Hi,
We are configuring yubikey multi-factor authentication for SSH on Ubuntu Server. Our server version is
Quote:
Linux ubuntu-14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
We are using OpenSSH
Quote:
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6, OpenSSL 1.0.1f 6 Jan 2014
My issue is that when I try to log in, I am able to log into my Ubuntu box using the YubiKey. I am not able to see any useful logs.
1./etc/ssh/sshd_conf
Code:
## This configuration file is generated using ansible. Please do not make any changes manually
## If you need to make any changes , please contact "Atlassian.Tools.Team@verizon.com"
Port 22
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
ChallengeResponseAuthentication yes
Match User appuser1,appuser2
AuthenticationMethods publickey
Match User supportuser1,supportuser2
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
2. /etc/pam.d/sshd
Code:
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
#@include common-auth
auth sufficient pam_yubico.so id=65324 key=owZVX2FHJKD43432qYnkk00= debug authfile=/etc/yubikey_mappings mode=client
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Set the loginuid process attribute.
session required pam_loginuid.so
# Create a new session keyring.
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
# Standard Un*x password updating.
@include common-password
3.
Code:
supportuser1:xxxxxxx
supportuser1:xxxxxxx
supportuser1:xxxxxxx
supportuser1:XXXXXXXX
The output when I try to log in to the server is
Code:
#ssh -vvv -i server_ssh supportuser1@192.168.1.10
Ubuntu 14.04.4 LTS
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: cardno:0007913443
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: server_ssh
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 151
debug2: input_userauth_pk_ok: fp SHA256:SyXJ6CI+QNIId+ewelZUznt/HAuqGyDqUp5QHQ438vM
debug3: sign_and_send_pubkey: RSA SHA256:SyXJ6CI+QNIId+ewelZUznt/HAuqGyDqUp5QHQ438vM
Authenticated with partial success.
debug2: key: cardno:000605483812 (0x7fcf086007e0),
debug2: key: server_ssh (0x0), explicit
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
YubiKey for `supportuser1':
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
And the debug auth logs say
Mar 29 13:07:55 ubuntu-14 sshd[3123]: error: PAM: Permission denied for supportuser1 from 10.10.3.6
Mar 29 13:07:55 ubuntu-14 sshd[3123]: Postponed keyboard-interactive for supportuser1 from 10.10.3.6 port 60260 ssh2 [preauth]
Could you please help me to resolve this issue?
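The two things worth checking first in a setup like this are the shape of the pam_yubico authfile and whether the public ID of the OTP being typed is actually mapped to the user. The following script is an added example for that check; it is not part of the original post and not pam_yubico's own code. It assumes the documented authfile format `user:id1:id2:...` (one line per user, each ID being the 12-character modhex public ID of a YubiKey, and a YubiKey OTP being 32 to 48 modhex characters whose last 32 characters are the encrypted part). The authfile contents and the OTP below are constructed sample data, not the poster's real file or token.

```python
"""Sanity-check a pam_yubico authfile and match an OTP's public ID to it.

Added example, not from the original forum post. Assumes the documented
pam_yubico authfile format 'user:id1:id2:...' with one line per user.
"""
import re

# modhex alphabet used by YubiKey OTPs
MODHEX_ID = re.compile(r"^[cbdefghijklnrtuv]{12}$")
MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")

# Constructed sample authfile (NOT the poster's real /etc/yubikey_mappings).
SAMPLE_AUTHFILE = """\
# constructed sample: one line per user, ids separated by ':'
supportuser1:ccccccbcgujh
supportuser1:ccccccdfgtvk
supportuser2:ccccccbcgujh:vvvvvvvvvvvv
appuser1:notmodhex123
"""

# Constructed sample OTP: public ID 'ccccccbcgujh' + 32 modhex chars.
SAMPLE_OTP = "ccccccbcgujh" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"


def parse_authfile(text):
    """Return (mapping, problems).

    mapping: user -> set of public IDs found on that user's line(s).
    problems: human-readable findings about lines that do not follow the
    documented format (duplicate user lines, malformed IDs, no IDs).
    """
    mapping = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], fields[1:]
        if not user:
            problems.append(f"line {lineno}: empty user name")
            continue
        if user in mapping:
            problems.append(
                f"line {lineno}: user {user!r} appears more than once; "
                "the documented format is one line per user with IDs "
                "separated by ':'"
            )
        if not ids:
            problems.append(f"line {lineno}: user {user!r} has no token IDs")
        for tid in ids:
            if not MODHEX_ID.match(tid):
                problems.append(
                    f"line {lineno}: {tid!r} is not a 12-character modhex public ID"
                )
        mapping.setdefault(user, set()).update(ids)
    return mapping, problems


def otp_public_id(otp):
    """Strip the 32-character encrypted tail; what remains is the public ID."""
    otp = otp.strip()
    if not MODHEX_OTP.match(otp):
        raise ValueError("not a YubiKey OTP (expected 32-48 modhex characters)")
    return otp[:-32]


def user_has_token(mapping, user, otp):
    """True if the OTP's public ID is one of the IDs mapped to `user`."""
    return otp_public_id(otp) in mapping.get(user, set())


if __name__ == "__main__":
    mapping, problems = parse_authfile(SAMPLE_AUTHFILE)
    for p in problems:
        print("WARN:", p)
    for user in ("supportuser1", "appuser1"):
        print(user, "mapped to this OTP:", user_has_token(mapping, user, SAMPLE_OTP))
```

Run it against the real file with `parse_authfile(open("/etc/yubikey_mappings").read())` and the OTP the YubiKey emits at the `YubiKey for 'user':` prompt; a public ID that is not in the user's set, or a warning about a repeated user line, explains a `PAM: Permission denied` even when the OTP itself is valid. The `debug` option already present on the `pam_yubico.so` line prints the public ID it extracted, which is the same value `otp_public_id` returns here.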