Yubico Forum

Posted: Fri Sep 27, 2013 9:42 pm

Joined: Fri Sep 27, 2013 8:40 pm
Posts: 3
I'm trying to get YubiKey to work in conjunction with Krb5 auth on our servers. Currently I'm getting the following error when I enter a YubiKey token at the prompt:

Quote:
[pam_yubico.c:pam_sm_authenticate(797)] get user returned: xxxxxxx
[pam_yubico.c:pam_sm_authenticate(904)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(922)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(929)] OTP: xxxxxxxx ID: xxxxxxxx
[pam_yubico.c:pam_sm_authenticate(960)] ykclient return value (102): Internal printf format error
[pam_yubico.c:pam_sm_authenticate(1000)] done. [Authentication service cannot retrieve authentication info]

Anyone have any ideas?


Posted: Mon Sep 30, 2013 9:06 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Hello,

Could you provide us with more information:

- System
- Version of pam_yubico
- Configuration files

_________________
-Tom


Posted: Mon Sep 30, 2013 4:37 pm

Joined: Fri Sep 27, 2013 8:40 pm
Posts: 3
I'm running an Ubuntu 12.04 install using libpam-yubico 2.13-1~ppa1~precise1.

My pam-config for yubikey looks like:

Code:
Name: Yubico authentication with YubiKey
Default: no
Priority: 704
Auth-Type: Primary
Auth:
        required        pam_yubico.so   id=100 key=xxxxxx url=http://<server>/wsapi/2.0/verify? authfile=/etc/yubikey_mappings debug
Auth-Initial:
        required        pam_yubico.so   id=100 key=xxxxxx url=http://<server>/wsapi/2.0/verify? authfile=/etc/yubikey_mappings debug


and pam common-auth looks like:

Code:
# here are the per-package modules (the "Primary" block)
auth    required        pam_yubico.so id=100 key=xxxxxx url=http://<server>/wsapi/2.0/verify? authfile=/etc/yubikey_mappings debug
auth    [success=2 default=ignore]      pam_krb5.so minimum_uid=1000 try_first_pass
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so


Posted: Tue Oct 01, 2013 7:54 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Change the URL format to:

http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

Please read the README from the pam module on http://opensource.yubico.com/yubico-pam/

_________________
-Tom


Posted: Tue Oct 01, 2013 5:09 pm

Joined: Fri Sep 27, 2013 8:40 pm
Posts: 3
Tom,

Thanks, that took care of the printf error and I'm actually hitting the validation server with requests, but now I've run into another error.

Code:
[pam_yubico.c:parse_cfg(736)] called.
[pam_yubico.c:parse_cfg(737)] flags 1 argc 5
[pam_yubico.c:parse_cfg(739)] argv[0]=id=100
[pam_yubico.c:parse_cfg(739)] argv[1]=key=xxxxxx
[pam_yubico.c:parse_cfg(739)] argv[2]=url=http://<server>/wsapi/2.0/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(739)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(739)] argv[4]=debug
[pam_yubico.c:parse_cfg(740)] id=100
[pam_yubico.c:parse_cfg(741)] key=xxxxxx
[pam_yubico.c:parse_cfg(742)] debug=1
[pam_yubico.c:parse_cfg(743)] alwaysok=0
[pam_yubico.c:parse_cfg(744)] verbose_otp=0
[pam_yubico.c:parse_cfg(745)] try_first_pass=0
[pam_yubico.c:parse_cfg(746)] use_first_pass=0
[pam_yubico.c:parse_cfg(747)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(748)] ldapserver=(null)
[pam_yubico.c:parse_cfg(749)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(750)] ldapdn=(null)
[pam_yubico.c:parse_cfg(751)] user_attr=(null)
[pam_yubico.c:parse_cfg(752)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(753)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(754)] url=http://<server>/wsapi/2.0/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(755)] capath=(null)
[pam_yubico.c:parse_cfg(756)] token_id_length=12
[pam_yubico.c:parse_cfg(757)] mode=client
[pam_yubico.c:parse_cfg(758)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(797)] get user returned: xxxxxx
[pam_yubico.c:pam_sm_authenticate(904)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(922)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(929)] OTP: xxxxxx ID: xxxxxx
[pam_yubico.c:pam_sm_authenticate(960)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(1000)] done. [Authentication service cannot retrieve authentication info]


Searching through the forums, the only related posts seem to have to do with ARM implementations and PHP char escaping. One mentions not having the same API key on the server as on the client, but I've changed the API key twice and made sure they are the same on both with no change in error.


Posted: Mon Dec 16, 2013 11:18 am

Joined: Mon Dec 16, 2013 11:14 am
Posts: 1
Did you have any luck with getting this working?

We have the same problem - we are trying to use a local yubi server so that we have offline access but we get the same errors:

[pam_yubico.c:pam_sm_authenticate(969)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]

Thanks!
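
The BAD_SERVER_SIGNATURE (107) result in the last two posts comes from the client checking the `h` field of the verify response against its own `key=`. The following Python is an added example (not code from the thread, pam_yubico or ykclient) that recomputes that signature as the Yubico validation protocol 2.0 defines it: HMAC-SHA1 over the key-sorted response parameters, keyed with the base64-decoded API key. The function names, keys, OTP, nonce and sample response are constructed for illustration.

```python
import base64
import hashlib
import hmac

def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over key-sorted 'k=v' pairs joined with '&'; 'h' is excluded."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    key = base64.b64decode(api_key_b64)  # key= in the PAM line is base64 text
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse the line-based key=value body returned by /wsapi/2.0/verify."""
    params = {}
    for line in body.splitlines():
        if line.strip():
            k, _, v = line.strip().partition("=")  # first '=' only: base64 ends in '='
            params[k] = v
    return params

def check_response(body, api_key_b64, sent_otp, sent_nonce):
    """Return a list of problems; an empty list means the response is acceptable."""
    p = parse_response(body)
    problems = []
    if "h" not in p:
        problems.append("no signature (h) in response")
    elif not hmac.compare_digest(p["h"].encode(), sign(p, api_key_b64).encode()):
        problems.append("BAD_SERVER_SIGNATURE: HMAC differs, check key on both sides")
    if p.get("otp") != sent_otp or p.get("nonce") != sent_nonce:
        problems.append("otp/nonce do not match the request")
    if p.get("status") != "OK":
        problems.append(f"status is {p.get('status')}")
    return problems

def server_response(params, server_key_b64):
    """Constructed stand-in for the validation server: sign and serialise a reply."""
    lines = [f"h={sign(params, server_key_b64)}"] + [f"{k}={v}" for k, v in params.items()]
    return "\r\n".join(lines) + "\r\n"

# Constructed sample values (not real keys or OTPs).
CLIENT_KEY = base64.b64encode(b"constructed-key-0001").decode()
OTHER_KEY = base64.b64encode(b"constructed-key-0002").decode()
OTP = "cccccccccccb" + "defghijklnrtuvcb" * 2
NONCE = "constructednonce0123456789"
SAMPLE = {"otp": OTP, "nonce": NONCE, "t": "2013-10-01T16:09:00Z0123",
          "status": "OK", "sl": "100"}

if __name__ == "__main__":
    print(check_response(server_response(SAMPLE, CLIENT_KEY), CLIENT_KEY, OTP, NONCE))
    print(check_response(server_response(SAMPLE, OTHER_KEY), CLIENT_KEY, OTP, NONCE))
```

Running `check_response` on a response body captured from the local validation server, with the `key=` value from the PAM line, shows whether the two sides derive the same HMAC from the same parameters.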

