Yubico Forum

Posted: Sat Feb 14, 2009 6:14 pm

Joined: Tue Jan 27, 2009 4:00 pm
Posts: 5
That did the trick!


Posted: Tue Feb 17, 2009 9:51 pm

Joined: Sat Jul 05, 2008 9:21 pm
Posts: 10
Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting a cascading auth issue when using multiple "required" pam modules.

session:
Code:
$ ssh root@x.x.x.x
gorkab@x.x.x.x's password:
Permission denied, please try again.
gorkab@x.x.x.x's password:

debug log:
Code:
[pam_yubikey.c:pam_sm_authenticate(104)] called.
[pam_yubikey.c:pam_sm_authenticate(105)] flags 1 argc 0
[pam_yubikey.c:pam_sm_authenticate(112)] verbose=0
[pam_yubikey.c:pam_sm_authenticate(122)] get user returned: gorkab
[pam_yubikey.c:get_response(206)] conv returned: <<REALUNIXPW>>
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: <<REALUNIXPW>>
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(268)] public_uid has no length, OTP is invalid
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 8


I thought it might go away as Lenny got older, but it didn't.


Posted: Fri Mar 13, 2009 1:16 pm

Joined: Fri Mar 13, 2009 10:48 am
Posts: 3
I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
ykvalidate --user kramer [optremoved]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

BTW I noticed that make install put the pam_yubikey.* in /lib/security instead of /lib64/security.


Posted: Fri Mar 13, 2009 2:40 pm

Joined: Fri Mar 13, 2009 10:48 am
Posts: 3
lintweaker wrote:
I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
ykvalidate --user kramer [optremoved]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

I've rebuilt the libraries with debugging enabled. The log files show:

Code:
[pam_yubikey.c:get_response(206)] conv returned: [snipped]
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(279)] couldn't access database: /etc/yubikey
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 9

So somehow /etc/yubikey cannot be read. As this is on a Fedora machine with selinux enabled, I had to change the /etc/yubikey context as well. I 'stole' the context from another file in /etc:

Code:
chcon -v --reference=/etc/wvdial.conf yubikey


I am not sure that's correct but I no longer get selinux messages. Unfortunately the problem persists, even after giving everybody read rights on the /etc/yubikey file. Clueless :(


Posted: Fri Mar 13, 2009 2:56 pm

Joined: Fri Mar 13, 2009 10:48 am
Posts: 3
OK, again replying to my own message.
By default, the file /etc/yubikey has the following permissions:
-rw-r--r-- root root
Checking the ykdbDatabaseOpen function in yubikey_db.c shows:

Code:
   /* open the db */
   handle->file_descriptor = open(path, O_RDWR);
   if (handle->file_descriptor == -1)
   {
      free(handle);

      YKDB_ERROR(YKDB_ERR_IO);
      return NULL;
   }

that the database will be opened with Read Write permissions (is that really necessary here?).
Changing the permissions on /etc/yubikey gets rid of the 'could not access database' error:

Code:
[ykvalidate.c:_yubi_run_helper_binary(275)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[ykvalidate.c:_yubi_run_helper_binary(388)] returning 0

I am not sure this is the right way forward.
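
The permission mismatch described in the post above, worked through as an added example (not part of the original thread and not YubiPAM code): with mode -rw-r--r-- root root, a non-root caller passes the read check but fails open(path, O_RDWR), while root passes both. The name dac_allows and the default path argument are assumptions for illustration; only classic mode bits are modelled, not SELinux, ACLs or supplementary groups.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Classic Unix mode-bit check (DAC only; SELinux, ACLs and supplementary
 * groups are NOT modelled). Returns 1 if a process with effective uid/gid
 * could open a file with these mode bits and owner using open_flags,
 * otherwise 0. dac_allows is a hypothetical helper, not a YubiPAM function. */
int dac_allows(mode_t mode, uid_t f_uid, gid_t f_gid,
               uid_t uid, gid_t gid, int open_flags)
{
    int acc = open_flags & O_ACCMODE;
    int want_r = (acc == O_RDONLY || acc == O_RDWR);
    int want_w = (acc == O_WRONLY || acc == O_RDWR);
    mode_t r, w;

    if (uid == 0)
        return 1;                     /* root bypasses read/write mode bits */
    /* Exactly one permission class applies: owner, then group, then other. */
    if (uid == f_uid)      { r = S_IRUSR; w = S_IWUSR; }
    else if (gid == f_gid) { r = S_IRGRP; w = S_IWGRP; }
    else                   { r = S_IROTH; w = S_IWOTH; }

    return (!want_r || (mode & r)) && (!want_w || (mode & w));
}

int main(int argc, char **argv)
{
    /* Path defaults to the database location named in the thread. */
    const char *path = argc > 1 ? argv[1] : "/etc/yubikey";
    struct stat st;
    uid_t u = geteuid();
    gid_t g = getegid();

    if (stat(path, &st) != 0) { perror(path); return 1; }
    printf("%s mode %04o owner %u:%u, caller %u:%u\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, (unsigned)u, (unsigned)g);
    printf("O_RDONLY: %s\n", dac_allows(st.st_mode, st.st_uid, st.st_gid,
                                        u, g, O_RDONLY) ? "allowed" : "denied");
    printf("O_RDWR:   %s\n", dac_allows(st.st_mode, st.st_uid, st.st_gid,
                                        u, g, O_RDWR) ? "allowed" : "denied");
    return 0;
}
```

A "denied" result for O_RDWR alongside "allowed" for O_RDONLY matches the failure in the debug log above; if both report "allowed" and the open still fails, the denial comes from a layer this check does not model, such as SELinux.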


Posted: Wed Apr 01, 2009 4:36 am

Joined: Tue Nov 25, 2008 12:10 am
Posts: 12
gorkab,

Sorry for the delayed response, but yes, yubipam works just fine for me under Lenny. Granted, I had built it (and packaged it) under Etch, so that might be the difference...?

gorkab wrote:
Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting a cascading auth issue when using multiple "required" pam modules.


Posted: Wed Jul 08, 2009 5:21 pm

Joined: Wed Jul 08, 2009 5:18 pm
Posts: 1
Hi,

I really like the offline pam module. After some problems I got it working. :)

The only thing I want to ask is: is there a way, via pam or this module directly, to create a two-way authorisation?
I simply want to enter a password and then press the yubikey.

Thanks

phil


Posted: Thu Feb 04, 2010 12:56 am

Joined: Mon Jul 20, 2009 10:07 pm
Posts: 3
I got yubipam 1.0.4 working with selinux in F12 but had to follow some different steps to the ones I found here:

http://blog.rootshell.be/2009/03/27/yub ... -on-linux/

To give /etc/yubikey write permission from the login process I had to rebuild with:

./configure --with-authdb=/var/lib/gdm/yubikey

Then I made sure yubikey had:

# ls -Z /var/lib/gdm/yubikey
-rw-rw-r--. root yubiauth system_u:object_r:xdm_var_lib_t:s0 /var/lib/gdm/yubikey

Otherwise, I could not login because the yk_chkpwd could not write to /etc/yubikey (this is with SELINUX=enforcing).

One unexpected hitch, I am able to log in with the yubikey, but as soon as I'm in I'm prompted for my password to unlock the gnome keyring :( Apart from that, it's neat.


Posted: Mon Feb 07, 2011 1:44 pm

Joined: Mon Feb 07, 2011 1:41 pm
Posts: 1
Hello! First post here!

Has anybody by chance downloaded the most recent stable version of this offline PAM module as a tar file?

It seems that http://www.securixlive.com/ is down, and I would love to try out this module.


Posted: Sat Feb 12, 2011 10:25 pm

Joined: Sat Feb 12, 2011 10:11 pm
Posts: 1
I downloaded a copy of YubiPAM 1.1 beta 1 from the securixlive.com site on Jan. 26.

