Hi,
I want to use the pam_yubico module with two-factor SSH authentication.
Here is my configuration:
Code:
auth requisite pam_yubico.so id=1 urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify authfile=/etc/yubikey_mappings/authorized_yubikeys debug
On the hajvmyk01 server two instances of yubico-serve are running. TFA for SSH is configured on hajvmyk02 (client).
Currently http://hajvmyk01:8000/wsapi/2.0/verify is not reachable (HA failure test).
So if I log in to the client, it logs in successfully, but the log says:
Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]
Authentication failure.
Another login fails, but the log says:
Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultdgngcbedjirtfuncljkinvjjktktuccc ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(222)] Using system-wide auth_file /etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:check_user_token(179)] Authorization line: root:vvuficteuult
[pam_yubico.c:check_user_token(183)] Matched user: root
[pam_yubico.c:check_user_token(188)] Authorization token: vvuficteuult
[pam_yubico.c:check_user_token(191)] Match user/token as root/vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Success]
Success.
The 3rd try is a little bit strange: it times out.
Log:
Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
The urllist parameter has been changed and is not equal to the PAM file.
Does anybody know about these problems or what I misconfigured?
I use Ubuntu 12.04 and the official Yubico PPA packages.
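Added example (not part of the post above and not Yubico's code): a small Python script that splits pam_yubico debug output into individual login attempts, pulls out the settings and outcome the module logs (key, urllist, user, token ID, ykclient return value, final "done." status) and flags what a reviewer would check in the three logs quoted above: `key=(null)` (so no API key is configured and the validation server's response signature cannot be checked), validation URLs that are plain http rather than https, a urllist that no longer matches what was written into the PAM file, and an attempt that never reaches its "done." line (the hanging third try). The sample log is a constructed, trimmed excerpt of the three attempts quoted in the post, and `EXPECTED_URLS` is an assumption standing in for the urllist as written in the PAM configuration.

```python
"""Summarize pam_yubico debug output per login attempt and flag weak settings."""
import re
from urllib.parse import urlsplit

# Constructed sample input: trimmed excerpts of the three attempts quoted in the
# post (same field values); each attempt starts at the parse_cfg "called." line.
SAMPLE_LOG = """\
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultdgngcbedjirtfuncljkinvjjktktuccc ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (0): Success
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Success]
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
"""

# Assumption: the urllist as the administrator wrote it into the PAM file.
EXPECTED_URLS = [
    "http://hajvmyk01:8000/wsapi/2.0/verify",
    "http://hajvmyk01:8002/wsapi/2.0/verify",
]

ATTEMPT_START = "parse_cfg(764)] called."
_PATTERNS = {
    "key": re.compile(r"\] key=(.*)$"),
    "urllist": re.compile(r"\] urllist=(.*)$"),
    "user": re.compile(r"get user returned: (\S+)"),
    "otp": re.compile(r"OTP: (\S+) ID: (\S+)"),
    "ykclient": re.compile(r"ykclient return value \((\d+)\): (.*)$"),
    "done": re.compile(r"done\. \[(.*)\]"),
}


def split_attempts(text):
    """Group log lines into attempts; each attempt begins at a 'called.' line."""
    attempts = []
    for line in text.splitlines():
        if line.endswith(ATTEMPT_START):
            attempts.append([])
        if attempts:
            attempts[-1].append(line)
    return attempts


def parse_attempt(lines):
    """Extract the logged settings and outcome of one attempt."""
    info = {"key_set": False, "urls": [], "user": None, "token_id": None,
            "ykclient_code": None, "ykclient_msg": None, "result": None}
    for line in lines:
        if m := _PATTERNS["key"].search(line):
            info["key_set"] = m.group(1) != "(null)"
        elif m := _PATTERNS["urllist"].search(line):
            info["urls"] = m.group(1).split(";")
        elif m := _PATTERNS["user"].search(line):
            info["user"] = m.group(1)
        elif m := _PATTERNS["otp"].search(line):
            info["token_id"] = m.group(2)  # public ID prefix of the OTP
        elif m := _PATTERNS["ykclient"].search(line):
            info["ykclient_code"] = int(m.group(1))
            info["ykclient_msg"] = m.group(2)
        elif m := _PATTERNS["done"].search(line):
            info["result"] = m.group(1)  # text inside "done. [...]"
    return info


def audit_attempt(info, expected_urls):
    """Return the findings a reviewer would raise for one attempt."""
    findings = []
    if not info["key_set"]:
        findings.append("no API key configured: response signature cannot be checked")
    for url in info["urls"]:
        if urlsplit(url).scheme != "https":
            findings.append(f"validation URL without TLS: {url}")
    if info["urls"] != expected_urls:
        findings.append("urllist differs from PAM file: " + ";".join(info["urls"]))
    if info["ykclient_msg"] and "REPLAYED_OTP" in info["ykclient_msg"]:
        findings.append("validation server reported a replayed OTP")
    if info["result"] is None:
        findings.append("attempt never reached 'done.' (hung or timed out)")
    return findings


def analyze(text, expected_urls=EXPECTED_URLS):
    """Parse every attempt in a debug log and attach audit findings."""
    report = []
    for lines in split_attempts(text):
        info = parse_attempt(lines)
        info["findings"] = audit_attempt(info, expected_urls)
        report.append(info)
    return report


if __name__ == "__main__":
    for n, a in enumerate(analyze(SAMPLE_LOG), 1):
        print(f"attempt {n}: user={a['user']} token={a['token_id']} "
              f"ykclient={a['ykclient_msg']} result={a['result']}")
        print("\n".join(f"  - {f}" for f in a["findings"]))
```

Run it against a real `/var/log/auth.log` by passing the file contents to `analyze()`; the third attempt's findings show both the single-entry urllist and the missing "done." line, which is the pattern to look for when an HA failover test hangs instead of failing over.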