Yubico Forum


All times are UTC + 1 hour




Posted: Wed Nov 09, 2011 9:35 pm
Hi folks,

Have some issues with getting PAM to work with SSH and 2FA.

sshd_config:
UsePam yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

pam.d/sshd:
auth requisite pam_yubico.so id=X debug authfile=/etc/yubikey_mappings key=X
auth required pam_unix.so debug use_first_pass

/var/log/messages:
Nov 9 20:29:17 sshd[94332]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I get this error when I do an SSH to the box:

tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root': /etc/passwd password + OTP
Connection to 10.1.1.24 closed by remote host.
Connection to 10.1.1.24 closed.

If I only provide my OTP I get this error:
Nov 9 20:31:05 sshd[94342]: error: PAM: authentication error for root from 10.1.1.2
tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root':
Yubikey for `root':
Yubikey for `root':
root@10.1.1.24's password:
Permission denied, please try again.
root@10.1.1.24's password:
Received disconnect from 10.1.1.24: 2: Too many authentication failures for root


I checked out the latest source code two days ago, regarding yubico-c-client and yubico-pam.

What am I missing?

Thanks



Posted: Thu Nov 10, 2011 6:47 pm
Of course, I found the error:

When using PAM with SSH, the manual for sshd_config states that ChallengeResponseAuthentication and PasswordAuthentication should not have the same value.

ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePam yes

Now it works with username, unix_password + OTP.

As far as I can understand, you cannot use the yubico PAM to do this:

tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root':
Password:
pam_unix: pam_sm_authenticate: UNIX authentication refused

Or?


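The check below is an added example, not part of the original posts and not Yubico or OpenSSH code: it parses an sshd_config and reports the combination the second post identifies (UsePAM on with both PasswordAuthentication and ChallengeResponseAuthentication enabled). The function names and the built-in defaults are assumptions for illustration; the two sample configurations are the ones quoted in the thread.

```python
# Added example: flags the sshd_config conflict discussed in this thread.
# DEFAULTS are an assumption (upstream OpenSSH defaults of that era); vendors
# may patch them, so confirm against your own sshd_config(5).
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

# The two configurations quoted in the posts above.
BEFORE = "UsePam yes\nChallengeResponseAuthentication yes\nPasswordAuthentication yes\n"
AFTER = "ChallengeResponseAuthentication no\nPasswordAuthentication yes\nUsePam yes\n"

def effective_settings(config_text):
    """Resolve the global value of each tracked keyword.

    Keywords are case-insensitive and the first occurrence wins. Parsing
    stops at the first Match block, whose settings apply only conditionally.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            seen[key] = value
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return a list of findings; an empty list means no conflict."""
    s = effective_settings(config_text)
    if s["usepam"] != "yes":
        return ["UsePAM is not enabled, so the pam.d/sshd stack is never consulted"]
    if s["passwordauthentication"] == "yes" and s["challengeresponseauthentication"] == "yes":
        return ["UsePAM is on with both PasswordAuthentication and "
                "ChallengeResponseAuthentication enabled; disable one of them"]
    return []

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text) or "ok")
```

A keyword that is absent from the file is resolved from the assumed defaults, so a config containing only `UsePAM yes` is reported as well.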