I run Ubuntu 14.04. I've installed the KSM and VAL services and managed to get them to work with ykclient from the client.
I've also tested LDAP by using the YubiCloud service for one of my keys, in which the PAM module looked up the Yubikey ID for each user using the standard Yubikey LDAP schema from
https://github.com/mludvig/yubikey-ldap. This authentication method worked.
ykclient is perfectly capable of validating keys and KSM and VAL are working as intended.
However, I cannot make yubico_pam.so authenticate using the same parameters as I use for ykclient when I combine VAL verification and LDAP lookups. I am convinced the fault here is not in the LDAP end of things, but rather in (another) undocumented feature of the KSM/VAL chain.
I use this line in /etc/pam.d/sshd:
Code:
auth required pam_yubico.so id=1 key=<generated with ykgen-client> urllist=http://<url verified with ykclient> ldap_uri=ldap://<ldap-server> ldapdn=<dn> user_attr=cn yubi_attr=yubiKeyId token_id_length=12 ldapcacertfile=/<working cafile> mode=client debug
The debug log outputs this for an attempted authentication:
Code:
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 11
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=1
[../pam_yubico.c:parse_cfg(764)] argv[1]=key=<keystring>
[../pam_yubico.c:parse_cfg(764)] argv[2]=urllist=<VAL server>
[../pam_yubico.c:parse_cfg(764)] argv[3]=ldap_uri=<ldapuri>
[../pam_yubico.c:parse_cfg(764)] argv[4]=ldapdn=<mydn>
[../pam_yubico.c:parse_cfg(764)] argv[5]=user_attr=cn
[../pam_yubico.c:parse_cfg(764)] argv[6]=yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(764)] argv[7]=token_id_length=12
[../pam_yubico.c:parse_cfg(764)] argv[8]=ldapcacertfile=<ldap-cafile>
[../pam_yubico.c:parse_cfg(764)] argv[9]=mode=client
[../pam_yubico.c:parse_cfg(764)] argv[10]=debug
[../pam_yubico.c:parse_cfg(765)] id=1
[../pam_yubico.c:parse_cfg(766)] key=<keystring>
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=(null)
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=ldap://<ldap-server>
[../pam_yubico.c:parse_cfg(775)] ldapdn=<dn>
[../pam_yubico.c:parse_cfg(776)] user_attr=cn
[../pam_yubico.c:parse_cfg(777)] yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: oyla
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 56 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 12 bytes. Length is 56, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: <full key> ID: <public part>
[../pam_yubico.c:pam_sm_authenticate(969)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
^C
I find it rather odd that ykclient works while the PAM module does not. The values are all the same. I tried the Ubuntu-supplied PAM module from APT as well as building my own from Git, with no luck. Any idea where to start? I didn't even know there was a server key to begin with, but then again, this wouldn't be my first time being surprised at something missing from the Yubico docs.
Thanks for any input.
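For readers who want to see what the BAD_SERVER_SIGNATURE check in the log above actually compares, here is an added example (not code from the post, pam_yubico or ykclient) of the Yubico validation protocol v2.0 signing rule: every "key=value" pair of the message except h is sorted by key, joined with "&", and HMAC-SHA1'd with the base64-decoded API key; the client signs its request this way and expects the server to sign its reply the same way with the key stored for that id. The API key, nonce, OTP, timestamp and the whole server reply below are constructed; the server side is a stand-in function, not a real YK-VAL.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Constructed API keys: a Yubico API key is the base64 of 20 bytes, which is
# what ykgen-client style tooling would hand out. These are NOT real keys.
SAMPLE_API_KEY_B64 = base64.b64encode(b"\x01" * 20).decode()
OTHER_API_KEY_B64 = base64.b64encode(b"\x02" * 20).decode()

# Constructed 44-character OTP (12-char public ID + 32-char modhex body) and nonce.
SAMPLE_OTP = "cccccccccccc" + "c" * 32
SAMPLE_NONCE = "0123456789abcdef0123456789abcdef"


def yubico_signature(params: Dict[str, str], api_key_b64: str) -> str:
    """Base64(HMAC-SHA1(key, 'k1=v1&k2=v2...')) over params sorted by key, excluding h."""
    key = base64.b64decode(api_key_b64)
    payload = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key, payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_verify_query(client_id: int, otp: str, api_key_b64: str,
                       nonce: Optional[str] = None) -> str:
    """Query string a client sends to /wsapi/2.0/verify, with h appended."""
    if nonce is None:
        nonce = secrets.token_hex(16)  # 16-40 chars of [a-zA-Z0-9]
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = yubico_signature(params, api_key_b64)
    return urlencode(params)


def make_sample_response(otp: str, nonce: str, api_key_b64: str, status: str = "OK") -> str:
    """Constructed stand-in for a YK-VAL reply: CRLF-separated key=value lines, signed by the server."""
    fields = {"t": "2014-06-01T12:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = yubico_signature(fields, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


def parse_response(body: str) -> Dict[str, str]:
    """Parse the key=value lines of a validation server reply."""
    out: Dict[str, str] = {}
    for line in body.splitlines():
        line = line.strip()
        if line and "=" in line:
            k, v = line.split("=", 1)
            out[k] = v
    return out


def check_response(body: str, api_key_b64: str, expected_nonce: str, expected_otp: str) -> str:
    """Client-side verification order: signature first, then nonce/otp binding, then status."""
    resp = parse_response(body)
    if "h" not in resp:
        return "MISSING_SIGNATURE"
    # Constant-time compare; a key that differs from the one the server holds
    # for our client id lands here, which is what ykclient reports as
    # BAD_SERVER_SIGNATURE.
    if not hmac.compare_digest(resp["h"], yubico_signature(resp, api_key_b64)):
        return "BAD_SERVER_SIGNATURE"
    # Bind the reply to our request so a captured earlier reply cannot be replayed.
    if resp.get("nonce") != expected_nonce or resp.get("otp") != expected_otp:
        return "RESPONSE_NOT_FOR_THIS_REQUEST"
    return resp.get("status", "MISSING_STATUS")


if __name__ == "__main__":
    print(build_verify_query(1, SAMPLE_OTP, SAMPLE_API_KEY_B64, SAMPLE_NONCE))
    reply = make_sample_response(SAMPLE_OTP, SAMPLE_NONCE, SAMPLE_API_KEY_B64)
    print(check_response(reply, SAMPLE_API_KEY_B64, SAMPLE_NONCE, SAMPLE_OTP))
    print(check_response(reply, OTHER_API_KEY_B64, SAMPLE_NONCE, SAMPLE_OTP))
```

The two `check_response` calls at the bottom show the asymmetry the log illustrates: the same reply verifies with the key the server signed it with and fails with BAD_SERVER_SIGNATURE under any other key, even though the OTP itself is perfectly valid. A client therefore needs both the id and the exact base64 key the VAL server has on file for that id, and the check happens before the status field is even looked at.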