Yubico Forum
https://forum.yubico.com/

Offline PAM for the Yubikey
https://forum.yubico.com/viewtopic.php?f=8&t=159
Page 3 of 4

Author:  BIgV [ Sat Feb 14, 2009 6:14 pm ]
Post subject:  Re: Offline PAM for the Yubikey

That did the trick!

Author:  gorkab [ Tue Feb 17, 2009 9:51 pm ]
Post subject:  Re: Offline PAM for the Yubikey

Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting a cascading auth issue when using multiple "required" pam modules.

session:
Code:
$ ssh root@x.x.x.x
gorkab@x.x.x.x's password:
Permission denied, please try again.
gorkab@x.x.x.x's password:

debug log:
Code:
[pam_yubikey.c:pam_sm_authenticate(104)] called.
[pam_yubikey.c:pam_sm_authenticate(105)] flags 1 argc 0
[pam_yubikey.c:pam_sm_authenticate(112)] verbose=0
[pam_yubikey.c:pam_sm_authenticate(122)] get user returned: gorkab
[pam_yubikey.c:get_response(206)] conv returned: <<REALUNIXPW>>
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: <<REALUNIXPW>>
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(268)] public_uid has no length, OTP is invalid
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 8


I thought it might go away as Lenny got older, but it didn't.

Author:  lintweaker [ Fri Mar 13, 2009 1:16 pm ]
Post subject:  Re: Offline PAM for the Yubikey

I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
Code:
ykvalidate --user kramer [optremoved]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

BTW I noticed that make install put the pam_yubikey.* in /lib/security instead of /lib64/security.

Author:  lintweaker [ Fri Mar 13, 2009 2:40 pm ]
Post subject:  Re: Offline PAM for the Yubikey

lintweaker wrote:
I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
Code:
ykvalidate --user kramer [optremoved]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

I've rebuilt the libraries with debugging enabled. The log files show:

Code:
[pam_yubikey.c:get_response(206)] conv returned: [snipped]
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(279)] couldn't access database: /etc/yubikey
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 9

So somehow /etc/yubikey cannot be read. As this is on a Fedora machine with selinux enabled I had to change the /etc/yubikey context as well. I 'stole' the context from another file in /etc:

Code:
chcon -v --reference=/etc/wvdial.conf yubikey


I am not sure that's correct but I no longer get selinux messages. Unfortunately the problem persists, even after giving everybody read rights on the /etc/yubikey file. Clueless :(

Author:  lintweaker [ Fri Mar 13, 2009 2:56 pm ]
Post subject:  Re: Offline PAM for the Yubikey

lintweaker wrote:
lintweaker wrote:
I just got my keys and am trying to get offline pam working.

Whenever I try to login with the correct key I get:

Code:
Mar 13 13:11:48 paragon yk_chkpwd[13893]: password check failed for user (kramer)
Mar 13 13:11:48 paragon unix_chkpwd[13895]: password check failed for user (kramer)
Mar 13 13:11:48 paragon login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=  user=kramer
Mar 13 13:11:50 paragon login: FAILED LOGIN 1 FROM (null) FOR kramer, Authentication failure


ykvalidate works as it should (although only under root):
Code:
ykvalidate --user kramer [optremoved]
OTP is VALID.

This is with Fedora 10 x86_64. Any hints on how to investigate this further?

I've rebuilt the libraries with debugging enabled. The log files show:

Code:
[pam_yubikey.c:get_response(206)] conv returned: [snipped]
[pam_yubikey.c:_yubi_run_helper_binary(259)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[yk_chkpwd.c:_yubi_verify_password(279)] couldn't access database: /etc/yubikey
[pam_yubikey.c:_yubi_run_helper_binary(375)] returning 9

So somehow /etc/yubikey cannot be read. As this is on a Fedora machine with selinux enabled I had to change the /etc/yubikey context as well. I 'stole' the context from another file in /etc:

Code:
chcon -v --reference=/etc/wvdial.conf yubikey


I am not sure that's correct but I no longer get selinux messages. Unfortunately the problem persists, even after giving everybody read rights on the /etc/yubikey file. Clueless :(


OK, again replying to my own message.
By default the file /etc/yubikey has the following permissions:
-rw-r--r-- root root
Checking the ykdbDatabaseOpen function in yubikey_db.c shows:

Code:
/* open the db: O_RDWR needs write permission on the file, so a 0644 root-owned
   /etc/yubikey fails here for any non-root process */
   handle->file_descriptor = open(path, O_RDWR);
   if (handle->file_descriptor == -1)
   {
      free(handle);

      YKDB_ERROR(YKDB_ERR_IO);
      return NULL;
   }

that the database will be opened with Read Write permissions (is that really necessary here?).
Changing the permissions on /etc/yubikey gets rid of the 'could not access database error':

Code:
[ykvalidate.c:_yubi_run_helper_binary(275)] called.
[yk_chkpwd.c:_yubi_verify_password(255)] Recived OTP: [snipped]
[yk_chkpwd.c:_yubi_verify_password(263)] Parsing OTP
[ykvalidate.c:_yubi_run_helper_binary(388)] returning 0

I am not sure this is the right way forward.
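A small diagnostic for the permission problem described above, added here as an example and not part of YubiPAM. It assumes, as the open(O_RDWR) call suggests, that the database must be writable by the process doing the check (the OTP counters in it have to be updated after each successful validation), and it judges the file purely from ownership and mode bits so the reasoning holds even when run as root; supplementary groups are ignored for simplicity.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Verdicts for the OTP counter database (hypothetical helper, not YubiPAM code). */
enum authdb_verdict {
    AUTHDB_OK = 0,          /* this process can open it O_RDWR, others cannot write it */
    AUTHDB_NOT_WRITABLE,    /* the 0644 case from the thread: open(O_RDWR) fails for non-root */
    AUTHDB_WORLD_WRITABLE   /* any local user could alter the counters: worse than not writable */
};

/* Pure decision on owner/group/mode, so it can be unit-tested without touching the filesystem.
   uid 0 is treated as always able to write, matching DAC override for root. */
enum authdb_verdict authdb_verdict_for(mode_t mode, uid_t file_uid, gid_t file_gid,
                                       uid_t uid, gid_t gid)
{
    if (mode & S_IWOTH)
        return AUTHDB_WORLD_WRITABLE;
    bool writable = (uid == 0) ||
                    (uid == file_uid && (mode & S_IWUSR)) ||
                    (gid == file_gid && (mode & S_IWGRP));
    return writable ? AUTHDB_OK : AUTHDB_NOT_WRITABLE;
}

/* stat() the real file and judge it for the calling process; -1 when stat itself fails. */
int authdb_check(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        fprintf(stderr, "couldn't access database: %s (%s)\n", path, strerror(errno));
        return -1;
    }
    return (int)authdb_verdict_for(st.st_mode, st.st_uid, st.st_gid, geteuid(), getegid());
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/yubikey";  /* default path from the thread */
    int v = authdb_check(path);
    if (v == AUTHDB_OK)
        puts("OK: database is writable by this process and not by everyone");
    else if (v == AUTHDB_NOT_WRITABLE)
        puts("NOT WRITABLE: open(O_RDWR) will fail; fix owner/group rather than adding o+w");
    else if (v == AUTHDB_WORLD_WRITABLE)
        puts("WORLD WRITABLE: any local user can alter OTP counters; remove o+w");
    return v == AUTHDB_OK ? 0 : 1;
}
```

Run it as the user that yk_chkpwd executes as, or pass the database path as the first argument.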

Author:  rpimonitrbtch [ Wed Apr 01, 2009 4:36 am ]
Post subject:  Re: Offline PAM for the Yubikey

gorkab,

sorry for the delayed response, but yes, yubipam works just fine for me under Lenny. Granted, I had built it (and packaged it) under etch, so that might be the difference...?

gorkab wrote:
Does anyone have the offline pam module working under Debian Lenny or Ubuntu Ibex (Lenny Based)?

I'm getting a cascading auth issue when using multiple "required" pam modules.

Author:  smurfy [ Wed Jul 08, 2009 5:21 pm ]
Post subject:  Re: Offline PAM for the Yubikey

Hi,

I really like the offline pam module. After some problems I got it working. :)

The only thing I want to ask is: is there a way, via PAM or this module directly, to create a two-way authorisation?
I simply want to enter a password and then press the YubiKey.

thanks

phil

Author:  Cam [ Thu Feb 04, 2010 12:56 am ]
Post subject:  Re: Offline PAM for the Yubikey

I got yubipam 1.0.4 working with selinux in F12 but had to follow some different steps to the ones I found here:

http://blog.rootshell.be/2009/03/27/yub ... -on-linux/

To give /etc/yubikey write permission from the login process I had to rebuild with:

./configure --with-authdb=/var/lib/gdm/yubikey

Then I made sure yubikey had:
Code:
# ls -Z /var/lib/gdm/yubikey
-rw-rw-r--. root yubiauth system_u:object_r:xdm_var_lib_t:s0 /var/lib/gdm/yubikey

Otherwise, I could not login because the yk_chkpwd could not write to /etc/yubikey (this is with SELINUX=enforcing)

One unexpected hitch, I am able to log in with the yubikey, but as soon as I'm in I'm prompted for my password to unlock the gnome keyring :( Apart from that, it's neat.

Author:  außerirdischegesund [ Mon Feb 07, 2011 1:44 pm ]
Post subject:  Re: Offline PAM for the Yubikey

Hello! First post here!

Has anybody by chance downloaded the most recent stable version of this offline PAM module as a tar file?

It seems that http://www.securixlive.com/ is down, and I would love to try out this module.

Author:  craig0927 [ Sat Feb 12, 2011 10:25 pm ]
Post subject:  Re: Offline PAM for the Yubikey

I downloaded a copy of YubiPAM 1.1 beta 1 from the securixlive.com site on Jan. 26.
