Yubico Forum

I have configured the PAM module via this guide:

viewtopic.php?f=5&t=174

and I am receiving the following error in the debug output:

pam_yubico.c:pam_sm_authenticate(537)] ykclient return value (3): Request signature was invalid (BAD_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(579)] done. [Authentication service cannot retrieve authentication info]

Does anyone know a fix for this?

Thanks,
Koneko

We would appreciate if you can provide us the following information:

1) Details of Operating System (OS name, Kernel Version etc.) where you are configuring the Yubico PAM module
2) Version of the Yubico PAM module you are trying to configure
3) The Application details (Version number etc) for which you are configuring the Yubico PAM module
4) The PAM configuration file of the application (situated in /etc/pam.d directory)
5) Did you install your own OTP validation server and using it for validating the YubiKey OTP or are you using the online Yubico OTP validation server?

This information will help us debugging the issue you are facing.

1. Centos / 2.6.18-164.10.1.el5.centos.plus
2. PAM version 2.2
3. Sudo version 1.6.9p17
4.

#%PAM-1.0
auth sufficient /lib/security/pam_yubico.so id=(my id) authfile=/etc/yubikey debug
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so

5. I did not install a validation server.

Thanks =)

Thank you for providing the valuable information!

We are looking into this and we will update you soon.

The latest Yubico PAM module has made the use of the API Key mandatory. For more information about the API Key, please visit the following link:

http://www.yubico.com/developers/api/

As you did not mention the API Key parameter with the Yubico PAM module in the PAM configuration file, you were receiving the BAD_SIGNATURE error.

We would appreciate if you can follow the steps listed below and try again:

1) Create your own Client ID and API Key pair using the following link:

https://api.yubico.com/get-api-key/

Enter your email address and YubiKey OTP and click on "Generate API Key". This will generate a new client ID and API Key for you.

2) In the PAM configuration file, mention the ID and the API Key with the Yubico PAM module as follows:

auth sufficient pam_yubico.so id=<Your Client id> key=<Your API Key> authfile=/etc/yubikey debug

For example:

auth sufficient pam_yubico.so id=3476 key=WHvkp47s6INISPMIIzKNkYDip39I= authfile=/etc/yubikey debug

We hope this helps!

Feel free to write back in case you face any problems or have further queries.

Great, that took care of the bad signature problem. Now I am reciving this message:

[pam_yubico.c:pam_sm_authenticate(537)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: YKDB
[pam_yubico.c:pam_sm_authenticate(564)] Yubikey not authorized to login as user
[pam_yubico.c:pam_sm_authenticate(579)] done. [Authentication service cannot retrieve authentication info]

From the error message, it seems that the user name and YubiKey ID mapping is wrong in the mapping file.

We would appreciate if you can make a correct user name and YubiKey ID mapping in the mapping file as follows and try again:

<user name>:<YubiKey ID (First 12 characters of the YubiKey OTP)>

We hope this helps!

That worked =D

I also had to

chmod g+rw /etc/yubikey

chmod g+s /sbin/yk_chkpwd


Thanks,
Koneko