Yubico Forum
https://forum.yubico.com/

pam_yubico stalls, no api response
https://forum.yubico.com/viewtopic.php?f=3&t=1742

Author:  davand01 [ Thu Feb 12, 2015 10:06 pm ]
Post subject:  pam_yubico stalls, no api response

Hi,

I'm trying to get OpenVPN to work with PAM on pfSense. So far, no luck. In order to debug it, I tried using it in the /etc/pam.d/su file, with the following result:

Code:
debug: pam_yubico.c:764 (parse_cfg): called.
debug: pam_yubico.c:765 (parse_cfg): flags 0 argc 3
debug: pam_yubico.c:767 (parse_cfg): argv[0]=id=16
debug: pam_yubico.c:767 (parse_cfg): argv[1]=authfile=/etc/yubikeyid
debug: pam_yubico.c:767 (parse_cfg): argv[2]=debug
debug: pam_yubico.c:768 (parse_cfg): id=16
debug: pam_yubico.c:769 (parse_cfg): key=(null)
debug: pam_yubico.c:770 (parse_cfg): debug=1
debug: pam_yubico.c:771 (parse_cfg): alwaysok=0
debug: pam_yubico.c:772 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:773 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:774 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:775 (parse_cfg): authfile=/etc/yubikeyid
debug: pam_yubico.c:776 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:777 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:778 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:779 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:780 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:781 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:782 (parse_cfg): url=(null)
debug: pam_yubico.c:783 (parse_cfg): urllist=(null)
debug: pam_yubico.c:784 (parse_cfg): capath=(null)
debug: pam_yubico.c:785 (parse_cfg): token_id_length=12
debug: pam_yubico.c:786 (parse_cfg): mode=client
debug: pam_yubico.c:787 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:829 (pam_sm_authenticate): get user returned: XXXX
YubiKey for `davand01':
debug: pam_yubico.c:972 (pam_sm_authenticate): conv returned 44 bytes
debug: pam_yubico.c:990 (pam_sm_authenticate): Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:997 (pam_sm_authenticate): OTP: XXXXXXXXXXX ID: XXXXXXXX


But after this point, nothing happens. I also tried using tcpdump -i host api.yubico.com, but that yields no result whatsoever. What could be wrong? I used the pam_yubico that's available as a package for FreeBSD.

Any ideas?

Author:  davand01 [ Tue Feb 17, 2015 8:32 am ]
Post subject:  Re: pam_yubico stalls, no api response

Debug output shows the following:
Quote:
debug: pam_yubico.c:972 (pam_sm_authenticate): conv returned 45 bytes
debug: pam_yubico.c:990 (pam_sm_authenticate): Skipping first 1 bytes. Length is 45, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:997 (pam_sm_authenticate): OTP: sdfölkjasdflökjasdflökjasdflökjasdfölkj ID: sdfölkjasdf
debug: pam_yubico.c:1012 (pam_sm_authenticate): Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK


And upon looking at the file pam_yubico.c [https://github.com/Yubico/yubico-pam-dpkg/blob/master/pam_yubico.c], the pam apparently stalls somewhere within these lines of code:
Code:
      retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
      free (onlypasswd);
      if (retval != PAM_SUCCESS)
        {
          DBG (("set_item returned error: %s", pam_strerror (pamh, retval)));
          goto done;
        }
    }
  else
    password = NULL;

  rc = ykclient_request (ykc, otp);


My suspicion is that it is the ykclient_request (ykc, otp) that won't work... But all libs are installed and linked into /usr/lib... Any ideas?

BR
//David
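
The byte counts in the debug lines above ("conv returned 45 bytes", "Skipping first 1 bytes") can be reproduced locally, before any request leaves the machine. This is an added example, not code from the thread or from pam_yubico; split_response, the sample strings and the modhex check are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_OTP_LEN 32            /* "token OTP always 32" in the log */
#define MODHEX "cbdefghijklnrtuv"   /* the 16 characters a YubiKey OTP uses */

struct split {
  size_t skip;        /* leading bytes taken as a system password */
  const char *otp;    /* last id_len + 32 bytes of the response */
  int modhex_ok;      /* 1 if every OTP byte is a modhex character */
};

/* Hypothetical helper, not a pam_yubico function. Splits by bytes, as the
   debug lines report it. Returns -1 if the response cannot hold an OTP. */
int split_response(const char *resp, size_t id_len, struct split *out)
{
  size_t len = strlen(resp), otp_len = id_len + TOKEN_OTP_LEN;

  if (len < otp_len)
    return -1;
  out->skip = len - otp_len;
  out->otp = resp + out->skip;
  out->modhex_ok = strspn(out->otp, MODHEX) == otp_len;
  return 0;
}

/* Constructed inputs. SAMPLE_OK: 2-byte password + 44 modhex characters.
   SAMPLE_MASH: one made-up leading byte + the string from the second log,
   with each o-umlaut written as its two UTF-8 bytes. */
static const char SAMPLE_OK[] =
  "pw" "cccccccccccc" "cbdefghijklnrtuv" "cbdefghijklnrtuv";
static const char SAMPLE_MASH[] =
  "xsdf\xc3\xb6lkjasdfl\xc3\xb6kjasdfl\xc3\xb6kjasdfl\xc3\xb6kjasdf\xc3\xb6lkj";

int main(void)
{
  const char *in[] = { SAMPLE_OK, SAMPLE_MASH, "tooshort" };
  struct split s;

  for (size_t i = 0; i < 3; i++) {
    if (split_response(in[i], 12, &s) != 0)
      printf("%zu: too short for a 12+32 byte OTP\n", i);
    else
      printf("%zu: skip=%zu modhex=%s\n", i, s.skip,
             s.modhex_ok ? "yes" : "no");
  }
  return 0;
}
```

Assuming UTF-8 input, the second constructed string is 40 characters but 45 bytes, which matches the lengths in the second debug log; it contains characters outside the modhex alphabet.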

All times are UTC + 1 hour