Yubico Forum
https://forum.yubico.com/

SSH authentication
https://forum.yubico.com/viewtopic.php?f=5&t=403
Page 2 of 2

Author:  rossnick [ Wed Oct 20, 2010 6:11 pm ]
Post subject:  Re: SSH authentication

I just found a post from romain, also related to PAM, which I first discarded because of Kerberos.

But I downloaded those rpms instead and modified the config a bit to use the default API servers instead of my own, and now all works well.

Author:  kai [ Thu Mar 03, 2011 3:27 am ]
Post subject:  Re: SSH authentication

rossnick wrote:
If I change the sufficient for required, I see :

# ssh rossnick@localhost
Yubikey for `rossnick':
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

Logs show me that the yubikey auth worked, and see this :

sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

in my secure log.

I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM at yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.



I have _exactly_ this problem on Ubuntu 10.10. I've compiled the yubico lib and pam lib from the latest git source.

I set up as per the instructions, but if I set "auth required" in my pam.d/sshd file and log in, I get the yubikey prompt... followed by my password prompt... but the second I type in my password I get disconnected and the following error shows up in my /var/log/auth.log:

Mar 3 10:15:47 ************ sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

If I change it to "auth sufficient" in the pam.d/sshd file then it works fine; I can log in with no problems with just the yubikey and no password prompt. I don't _mind_ using the yubikey as my only auth... but I would _much_ rather have the two factor of my PW + the yubikey.

Any suggestions as to why this is dying with the required option?
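
An added example, not part of any post in this thread: a small Python check that pairs each sshd "Accepted ..." line with a later "fatal: PAM: ..." line from the same PID, so the log itself shows which PAM call failed after authentication had already been accepted. The sample log is constructed from the two line formats quoted above; the host name, PIDs, user names and addresses in it are made up, and the function name is hypothetical.

```python
import re

# Constructed sample modelled on the sshd lines quoted in the thread.
# Host name, PIDs, users and addresses are invented for the example.
SAMPLE_LOG = """\
Mar  3 10:15:40 host1 sshd[7537]: Accepted keyboard-interactive/pam for kai from 192.0.2.10 port 50122 ssh2
Mar  3 10:15:47 host1 sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
Mar  3 10:16:02 host1 sshd[7600]: Accepted keyboard-interactive/pam for alice from 192.0.2.11 port 50200 ssh2
Mar  3 10:16:30 host1 sshd[7611]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
"""

# Works with or without a syslog timestamp/host prefix in front of "sshd[pid]:".
SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
PAM_FATAL = re.compile(r"fatal: PAM: (?P<func>pam_\w+)\(\): (?P<error>.+)")


def post_auth_pam_failures(log_text):
    """Return sessions where sshd accepted a user and the same PID then died in a PAM call."""
    accepted = {}   # pid -> details of the "Accepted" line
    findings = []
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        ok = ACCEPTED.match(msg)
        if ok:
            accepted[pid] = ok.groupdict()
            continue
        bad = PAM_FATAL.match(msg)
        # Only report a fatal PAM error if this PID had already passed authentication.
        if bad and pid in accepted:
            findings.append({"pid": pid, **accepted.pop(pid), **bad.groupdict()})
    return findings


if __name__ == "__main__":
    for f in post_auth_pam_failures(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['user']} from {f['src']} accepted via "
              f"{f['method']}, then {f['func']}() failed: {f['error']}")
```

PID 7600 (accepted, no error) and PID 7611 (error with no preceding "Accepted" line in the sample) are deliberately not reported.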

All times are UTC + 1 hour