Using libpam-yubico from the PPA, I've been able to set up my Linux Mint 17 box to require Yubico OTP authentication when logging into the local console. That all works perfectly.
I can't get it to work in challenge-response mode, though. I've commented out the Yubico OTP line in /etc/pam.d/login and put the following in immediately after it:
Code:
auth required pam_yubico.so mode=challenge-response debug
I've configured slot 2 to HMAC-SHA1, both via the GUI and command line config tools - in the latter case by a copy and paste of the instructions on GitHub, to avoid any misconfiguration. I've used the ykpamcfg tool to generate an initial per-user challenge in ~/.yubico. I've also created a log file. As far as I can tell, the setup is as it should be.
When I switch to the console and try to log in, I receive a "login incorrect" message. I'm 100% certain that the username and password are correct, and checking the log file it all appears to be okay, ending with this:
Code:
[pam_yubico.c:do_challenge_response(541)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(621)] Challenge-response success!
The challenge file has also been updated with a new challenge, as expected.
Does anyone have any thoughts or ideas about this? Is there a way to get additional logging out, so that I can confirm that the PAM module is returning a success code? Any help would be greatly appreciated.
Edit: I forgot to mention, I'm NOT using an encrypted partition or filesystem of any sort.
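The debug log above shows the response being checked and a new challenge generated, with the challenge file changing afterwards. As an added illustration (not part of the original post, and not pam_yubico's own code or file format), this simplified Python model walks through that rolling challenge cycle with a software HMAC-SHA1 stand-in for the key; the class, function names and secret are assumptions.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 63  # same length as the "(63 bytes)" in the debug log


class SoftToken:
    """Software stand-in for a slot configured for HMAC-SHA1 (constructed)."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def enroll(token):
    """Initial per-user state: one challenge plus the response it should yield."""
    challenge = os.urandom(CHALLENGE_LEN)
    return {"challenge": challenge, "expected": token.respond(challenge)}


def authenticate(state, token):
    """Return (ok, state); on success the state rolls to a fresh challenge."""
    response = token.respond(state["challenge"])
    if not hmac.compare_digest(response, state["expected"]):
        return False, state  # mismatch: stored challenge is left untouched
    fresh = os.urandom(CHALLENGE_LEN)
    return True, {"challenge": fresh, "expected": token.respond(fresh)}


def demo():
    key = SoftToken(bytes(range(20)))         # constructed 20-byte secret
    other = SoftToken(bytes(range(1, 21)))    # a different, unenrolled token
    state0 = enroll(key)
    old_response = key.respond(state0["challenge"])
    ok, state1 = authenticate(state0, key)
    rolled = state1["challenge"] != state0["challenge"]
    # A response captured for the old challenge no longer matches the new state.
    replay_ok = hmac.compare_digest(old_response, state1["expected"])
    wrong_ok, state2 = authenticate(state1, other)
    return ok, rolled, replay_ok, wrong_ok, state2 is state1


if __name__ == "__main__":
    print(demo())
```
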