Yubico Forum

PAM module not working on Ubuntu 9.10 x64

Author:  Kami [ Tue Mar 16, 2010 9:59 pm ]
Post subject:  PAM module not working on Ubuntu 9.10 x64


I have just spent almost 3 hours trying to get the pam_yubico.so PAM module to work, but I had no luck.

Basically, I enter my OTP and the log file looks like everything went ok, but I don't get logged in.

I have tried both single- and two-factor authentication, but I don't really think this is a problem.

I guess it's something to do with the yk_chkpwd binary or the pam module itself.

My configuration:

System: Ubuntu 9.10 x64
Yubikey: Yubikey 2.0 (yes I know it does not matter, but just for the sake of completeness :P)

The correct user account name and 12 char id are located in the ~/.yubico/authorized_yubikeys file (I have also tried the authfile method, but I don't really think this is the problem).

The correct secret key is placed in the pam config file.

Here is the output from the logfile:

[pam_yubico.c:check_user_token(117)] Authorization line: kami:xxx
[pam_yubico.c:check_user_token(121)] Matched user: kami
[pam_yubico.c:check_user_token(125)] Authorization token: xxxx
[pam_yubico.c:check_user_token(128)] Match user/token as kami/xxxx
[pam_yubico.c:pam_sm_authenticate(594)] done. [Success]
[pam_yubico.c:parse_cfg(381)] called.
[pam_yubico.c:parse_cfg(382)] flags 8 argc 4
[pam_yubico.c:parse_cfg(384)] argv[0]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(384)] argv[1]=id=3914
[pam_yubico.c:parse_cfg(384)] argv[2]=key=XXX
[pam_yubico.c:parse_cfg(384)] argv[3]=debug
[pam_yubico.c:parse_cfg(385)] id=3914
[pam_yubico.c:parse_cfg(386)] key=XXX
[pam_yubico.c:parse_cfg(387)] debug=1
[pam_yubico.c:parse_cfg(388)] alwaysok=0
[pam_yubico.c:parse_cfg(389)] try_first_pass=0
[pam_yubico.c:parse_cfg(390)] use_first_pass=0
[pam_yubico.c:parse_cfg(391)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(392)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(393)] ldapdn=(null)
[pam_yubico.c:parse_cfg(394)] user_attr=(null)
[pam_yubico.c:parse_cfg(395)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(615)] retval: 0
[pam_yubico.c:pam_sm_setcred(635)] done. [Success]

As you can see, everything looks fine.

EDIT: I have just checked the log file and it's like I predicted - it's segfault-ing:

Mar 16 20:50:25 kami-laptop kernel: [22998.637336] gnome-screensav[24361]: segfault at 150 ip 00007f422d22fbe1 sp 00007f421f8f7e50 error 6 in libpam.so.0.82.1[7f422d22d000+c000]

Any help would be more than appreciated.
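
Added example (not part of the original thread and not code from the pam_yubico project): a small decoder for the kernel segfault line quoted in the post above. It reports which process crashed, what kind of access faulted, and the offset of the faulting instruction inside the mapped library. The function name and field names are made up for this example, and the error-bit meanings assume an x86/x86_64 kernel, as in the post.

```python
import re

# The kernel log line from the post above, copied verbatim.
SAMPLE = ("Mar 16 20:50:25 kami-laptop kernel: [22998.637336] gnome-screensav[24361]: "
          "segfault at 150 ip 00007f422d22fbe1 sp 00007f421f8f7e50 error 6 "
          "in libpam.so.0.82.1[7f422d22d000+c000]")

# All numbers in this message are printed by the kernel in hex, including "error".
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def decode_segfault(line):
    """Return a dict describing a kernel 'segfault at' line, or None if no match."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err = (int(m[k], 16) for k in ("addr", "ip", "err"))
    info = {
        "comm": m["comm"],            # truncated to 15 chars by the kernel
        "pid": int(m["pid"]),
        "fault_addr": addr,
        # x86 page-fault error bits: 0x1 present, 0x2 write, 0x4 user, 0x10 fetch
        "access": "exec" if err & 0x10 else "write" if err & 0x2 else "read",
        "page_present": bool(err & 0x1),
        "user_mode": bool(err & 0x4),
        # An address in the first page is consistent with a NULL pointer
        # plus a struct field offset.
        "near_null": addr < 0x1000,
        "object": m["obj"],
        "offset": None,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            info["offset"] = ip - base   # offset within the mapping shown in [base+size]
    return info

if __name__ == "__main__":
    for key, value in decode_segfault(SAMPLE).items():
        print(f"{key:13} {hex(value) if key in ('fault_addr', 'offset') else value}")
```

For the line above this gives a user-mode write to a non-present page at address 0x150, with the faulting instruction 0x2be1 bytes into the libpam.so.0.82.1 mapping, which is the value to look up in a build of that library with debug symbols.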


Author:  samir [ Wed Mar 17, 2010 9:46 am ]
Post subject:  Re: PAM module not working on Ubuntu 9.10 x64

We would appreciate it if you can provide us the following information:

    1) Operating system: Are you using Ubuntu Server 9.10 or Ubuntu Desktop 9.10?
    2) Which application are you configuring for YubiKey based two factor authentication?
    3) Corresponding PAM file (located in /etc/pam.d/ directory) for your application

Author:  Kami [ Wed Mar 17, 2010 12:07 pm ]
Post subject:  Re: PAM module not working on Ubuntu 9.10 x64

Sure, even though I'm still pretty sure the problem is not related to the configuration (as you can see from the log file) :)

1. I'm using Ubuntu desktop 9.10 x64 (Linux kami-laptop 2.6.31-20-generic #57-Ubuntu SMP Mon Feb 8 09:02:26 UTC 2010 x86_64 GNU/Linux)

2. It doesn't matter, I have tried configuring it for the gnome-screensaver, sshd, login or even for all of them (common-auth).

3. Here is the content of, for example, the gnome-screensaver PAM config file (but like I have previously said, I have tried all the combinations which make sense...):

@include common-auth
auth sufficient pam_yubico.so authfile=/etc/yubikeyid id=xxxx key=zzz debug
auth optional pam_gnome_keyring.so

It also does not matter if I change the order (put the pam_yubico.so line above the include) or disable the include of the common-auth file.

I'll probably have more time during the weekend and I will be able to try some other PAM modules and maybe try to write my own PAM module in Python using python-pam (yes, I know that that is not very efficient) and I will see if this one works (as I have a feeling that the problem is related to the yubico PAM module).


Author:  Kami [ Wed Mar 17, 2010 11:18 pm ]
Post subject:  Re: PAM module not working on Ubuntu 9.10 x64

Since I couldn't get the C module to work, I wrote my own PAM module in Python using pam-python (http://ace-host.stuart.id.au/russell/files/pam_python/).

I know that using Python for a PAM module is not really the best and most efficient way, but it should serve me (and probably some other users who have problems with the original C extension) well.

The code for the extension is located on: http://github.com/Kami/yubico-pam-module

Keep in mind that this is a first release which is not yet fully feature-complete and it could break (basic functionality should work fine though).

I do plan to finish it up so it will be totally compatible with the original C extension and create a new branch with some extra features which I (and maybe someone else will) find useful (offline authentication is one of them for sure).

P.S. If you think this should go in a new thread, feel free to merge my post into a new thread :)

Author:  jonr [ Sat Apr 17, 2010 4:19 pm ]
Post subject:  Re: PAM module not working on Ubuntu 9.10 x64

This is the 5 minute solution I used:


All times are UTC + 1 hour