OTP authentication when logging into the local console. That all works perfectly.

I can't get it to work in challenge-response mode, though. I've commented out the Yubico OTP line in /etc/pam.d/login and put the following in immediately after it:

Code:
auth required pam_yubico.so mode=challenge-response debug


I've configured slot 2 to HMAC-SHA1, both via the GUi and command line config tools - in the latter case by a copy and paste of the instructions on GitHub, to avoid any misconfiguration. I've used the ykpamcfg tool to generate an initial per-user challenge in ~/.yubico. I've also created a log file. As far as I can tell, the setup is as it should be.

When I switch to the console and try to log in, I receive a "login incorrect" message. I'm 100% certain that the username and password is correct, and checking the log file it all appears to be okay, ending with this:

Code:
[pam_yubico.c:do_challenge_response(541)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(621)] Challenge-response success!


The challenge file has also been updated with a new challenge, as expected.


Does anyone have any thoughts or ideas about this? Is there a way to get additional logging out, so that I can confirm that the PAM module is returning a success code? Any help would be greatly appreciated.


Edit: I forgot to mention, I'm NOT using an encrypted partition or filesystem of any sort.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Jul 20, 2015 10:56 pm 
Offline

Joined: Mon Jul 20, 2015 5:20 pm
Posts: 2
SOLVED.

tl;dr: Stupid user error.


Examining /var/log/auth.log gave me the clue I needed to find that the # in front of a comment in the PAM configuration file had got lost when copying and pasting. This resulted in PAM parsing the comment and treating the first word as an illegal module type. After reinstating the # it all works perfectly.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jul 21, 2015 12:03 pm 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Please read rules of the board:

viewtopic.php?f=25&t=937&p=3515#p3515


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group