Yubico Forum https://forum.yubico.com/ |
Yubico PAM Module issues https://forum.yubico.com/viewtopic.php?f=5&t=594 |
Author: | exiva [ Mon Nov 08, 2010 8:59 pm ] |
Post subject: | Yubico PAM Module issues |
I'm trying to set up my Yubikey on a test VMWare Image. It's Ubuntu 10.10...

Code:
$ uname -a
Linux ubuntu 2.6.35-22-server #33-Ubuntu SMP Sun Sep 19 20:48:58 UTC 2010 x86_64 GNU/Linux

I've edited the following files.

/etc/pam.d/sshd
Code:
# PAM configuration for the Secure Shell service
# YubiKey Configuration
auth required pam_yubico.so id=16 debug
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password

/etc/ssh/sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Using this config, in the /var/run/pam-debug.txt I can see my yubico authenticates against the server fine.

/var/run/pam-debug.txt
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 2
[pam_yubico.c:parse_cfg(407)] argv[0]=id=16
[pam_yubico.c:parse_cfg(407)] argv[1]=debug
[pam_yubico.c:parse_cfg(408)] id=16
[pam_yubico.c:parse_cfg(409)] key=(null)
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=(null)
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: exiva
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: xyz
[pam_yubico.c:pam_sm_authenticate(558)] OTP: xyz ID: xyz
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: exiva:xyz
[pam_yubico.c:check_user_token(121)] Matched user: exiva
[pam_yubico.c:check_user_token(125)] Authorization token: xyz
[pam_yubico.c:check_user_token(128)] Match user/token as exiva/xyz
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]

But, my system kicks me out.

Code:
[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
Yubikey for `exiva':
Password:
Read from remote host 192.168.1.110: Connection reset by peer
Connection to 192.168.1.110 closed.

and throws in my /var/log/auth.log

Code:
Nov 7 06:18:18 ubuntu sshd[15762]: Accepted keyboard-interactive/pam for exiva from 192.168.1.35 port 54179 ssh2
Nov 7 06:18:18 ubuntu sshd[15762]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials

I'm not sure what I'm missing, or what part I've skipped. But maybe someone has run into this issue before?
Author: | samir [ Thu Nov 11, 2010 11:45 am ] |
Post subject: | Re: Yubico PAM Module issues |
Please follow steps below to fix this:
2) Append try_first_pass parameter to the pam_unix.so module to authenticate the user with password passed from the preceding auth module.

3) The /etc/pam.d/common-auth looks like below after editing:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so try_first_pass nullok_secure debug

b) /etc/ssh/sshd_config

Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config”

Please note that this configuration is from a Debian system but we hope this should work with the Ubuntu as well.

We hope this helps!
Author: | exiva [ Thu Nov 11, 2010 12:04 pm ] |
Post subject: | Re: Yubico PAM Module issues |
I've done the following:

edited /etc/ssh/sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

and edited /etc/pam.d/common-auth
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Now it won't even ask me for the yubico password, it just asks for my unix login, and says it's wrong while dumping this into auth.log

/var/log/auth.log
Code:
Nov 11 05:57:19 ubuntu sshd[1104]: Failed password for exiva from 192.168.1.35 port 61928 ssh2
Author: | samir [ Thu Nov 11, 2010 3:17 pm ] |
Post subject: | Re: Yubico PAM Module issues |
When the SSH daemon asks for the password, you need to first provide your password and then append the YubiKey OTP. So, when you try to login through SSH, first provide your username and press enter. At the password prompt, first provide your password and then append the YubiKey OTP to the password, press enter and try to log-in.

We hope this helps!
Author: | exiva [ Thu Nov 11, 2010 10:38 pm ] |
Post subject: | Re: Yubico PAM Module issues |
Previously the login method would be...

[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
Yubikey for `exiva':
Password:
Read from remote host 192.168.1.110: Connection reset by peer
Connection to 192.168.1.110 closed.

Now it's just

[Travis-La-Marrs-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
exiva@192.168.1.110's password:
Permission denied, please try again.
Author: | samir [ Thu Nov 18, 2010 6:54 am ] |
Post subject: | Re: Yubico PAM Module issues |
We installed and configured the Yubico PAM module on Ubuntu 10.10 server 64 bit edition for ssh access and we were able to successfully login to the server through SSH using a YubiKey. Here is our configuration:
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

2) /etc/pam.d/sshd:
Code:
# PAM configuration for the Secure Shell service
# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_yubico.so id=4233 key=H9xX7BeTIbhYK3xCb/PSEeRVNvY= authfile=/etc/yubikeyid debug
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale
# Standard Un*x authentication.
@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
# Standard Un*x authorization.
@include common-account
# Standard Un*x session setup and teardown.
@include common-session
# Print the message of the day upon successful login.
session optional pam_motd.so # [1]
# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple
# Standard Un*x password updating.
@include common-password

3) /etc/pam.d/common-auth:
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

From your sshd_config file, just remove the comment from PasswordAuthentication yes so that this setting can be processed by the sshd daemon.

We hope this helps!
Author: | exiva [ Thu Nov 18, 2010 8:05 am ] |
Post subject: | Re: Yubico PAM Module issues |
Thank you for your help, samir. I've done the following and can't get a login.

Started fresh Ubuntu 10.10 64bit. Enabled SSH in the initial setup screens.

apt-get install autoconf
apt-get install libtool
apt-get install libcurl4-openssl-dev
$ wget http://yubico-c-client.googlecode.com/f ... 2.3.tar.gz
$ tar -zxvf ykclient-2.3.tar.gz
$ autoreconf --install
$ ./configure
$ sudo make check install
$ wget http://yubico-pam.googlecode.com/files/ ... 2.5.tar.gz
$ tar -zxvf pam_yubico-2.5.tar.gz
$ autoreconf --install
$ ./confgure
$ sudo apt-get install libpam-dev
$ ./configure
$ sudo make check install
$ sudo cp /usr/local/lib/security/pam_yubico.so /lib/security/
$ sudo nano /etc/pam.d/common-auth
Edit line 17
Change
auth [success=1 default=ignore] pam_unix.so nullok_secure
to
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug
Save, exit.
$ sudo nano /etc/pam.d/sshd
add
auth required pam_yubico.so id=1234 key=xyz authfile=/etc/yubikeyid debug
to the beginning of the file
save, exit
$ sudo nano /etc/ssh/sshd_config
Copypasted the sshd_config from the post above.
$ sudo /etc/yubikeyid
add
exiva:vvfgjxxxxxxx
save,exit
$ sudo /etc/init.d/ssh restart
$ touch /var/run/pam-debug.log
$ chmod go+w /var/run/pam-debug.log
$ tail -f /var/run/pam-debug.log

Results in:

[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
exiva@192.168.1.110's password: testingpassword
Permission denied, please try again.

With
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=1234
[pam_yubico.c:parse_cfg(407)] argv[1]=key=xyz
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(407)] argv[3]=debug
[pam_yubico.c:parse_cfg(408)] id=1234
[pam_yubico.c:parse_cfg(409)] key=xyz
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: exiva
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: testingpassword
[pam_yubico.c:pam_sm_authenticate(550)] OTP too short: testingpassword
[pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure]

in the pam-debug file. It seems to be passing my linux password over to the yubico module. (Of course I don't have my ID, key, and yubico ID set to random values.)
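
Added example, not part of the posts above: the debug file created by these steps records whatever is typed at the password prompt along with the API key, and `chmod go+w` makes it writable by every local user. The Python below redacts those fields before a log is shared and flags loose file modes; the function names, sample log lines and values are constructed for illustration.

```python
import re
import stat

# Values that run to end of line: whatever was typed at the prompt.
_TYPED = re.compile(r"(conv returned: |OTP too short: |Password: ).+$")
# Single-word secrets: the one-time password and the API key.
# "key=(null)" carries no secret and is left alone.
_WORD = re.compile(r"(\bOTP: |\bkey=)(?!\(null\))\S+")


def redact(log_text):
    """Return (redacted_text, number_of_fields_replaced)."""
    out, total = [], 0
    for line in log_text.splitlines():
        line, n_typed = _TYPED.subn(r"\1<redacted>", line)
        line, n_word = _WORD.subn(r"\1<redacted>", line)
        out.append(line)
        total += n_typed + n_word
    return "\n".join(out), total


def mode_findings(st_mode):
    """List problems with the debug file's permission bits (from os.stat)."""
    findings = []
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other (the effect of chmod go+w)")
    if st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other: typed passwords are exposed")
    return findings


# Constructed log in the format shown above; none of these values are real.
SAMPLE_LOG = """\
[pam_yubico.c:parse_cfg(407)] argv[1]=key=Q09OU1RSVUNURUQ=
[pam_yubico.c:parse_cfg(409)] key=Q09OU1RSVUNURUQ=
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: hunter2ccccccccccbbdefghijklnrtuvcbdefghijklnrtuvcb
[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccccbbdefghijklnrtuvcbdefghijklnrtuvcb ID: ccccccccccbb
[pam_yubico.c:pam_sm_authenticate(567)] Password: hunter2
"""

if __name__ == "__main__":
    clean, count = redact(SAMPLE_LOG)
    print(clean)
    print(f"{count} fields redacted")
    # 0o100666 is a regular file after "touch" (umask 022) plus "chmod go+w".
    for finding in mode_findings(0o100666):
        print("mode:", finding)
```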
Author: | samir [ Thu Nov 18, 2010 1:41 pm ] |
Post subject: | Re: Yubico PAM Module issues |
From the PAM debug file, it seems that you are not providing the YubiKey OTP after your password. For testing we have created a user "test" with password "test". We tried to login to the server as follows:

Code:
# ssh test@testserver
test@testserver's password:testvvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj
Linux ubuntu 2.6.35-22-server #35-Ubuntu SMP Sat Oct 16 22:02:33 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.10
Welcome to the Ubuntu Server!
* Documentation: http://www.ubuntu.com/server/doc
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Thu Nov 18 18:13:22 2010 from
Could not chdir to home directory /home/test: No such file or directory
$

Here is the PAM log file, when we successfully logged into the server through SSH using a YubiKey:

Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=4233
[pam_yubico.c:parse_cfg(407)] argv[1]=key=H9xX7BeTIbhYK3xCb/PSEeRVNvY=
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(407)] argv[3]=debug
[pam_yubico.c:parse_cfg(408)] id=4233
[pam_yubico.c:parse_cfg(409)] key=H9xX7BeTIbhYK3xCb/PSEeRVNvY=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: test
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: testvvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj
[pam_yubico.c:pam_sm_authenticate(558)] OTP: vvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj ID: vvkruhcbfvre
[pam_yubico.c:pam_sm_authenticate(567)] Password: test
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: test:vvkruhcbfvre
[pam_yubico.c:check_user_token(121)] Matched user: test
[pam_yubico.c:check_user_token(125)] Authorization token: vvkruhcbfvre
[pam_yubico.c:check_user_token(128)] Match user/token as test/vvkruhcbfvre
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
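
Added example, not part of the posts above and not pam_yubico's own code: how the single password field shown in this log is split into password, OTP and token ID, and how the token ID is then matched against the authfile. The 44 and 12 character lengths are read off the debug log above; the function names, the modhex alphabet check and the sample data are additions, and the online OTP validation (the ykclient step) is not performed.

```python
"""Local steps of a login when password and OTP share one prompt."""

OTP_LEN = 44        # length of the "OTP:" value in the debug log above
TOKEN_ID_LEN = 12   # length of the "ID:" value in the debug log above
MODHEX = set("cbdefghijklnrtuv")  # alphabet a YubiKey types; check added here


class OtpTooShort(ValueError):
    """Input cannot contain an OTP (the log's 'OTP too short' case)."""


def split_credential(typed):
    """Return (password, otp, token_id) from what was typed at the prompt."""
    if len(typed) < OTP_LEN:
        raise OtpTooShort(f"need at least {OTP_LEN} characters, got {len(typed)}")
    password, otp = typed[:-OTP_LEN], typed[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        raise ValueError(f"last {OTP_LEN} characters are not modhex")
    return password, otp, otp[:TOKEN_ID_LEN]


def token_allowed(authfile_text, user, token_id):
    """Match user and token ID against 'user:token[:token...]' authfile lines."""
    for line in authfile_text.splitlines():
        name, _, tokens = line.strip().partition(":")
        if name == user and token_id in tokens.split(":"):
            return True
    return False


def diagnose(user, typed, authfile_text):
    """Explain, without contacting any server, what the module would see."""
    try:
        password, _otp, token_id = split_credential(typed)
    except OtpTooShort:
        return "OTP too short: only a password was typed, append the OTP to it"
    except ValueError as exc:
        return f"rejected: {exc}"
    if not token_allowed(authfile_text, user, token_id):
        return f"token {token_id} is not mapped to {user} in the authfile"
    left = "a password" if password else "no password"
    return f"token {token_id} mapped to {user}; {left} is left for pam_unix"


# Constructed sample data (not real credentials or tokens).
SAMPLE_AUTHFILE = "alice:ccccccccccbb\nbob:ccccccccccdd:ccccccccccee\n"
SAMPLE_OTP = "ccccccccccbb" + "defghijklnrtuvcb" * 2

if __name__ == "__main__":
    for typed in ("hunter2", "hunter2" + SAMPLE_OTP, SAMPLE_OTP):
        print(diagnose("alice", typed, SAMPLE_AUTHFILE))
```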
Author: | exiva [ Thu Nov 18, 2010 9:17 pm ] |
Post subject: | Re: Yubico PAM Module issues |
Oh. Didn't know to put the OTP in the regular password field. When I was first setting it up it would ask me for the OTP on a separate login section. That's why I was confused. But, it's all working now. Thanks again!
Author: | cdrescher [ Fri May 12, 2017 10:40 am ] |
Post subject: | Re: Yubico PAM Module issues |
Hey guys,

How can I make the yubikey pam module log my used otp? I don't get the pam yubikey debug information at all. Only the usual sshd debug information.

Thank you in advance.

Cheers,
Chris
All times are UTC + 1 hour