Yubico Forum

Hi folks,

Have some issues with getting PAM to work with SSH and 2FA.

sshd_config:
UsePam yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

pam.d/sshd:
auth requisite pam_yubico.so id=X debug authfile=/etc/yubikey_mappings key=X
auth required pam_unix.so debug use_first_pass

/var/log/messages:
Nov 9 20:29:17 sshd[94332]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I get this error when I do a SSH to the box:

tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root': /etc/passwd password + OTP
Connection to 10.1.1.24 closed by remote host.
Connection to 10.1.1.24 closed.

If I only provide my OTP i get this error:
Nov 9 20:31:05 sshd[94342]: error: PAM: authentication error for root from 10.1.1.2
tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root':
Yubikey for `root':
Yubikey for `root':
root@10.1.1.24's password:
Permission denied, please try again.
root@10.1.1.24's password:
Received disconnect from 10.1.1.24: 2: Too many authentication failures for root


I checked out the latest source code two days ago, regarding yubico-c-client and yubico-pam.

What am I missing?

Thanks

Of course, I found the error:

When using PAM with SSH, the manual for sshd_config states that ChallengeResponseAuthentication and PasswordAuthentication should not have the same value.

ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePam yes

Now it works with username, unix_password + OTP.

As far as I can understand, you cannot use the yubico PAM to do this:

tore:~ tore$ ssh -l root 10.1.1.24
Yubikey for `root':
Password:
pam_unix: pam_sm_authenticate: UNIX authentication refused

Or?