Yubico Forum

 Post subject: Re: SSH authentication
Posted: Wed Oct 20, 2010 6:11 pm
Joined: Wed Oct 20, 2010 5:37 pm
Posts: 2
I just found a post from romain, also related to PAM, which I first discarded because of Kerberos.

But I downloaded those rpms instead and modified the config a bit to use the default API servers instead of my own, and now all works well.



 Post subject: Re: SSH authentication
Posted: Thu Mar 03, 2011 3:27 am
Joined: Thu Mar 03, 2011 3:20 am
Posts: 1
rossnick wrote:
If I change the sufficient for required, I see:

# ssh rossnick@localhost
Yubikey for `rossnick':
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.

Logs show me that the yubikey auth worked, and see this:

sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

in my secure log.

I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM at yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.



I have _exactly_ this problem on Ubuntu 10.10. I've compiled the yubico lib and pam lib from the latest git source.

I set up as per the instructions, but if I set "auth required" in my pam.d/sshd file and log in, I get the yubikey prompt... followed by my password prompt... but the second I type in my password I get disconnected and the following error shows up in my /var/log/auth.log:

Mar 3 10:15:47 ************ sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

If I change it to "auth sufficient" in the pam.d/sshd file then it works fine: I can log in with no problems with just the yubikey and no password prompt. I don't _mind_ using the yubikey as my only auth... but I would _much_ rather have the two factor of my PW + the yubikey.

Any suggestions as to why this is dying with the required option?
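An added example, not part of the original posts: a small log triage script that groups sshd lines by PID and separates logins that passed the PAM auth phase and then died in a later PAM call (the pattern both posters report) from other outcomes. The function name, verdict labels, host name "host" and user "alice" are assumptions made for this sketch.

```python
import re

# Constructed sample: the first two and the last line reuse the log excerpts
# quoted in the thread; the host name and the "alice" line are constructed.
SAMPLE_LOG = """\
sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
Mar  3 10:15:40 host sshd[7536]: Accepted keyboard-interactive/pam for alice from 127.0.0.1 port 42200 ssh2
Mar  3 10:15:47 host sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
"""

# Matches "sshd[PID]: message" with or without a syslog timestamp/host prefix.
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
FATAL_RE = re.compile(r"fatal: PAM: (?P<call>pam_\w+)\(\): (?P<error>.*)$")


def classify_sessions(log_text):
    """Group sshd lines by PID and label how far each login got in PAM."""
    sessions = {}  # insertion-ordered: PIDs appear in first-seen order
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], {"pid": int(m["pid"]), "accepted": None, "fatal": None})
        if (a := ACCEPT_RE.search(m["msg"])):
            s["accepted"] = a.groupdict()
        elif (f := FATAL_RE.search(m["msg"])):
            s["fatal"] = f.groupdict()
    results = []
    for s in sessions.values():
        if s["accepted"] and s["fatal"]:
            s["verdict"] = "auth-ok-then-pam-fatal"    # auth phase passed, a later PAM call failed
        elif s["fatal"]:
            s["verdict"] = "pam-fatal-no-accept-seen"  # fatal line without an Accepted line for this PID
        elif s["accepted"]:
            s["verdict"] = "accepted-no-fatal"
        else:
            s["verdict"] = "other"
        results.append(s)
    return results


if __name__ == "__main__":
    for s in classify_sessions(SAMPLE_LOG):
        user = s["accepted"]["user"] if s["accepted"] else "?"
        print(s["pid"], user, s["verdict"], s["fatal"] or "")
```

A session labelled auth-ok-then-pam-fatal points at the PAM stack configuration rather than at a wrong OTP or password, since sshd had already logged the authentication as accepted.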

