PAM issue with YubiCloud on CentOS 7
Author:  fedorz [ Wed Oct 11, 2017 5:14 pm ]
PAM issue with YubiCloud on CentOS 7


I am testing the OTP SSH PAM authentication against the public YubiCloud on CentOS 7 by running a VirtualBox CentOS 7 image.
Once the tests are successful, the plan is to roll this out to our actual servers.

The issue I face is that the PAM module fails to authenticate; the debug log shows:
Oct 11 11:42:34 centos_test sshd[1324]: Server listening on port 22.
Oct 11 11:42:34 centos_test systemd: Started OpenSSH server daemon.
Oct 11 11:42:34 centos_test polkitd[619]: Unregistered Authentication Agent for unix-process:1307:25035 (system bus name :1.21, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 11 11:42:47 centos_test sshd[1326]: error: PAM: Authentication service cannot retrieve authentication info for my_user from
Oct 11 11:42:48 centos_test sshd[1326]: Connection closed by port 42490 [preauth]

I don't understand why is it trying

My settings are the following:

  auth required pam_yubico.so id=myid key=mykey authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug

  PasswordAuthentication no
  ChallengeResponseAuthentication yes

I can manually access the YubiCloud:
wget -q -O - 'https://api.yubico.com/wsapi/2.0/verify?id=myid&nonce=asdmalksdmlkasmdlkasakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujbikngjrtgh'

Network settings:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:c6:0f:7d brd ff:ff:ff:ff:ff:ff
    inet brd scope global dynamic enp0s3
       valid_lft 85120sec preferred_lft 85120sec

What looks odd to me in the debug logs, that is seemingly trying to verify the authentication against

Any idea what might be wrong?


Author:  mattlegitt [ Sat Oct 14, 2017 7:35 am ]
Re: PAM issue with YubiCloud on CentOS 7

Hello fedorz,

Just to confirm, you visited (https://upgrade.yubico.com/getapikey/) to receive an ID and API key to replace in the following line?
auth required pam_yubico.so id="Replace with ID" key="replace with API Key" authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug

Best Regards,
Yubico Support

Author:  fedorz [ Sat Oct 14, 2017 1:33 pm ]
Re: PAM issue with YubiCloud on CentOS 7

Yes, that is correct, that is where I got the id and key I am using.

Author:  fedorz [ Tue Oct 31, 2017 2:01 pm ]
Re: PAM issue with YubiCloud on CentOS 7

No response?

