Hello,
I have a couple of Yubikeys which I have configured with my own authentication server; I have pam configured to use that server and it has all been working well.
I renewed my ssl certificates a few days ago and since then, the pam authentication has failed to work. If I put pam into debug mode, I get:
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: <OTP> ID: cccccccccccb
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (101): Could not parse server response
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication service cannot retrieve authentication info]
However, if I run curl from the command line to double check things:
curl "https://<url>/wsapi/2.0/verify?id=1&otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif&nonce=12345678901234567890"
h=ZNrvPCKBjfbPA6sVuBaIQcZ2wtc=
t=2014-08-20T10:50:53Z0954
otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif
nonce=12345678901234567890
sl=0
status=OK
If I put the old SSL certs back in place, everything starts working again. The only thing I can think of is that I use a 4096 byte SSL key, rather than the standard 2048 - could this cause the issue?
Any idea how I can debug things? The rest of my SSL infrastructure works fine - Firefox recognises everything as normal; curl has no issues, I don't really know where to go next...
The pam config is:
auth sufficient pam_yubico.so debug id=1 url=https://<url>/wsapi/2.0/verify?id=%d&otp=%s
Cheers, David
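An added example, not from the post and not pam_yubico's or ykclient's own code: a small Python checker that parses a wsapi/2.0/verify body like the curl output above, checks that the otp and nonce echo the request, and verifies the h signature (HMAC-SHA1 over the other fields sorted by key and joined with '&', per the validation protocol v2.0) when the client's API key is known. A body with no status= field at all, such as an empty reply or an HTML error page, cannot be parsed, which is the outcome the pam_yubico log reports. The API key and the signed sample body are constructed here; the h value therefore differs from the one the real server returned.

```python
import base64
import hashlib
import hmac


def parse_verify_response(body):
    """Split a verify body into fields; no status field means it is not a protocol reply."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.strip().split("=", 1)
            fields[key] = value
    if "status" not in fields:
        raise ValueError("could not parse server response: no status field")
    return fields


def response_signature(fields, api_key):
    """HMAC-SHA1 over all fields except h, sorted by key and joined with '&'."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(api_key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def check_response(body, otp, nonce, api_key=None):
    """Return the server status, or a reason string when the reply must be rejected."""
    fields = parse_verify_response(body)
    if api_key is not None and not hmac.compare_digest(
            fields.get("h", "").encode(), response_signature(fields, api_key).encode()):
        return "BAD_SERVER_SIGNATURE"  # tampered reply, or wrong API key configured
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return "RESPONSE_MISMATCH"  # reply does not echo this request
    return fields["status"]


def build_signed_response(fields, api_key):
    """Lay out a signed body the way the curl output shows it (test helper)."""
    signed = dict(fields, h=response_signature(fields, api_key))
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


# Constructed sample: OTP and nonce as in the curl example above, but the API key
# is made up here, so the h value is not the one the real server produced.
SAMPLE_KEY = b"constructed-api-key"
SAMPLE_OTP = "cccccccccccbuejgbetvinrggvhbblghibrlbnefudif"
SAMPLE_NONCE = "12345678901234567890"
SAMPLE_BODY = build_signed_response(
    {"t": "2014-08-20T10:50:53Z0954", "otp": SAMPLE_OTP, "nonce": SAMPLE_NONCE,
     "sl": "0", "status": "OK"}, SAMPLE_KEY)
```

Feeding the checker the raw body that curl returns from the renewed-certificate server (and, separately, whatever an empty or error reply looks like) shows whether the failure is in the body itself or in what the client receives over TLS.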