Yubico Forum

Posted: Tue Jul 08, 2014 10:20 am
Hi,

I want to use the pam_yubico module with two-factor SSH authentication.

Here is my configuration:

Code:
auth requisite pam_yubico.so id=1 urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify authfile=/etc/yubikey_mappings/authorized_yubikeys debug


Two instances of yubico-serve run on the hajvmyk01 server. TFA for SSH is configured on hajvmyk02 (the client).

Currently http://hajvmyk01:8000/wsapi/2.0/verify is not reachable. (HA failure test).

So if I log in to the client, the login succeeds, but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]


Authentication failure.

Another login fails but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultdgngcbedjirtfuncljkinvjjktktuccc ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(222)] Using system-wide auth_file /etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:check_user_token(179)] Authorization line: root:vvuficteuult
[pam_yubico.c:check_user_token(183)] Matched user: root
[pam_yubico.c:check_user_token(188)] Authorization token: vvuficteuult
[pam_yubico.c:check_user_token(191)] Match user/token as root/vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Success]


Success.

The 3rd try is a little bit strange; it times out.

Log:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK


The urllist parameter has been changed and is not equal to the pam file.

Does anybody know of these problems, or what I misconfigured?

I use Ubuntu 12.04 and the official yubico PPA packages.
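A small audit script, added here as an example (it is not from the post and not part of pam_yubico), that runs over condensed copies of the debug lines quoted above and flags the three things the poster observed: a non-zero ykclient result, an attempt that never reaches a `done.` verdict, and a urllist parsed by the module that differs from the one in the PAM config line. The sample log strings are constructed from the post's output.

```python
import re

# Constructed inputs taken from the post above: the PAM config line and one
# condensed debug-log attempt per scenario (the full parse_cfg dump is omitted).
PAM_LINE = ("auth requisite pam_yubico.so id=1 "
            "urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify "
            "authfile=/etc/yubikey_mappings/authorized_yubikeys debug")

REPLAYED_LOG = """\
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]
"""

TIMEOUT_LOG = """\
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
"""


def pam_option(pam_line, key):
    """Return the value of key=... from a PAM module argument line, or None."""
    m = re.search(rf'(?:^|\s){re.escape(key)}=(\S+)', pam_line)
    return m.group(1) if m else None


def audit_attempt(log_text, pam_line):
    """Return a list of findings for one pam_yubico debug-log authentication attempt."""
    findings = []
    # The urllist the module actually parsed must equal the one configured on disk.
    seen = re.search(r'parse_cfg\(\d+\)\] urllist=(\S+)', log_text)
    if seen and seen.group(1) != pam_option(pam_line, 'urllist'):
        findings.append('urllist_mismatch')
    # Any non-zero ykclient return value (e.g. REPLAYED_OTP) is worth alerting on.
    rc = re.search(r'ykclient return value \((\d+)\): (.*)', log_text)
    if rc and rc.group(1) != '0':
        findings.append('ykclient_error:' + rc.group(2).strip())
    # An attempt without a "done. [...]" line never reached a verdict (e.g. timed out).
    if 'done. [' not in log_text:
        findings.append('no_verdict')
    return findings or ['ok']


if __name__ == '__main__':
    for name, log in (('replayed', REPLAYED_LOG), ('timeout', TIMEOUT_LOG)):
        print(name, audit_attempt(log, PAM_LINE))
```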

