Yubico Forum https://forum.yubico.com/ |
|
SSH authentication https://forum.yubico.com/viewtopic.php?f=5&t=403 |
Page 2 of 2 |
Author: | rossnick [ Wed Oct 20, 2010 6:11 pm ] |
Post subject: | Re: SSH authentication |
I just found a post from romain, also related to PAM, which I first discarded because of Kerberos. But I downloaded those rpms instead and modified the config a bit to use the default API servers instead of my own, and now all works well. |
Author: | kai [ Thu Mar 03, 2011 3:27 am ] |
Post subject: | Re: SSH authentication |
rossnick wrote:
> If I change the sufficient for required, I see :
>
>     # ssh rossnick@localhost
>     Yubikey for `rossnick':
>     Password:
>     Read from remote host localhost: Connection reset by peer
>     Connection to localhost closed.
>
> Logs show me that the yubikey auth worked, and see this :
>
>     sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
>     sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
>
> in my secure log. I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM at yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.

I have _exactly_ this problem on Ubuntu 10.10. I've compiled the yubico lib and pam lib from the latest git source. I set up as per the instructions but if I set "auth required" in my pam.d/sshd file and log in, I get the yubikey prompt... followed by my password prompt.. but the second I type in my password I get disconnected and the following error shows up in my /var/log/auth.log:

    Mar 3 10:15:47 ************ sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

If I change it to "auth sufficient" in the pam.d/sshd file then it works fine I can log in no problems with just the yubikey and no password prompt.

I don't _mind_ using the yubikey as my only auth.. but I would _much_ rather have the two factor of my PW + the yubikey. Any suggestions as to why this is dying with the required option? |
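The difference between "auth required" and "auth sufficient" described in the posts above, as a simplified model added here (not code from the thread or from the Yubico PAM module). The two stacks are constructed samples, pam_unix.so is an assumed stand-in for the password module, and the pam_setcred() failure itself is not modelled.

```python
# Added illustration: simplified walk of a PAM "auth" stack (classic flags only).
# Both stacks are constructed samples; pam_unix.so stands in for the password
# module. Bracketed controls and @include lines are not modelled.
FLAGS = {"required", "requisite", "sufficient", "optional"}

REQUIRED_STACK = """
auth required   pam_yubico.so
auth required   pam_unix.so
"""
SUFFICIENT_STACK = """
auth sufficient pam_yubico.so
auth required   pam_unix.so
"""

def parse_auth_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[1] in FLAGS:
            stack.append((fields[1], fields[2]))
    return stack

def evaluate(stack, results):
    """results maps module -> True/False. Returns (authenticated, consulted)."""
    consulted, failed, passed = [], False, False
    for control, module in stack:
        consulted.append(module)
        ok = results[module]
        if control == "sufficient":
            if ok and not failed:
                return True, consulted      # stack stops; later modules never run
            continue                        # a failed "sufficient" is ignored
        if control == "optional":
            continue                        # simplified: never decides the result
        if ok:
            passed = True
        else:
            failed = True
            if control == "requisite":
                return False, consulted     # fail at once
    return (passed and not failed), consulted

def factors_needed(stack_text):
    """Which combinations of (yubikey_ok, password_ok) let the user in."""
    stack = parse_auth_stack(stack_text)
    combos = [(y, p) for y in (True, False) for p in (True, False)]
    return [(y, p) for y, p in combos
            if evaluate(stack, {"pam_yubico.so": y, "pam_unix.so": p})[0]]
```

In this model the "sufficient" stack accepts either the YubiKey or the password alone, so only the "required" stack enforces both factors.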
All times are UTC + 1 hour |