Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:50 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: Yubico PAM Module issues
PostPosted: Mon Nov 08, 2010 8:59 pm 
Offline

Joined: Fri Nov 05, 2010 10:47 pm
Posts: 5
I'm trying to setup my Yubikey on a test VMWare Image.

It's Ubuntu 10.10...
Code:
$ uname -a
Linux ubuntu 2.6.35-22-server #33-Ubuntu SMP Sun Sep 19 20:48:58 UTC 2010 x86_64 GNU/Linux

I've edited the following files.

/etc/pam.d/sshd
Code:
# PAM configuration for the Secure Shell service

# YubiKey Configuration
auth   required   pam_yubico.so id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password


/etc/ssh/sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile   %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication yes

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


Using this config, in the /var/run/pam-debug.txt I can see my yubico authenticates against the server fine.

/var/run/pam-debug.txt
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 2
[pam_yubico.c:parse_cfg(407)] argv[0]=id=16
[pam_yubico.c:parse_cfg(407)] argv[1]=debug
[pam_yubico.c:parse_cfg(408)] id=16
[pam_yubico.c:parse_cfg(409)] key=(null)
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=(null)
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: exiva
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: xyz
[pam_yubico.c:pam_sm_authenticate(558)] OTP: xyz ID: xyz
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: exiva:xyz
[pam_yubico.c:check_user_token(121)] Matched user: exiva
[pam_yubico.c:check_user_token(125)] Authorization token: xyz
[pam_yubico.c:check_user_token(128)] Match user/token as exiva/xyz
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]


But, my system kicks me out.
Code:
[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
Yubikey for `exiva':
Password:
Read from remote host 192.168.1.110: Connection reset by peer
Connection to 192.168.1.110 closed.

and throws in my /var/log/auth.log
Code:
Nov  7 06:18:18 ubuntu sshd[15762]: Accepted keyboard-interactive/pam for exiva from 192.168.1.35 port 54179 ssh2
Nov  7 06:18:18 ubuntu sshd[15762]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials


I'm not sure what I'm missing, or what part I've skipped. But maybe someone has run into this issue before?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Nov 11, 2010 11:45 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Please follow steps below to fix this:

    a) /etc/pam.d/common-auth:

      1) Edit /etc/pam.d/common-auth
      2) Append try_first_pass parameter to the pam_unix.so module to authenticate the user with password passed from the preceding auth module.
      3) The /etc/pam.d/common-auth looks like below after editing:

      #
      # /etc/pam.d/common-auth - authentication settings common to all services
      #
      # This file is included from other service-specific PAM config files,
      # and should contain a list of the authentication modules that define
      # the central authentication scheme for use on the system
      # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
      # traditional Unix authentication mechanisms.
      #
      auth required pam_unix.so try_first_pass nullok_secure debug

    b) /etc/ssh/sshd_config

    Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config”

Please note that this configuration is from a Debian system but we hope this should work with the Ubuntu as well.

We hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 11, 2010 12:04 pm 
Offline

Joined: Fri Nov 05, 2010 10:47 pm
Posts: 5
I've done the following:

edited /etc/ssh/sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile   %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


and

edited /etc/pam.d/common-auth
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth   [success=1 default=ignore]   pam_unix.so try_first_pass nullok_secure
# here's the fallback if no module succeeds
auth   requisite         pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth   required         pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config


Now it won't even ask me for the yubico password, it just asks for my unix login, and says it's wrong while dumping this into auth.log

/var/log/auth.log
Code:
Nov 11 05:57:19 ubuntu sshd[1104]: Failed password for exiva from 192.168.1.35 port 61928 ssh2


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 11, 2010 3:17 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
When the SSH daemon asks for the password, you need to first provide your password and then append the YubiKey OTP.

So, when you try to login through SSH, first provide your username and press enter. At the password prompt, first provide your password and then append the YubiKey OTP to the password, press enter and try to log-in.

We hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 11, 2010 10:38 pm 
Offline

Joined: Fri Nov 05, 2010 10:47 pm
Posts: 5
Previously the login method would be...

[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
Yubikey for `exiva':
Password:
Read from remote host 192.168.1.110: Connection reset by peer
Connection to 192.168.1.110 closed.

Now it's just

[Travis-La-Marrs-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
exiva@192.168.1.110's password:
Permission denied, please try again.


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 18, 2010 6:54 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
We installed and configured the Yubico PAM module on Ubuntu 10.10 server 64 bit edition for ssh access and we were able to successfully login to the server through SSH using a YubiKey.

Here is our configuration:

    1) /etc/ssh/sshd_config:

    Code:
    # Package generated configuration file
    # See the sshd_config(5) manpage for details

    # What ports, IPs and protocols we listen for
    Port 22
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes

    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768

    # Logging
    SyslogFacility AUTH
    LogLevel INFO

    # Authentication:
    LoginGraceTime 120
    PermitRootLogin yes
    StrictModes yes

    RSAAuthentication yes
    PubkeyAuthentication yes
    #AuthorizedKeysFile     %h/.ssh/authorized_keys

    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    RhostsRSAAuthentication no
    # similar for protocol version 2
    HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes

    # GSSAPI options
    #GSSAPIAuthentication no

    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no

    #MaxStartups 10:30:60
    #Banner /etc/issue.net

    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*

    Subsystem sftp /usr/lib/openssh/sftp-server

    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication.  Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
                                   


    2) /etc/pam.d/sshd:

    Code:
    # PAM configuration for the Secure Shell service

    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.

    auth required pam_yubico.so id=4233 key=H9xX7BeTIbhYK3xCb/PSEeRVNvY= authfile=/etc/yubikeyid debug



    auth       required     pam_env.so # [1]
    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    auth       required     pam_env.so envfile=/etc/default/locale

    # Standard Un*x authentication.
    @include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account    required     pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    # account  required     pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    session    optional     pam_motd.so # [1]

    # Print the status of the user's mailbox upon successful login.
    session    optional     pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session    required     pam_limits.so

    # Set up SELinux capabilities (need modified pam)
    # session  required     pam_selinux.so multiple

    # Standard Un*x password updating.
    @include common-password


    3) /etc/pam.d/common-auth:

    Code:
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules.  See
    # pam-auth-update(8) for details.

