Hi
I just got my YubiKey, and I would like to know if it's possible to have a 3-step identification:
- login (not always a dependent step, because the ssh client could tacitly send the username)
- Password
- OTP
Currently, my YubiKey is working great with yubico-pam on Debian stable, but the OTP has to be concatenated with the password (I enter my username, press Enter, enter my password, press the YubiKey).
I'm using:
- Debian stable (5.0.8)
- OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
- Ykclient 2.3
- pam-yubiko 2.5
- In /etc/pam.d/sshd:
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings
- In /etc/yubikey_mappings:
<myusername>:<Token ID>
- In /etc/pam.d/common-auth:
Code:
auth [success=1 default=ignore] pam_unix.so nullok_secure debug try_first_pass
- In /etc/ssh/sshd_config:
Code:
PasswordAuthentication yes
ChallengeResponseAuthentication no
I tried to set
Code:
ChallengeResponseAuthentication yes
The ssh login asks for my credentials in 3 steps, but it's not working:
Code:
meepmeep@Marvin:~$ ssh dev.box
Yubikey for `meepmeep':
Password:
Read from remote host dev.box: Connection reset by peer
Connection to dev.box closed.
Debug file:
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: -1216685976
Finally, I tried to put the line
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings
at the end of /etc/pam.d/sshd (so the OTP is asked for after my password). I get the same error on the client side (connection closed), and I get this debug file:
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: 0
(The last "retval" is different, but I don't know what it means!)
I'm open to any ideas.
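To make the two local steps visible in the debug log above concrete (splitting a concatenated "password then OTP" entry, and matching the OTP's public ID against a user line in the authfile, the check_user_token step), here is an added Python example. It is not code from the original post or from yubico-pam. The OTP layout it assumes is the default one (44 modhex characters: a 12-character public ID followed by a 32-character encrypted block); the sample OTP, the sample authfile and the function names are constructed for illustration, and the cryptographic validation that ykclient performs against the validation server is deliberately not modeled.

```python
import re

# Yubico OTP layout assumed here (default configuration): 44 modhex characters,
# the first 12 being the key's public ID and the remaining 32 the encrypted block.
MODHEX = "cbdefghijklnrtuv"
OTP_LEN = 44
PUBLIC_ID_LEN = 12

# Matches a 44-character modhex run anchored at the end of the string.
_OTP_AT_END = re.compile(rf"[{MODHEX}]{{{OTP_LEN}}}$")

# Constructed sample data (not real keys): one OTP and an authfile in the
# "user:tokenid[:tokenid...]" form shown in the post for /etc/yubikey_mappings.
SAMPLE_OTP = "cccccccbhgue" + "vcutccutjtggbgnjjcgjbjlncudivkvl"
SAMPLE_AUTHFILE = """\
# user:tokenid[:tokenid...]
meepmeep:cccccccbhgue
alice:ccccccdkvvrn:ccccccehfeif
"""


def split_password_otp(secret):
    """Split "password followed by OTP" into (password, otp).

    This mirrors the concatenated entry the post describes (type the password,
    then touch the key). If no 44-character modhex run ends the string, the
    whole input is treated as the password and otp is None.
    """
    m = _OTP_AT_END.search(secret)
    if m is None:
        return secret, None
    return secret[:m.start()], m.group(0)


def public_id(otp):
    """The public ID is the fixed prefix that the authfile maps to a user."""
    return otp[:PUBLIC_ID_LEN]


def parse_authfile(text):
    """Parse authfile lines into {user: set_of_public_ids}; '#' lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, set()).update(i for i in ids if i)
    return mapping


def user_owns_token(mapping, user, otp):
    """The check_user_token step in the log: does this user map to this OTP's ID?"""
    return public_id(otp) in mapping.get(user, set())


def check_login(user, secret, authfile_text):
    """Run the two local steps and report what the next module would receive.

    Status values: "no_otp" (nothing to validate), "token_not_mapped" (OTP came
    from a key not listed for this user), "ok" (public ID matches; the OTP's
    cryptographic validity would still have to be confirmed by ykclient, and the
    remaining password by pam_unix, neither of which is modeled here).
    """
    password, otp = split_password_otp(secret)
    if otp is None:
        return {"status": "no_otp", "password": password, "otp": None}
    if not user_owns_token(parse_authfile(authfile_text), user, otp):
        return {"status": "token_not_mapped", "password": password, "otp": otp}
    return {"status": "ok", "password": password, "otp": otp}


if __name__ == "__main__":
    for user, secret in [("meepmeep", "hunter2" + SAMPLE_OTP),
                         ("alice", "pw" + SAMPLE_OTP),
                         ("meepmeep", "hunter2")]:
        print(user, check_login(user, secret, SAMPLE_AUTHFILE)["status"])
```

One thing the split makes obvious: a password whose last 44 characters all happen to be modhex letters is indistinguishable from "password + OTP" in the concatenated scheme, so the split is a heuristic rather than a parse. Prompting for the OTP separately, as the post is trying to do, removes that ambiguity.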