    # here are the per-package modules (the "Primary" block)
    auth    [success=1 default=ignore]      pam_unix.so try_first_pass nullok_secure debug
    # here's the fallback if no module succeeds
    auth    requisite                       pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required                        pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config


From your sshd_config file, just remove the comment from PasswordAuthentication yes so that this setting can be processed by the sshd daemon.

We hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 18, 2010 8:05 am 
Offline

Joined: Fri Nov 05, 2010 10:47 pm
Posts: 5
Thank you for your help, samir.

I've done the following and can't get a login.

Started fresh Ubuntu 10.10 64bit. Enabled SSH in the initial setup screens.

apt-get install autoconf
apt-get install libtool
apt-get install libcurl4-openssl-dev

$ wget http://yubico-c-client.googlecode.com/f ... 2.3.tar.gz
$ tar -zxvf ykclient-2.3.tar.gz
$ autoreconf --install
$ ./configure
$ sudo make check install


$ wget http://yubico-pam.googlecode.com/files/ ... 2.5.tar.gz
$ tar -zxvf pam_yubico-2.5.tar.gz
$ autoreconf --install
$ ./confgure
$ sudo apt-get install libpam-dev
$ ./configure
$ sudo make check install

$ sudo cp /usr/local/lib/security/pam_yubico.so /lib/security/
$ sudo nano /etc/pam.d/common-auth

Edit line 17

Change

auth [success=1 default=ignore] pam_unix.so nullok_secure
to
auth [success=1 default=ignore] pam_unix.so try_first_pass nullok_secure debug

Save, exit.

$ sudo nano /etc/pam.d/sshd

add

auth required pam_yubico.so id=1234 key=xyz authfile=/etc/yubikeyid debug

to the beginning of the file

save, exit

$ sudo nano /etc/ssh/sshd_config

Copypasted the sshd_config from the post above.

$ sudo /etc/yubikeyid
add exiva:vvfgjxxxxxxx
save,exit

$ sudo /etc/init.d/ssh restart
$ touch /var/run/pam-debug.log
$ chmod go+w /var/run/pam-debug.log
$ tail -f /var/run/pam-debug.log

Results in:

[Travis-MacBook-Pro:~] travis% ssh exiva@192.168.1.110
exiva@192.168.1.110's password: testingpassword
Permission denied, please try again.

With
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=1234
[pam_yubico.c:parse_cfg(407)] argv[1]=key=xyz
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(407)] argv[3]=debug
[pam_yubico.c:parse_cfg(408)] id=1234
[pam_yubico.c:parse_cfg(409)] key=xyz
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: exiva
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: testingpassword
[pam_yubico.c:pam_sm_authenticate(550)] OTP too short: testingpassword
[pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure]


in the pam-debug file.

It seems to be passing my linux password over to the yubico module. (Of course I don't have my ID, key, and yubico ID set to random values.)


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 18, 2010 1:41 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
From the PAM debug file, it seems that you are not providing the YubiKey OTP after your password.

For testing we have created a user "test" with password "test".

We tried to login to the server as follows:

Code:
# ssh test@testserver
test@testserver's password:testvvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj
Linux ubuntu 2.6.35-22-server #35-Ubuntu SMP Sat Oct 16 22:02:33 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.10

Welcome to the Ubuntu Server!
 * Documentation:  http://www.ubuntu.com/server/doc

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Nov 18 18:13:22 2010 from
Could not chdir to home directory /home/test: No such file or directory
$



Here is the PAM log file, when we successfully logged into the server through SSH using a YubiKey:

Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=4233
[pam_yubico.c:parse_cfg(407)] argv[1]=key=H9xX7BeTIbhYK3xCb/PSEeRVNvY=
[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(407)] argv[3]=debug
[pam_yubico.c:parse_cfg(408)] id=4233
[pam_yubico.c:parse_cfg(409)] key=H9xX7BeTIbhYK3xCb/PSEeRVNvY=
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: test
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: testvvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj
[pam_yubico.c:pam_sm_authenticate(558)] OTP: vvkruhcbfvrefbjfgdttjcncujhfeehjdigrdrktfebj ID: vvkruhcbfvre
[pam_yubico.c:pam_sm_authenticate(567)] Password: test
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: test:vvkruhcbfvre
[pam_yubico.c:check_user_token(121)] Matched user: test
[pam_yubico.c:check_user_token(125)] Authorization token: vvkruhcbfvre
[pam_yubico.c:check_user_token(128)] Match user/token as test/vvkruhcbfvre
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 18, 2010 9:17 pm 
Offline

Joined: Fri Nov 05, 2010 10:47 pm
Posts: 5
Oh. :roll: Didn't know to put the OTP in the regular password field. When I was first setting it up it would ask me for the OTP on a separate login section. That's why I was confused. But, it's all working now. Thanks again!


Top
 Profile  
Reply with quote  
PostPosted: Fri May 12, 2017 10:40 am 
Offline

Joined: Wed May 10, 2017 2:13 pm
Posts: 2
Hey guys

How can I make the yubikey pam module logging my used otp?
I don't get the pam yubikey debug information at all. Only the usual sshd debug information.

Thank you in advance.

Cheers,
Chris


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group