Hi there,
i set up PAM authentication with yubikey following this guide: http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM
It worked first, without setting a password for the specified client-ID (I think the guide is outdated in that point) but stopped working right now.
In the debug Output I see the following error:
Quote:
[pam_yubico.c:parse_cfg(437)] called.
[pam_yubico.c:parse_cfg(438)] flags 1 argc 4
[pam_yubico.c:parse_cfg(440)] argv[0]=id=MYID
[pam_yubico.c:parse_cfg(440)] argv[1]=key=MYKEY
[pam_yubico.c:parse_cfg(440)] argv[2]=authfile=/etc/yk_mapping
[pam_yubico.c:parse_cfg(440)] argv[3]=debug
[pam_yubico.c:parse_cfg(441)] id=MYID
[pam_yubico.c:parse_cfg(442)] key=MYKEY
[pam_yubico.c:parse_cfg(443)] debug=1
[pam_yubico.c:parse_cfg(444)] alwaysok=0
[pam_yubico.c:parse_cfg(445)] verbose_otp=0
[pam_yubico.c:parse_cfg(446)] try_first_pass=0
[pam_yubico.c:parse_cfg(447)] use_first_pass=0
[pam_yubico.c:parse_cfg(448)] authfile=/etc/yk_mapping
[pam_yubico.c:parse_cfg(449)] ldapserver=(null)
[pam_yubico.c:parse_cfg(450)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(451)] ldapdn=(null)
[pam_yubico.c:parse_cfg(452)] user_attr=(null)
[pam_yubico.c:parse_cfg(453)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(454)] url=(null)
[pam_yubico.c:parse_cfg(455)] capath=(null)
[pam_yubico.c:parse_cfg(456)] token_id_length=12
[pam_yubico.c:pam_sm_authenticate(489)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(582)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(600)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(607)] OTP: vvukhfbhndnctgbvjvgnliuviejujjkbfjklnucjbulg ID: vvukhfbhndnc
[pam_yubico.c:pam_sm_authenticate(617)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(633)] ykclient return value (3): Request signature was invalid (BAD_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(675)] done. [Authentication service cannot retrieve authentication info]
[pam_yubico.c:parse_cfg(438)] flags 1 argc 4
[pam_yubico.c:parse_cfg(440)] argv[0]=id=MYID
[pam_yubico.c:parse_cfg(440)] argv[1]=key=MYKEY
[pam_yubico.c:parse_cfg(440)] argv[2]=authfile=/etc/yk_mapping
[pam_yubico.c:parse_cfg(440)] argv[3]=debug
[pam_yubico.c:parse_cfg(441)] id=MYID
[pam_yubico.c:parse_cfg(442)] key=MYKEY
[pam_yubico.c:parse_cfg(443)] debug=1
[pam_yubico.c:parse_cfg(444)] alwaysok=0
[pam_yubico.c:parse_cfg(445)] verbose_otp=0
[pam_yubico.c:parse_cfg(446)] try_first_pass=0
[pam_yubico.c:parse_cfg(447)] use_first_pass=0
[pam_yubico.c:parse_cfg(448)] authfile=/etc/yk_mapping
[pam_yubico.c:parse_cfg(449)] ldapserver=(null)
[pam_yubico.c:parse_cfg(450)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(451)] ldapdn=(null)
[pam_yubico.c:parse_cfg(452)] user_attr=(null)
[pam_yubico.c:parse_cfg(453)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(454)] url=(null)
[pam_yubico.c:parse_cfg(455)] capath=(null)
[pam_yubico.c:parse_cfg(456)] token_id_length=12
[pam_yubico.c:pam_sm_authenticate(489)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(582)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(600)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(607)] OTP: vvukhfbhndnctgbvjvgnliuviejujjkbfjklnucjbulg ID: vvukhfbhndnc
[pam_yubico.c:pam_sm_authenticate(617)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(633)] ykclient return value (3): Request signature was invalid (BAD_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(675)] done. [Authentication service cannot retrieve authentication info]
Anyway, I correctly set up the pam config with a generated api id and key.
Can't get it to work any more
Here are some infos:
OS: OpenSUSE 11.4 (uname output: Linux 85-31-187-128 2.6.37.6-0.9-default #1 SMP 2011-10-19 22:33:27 +0200 x86_64 x86_64 x86_64 GNU/Linux)
Installed PAM module Version: 2.5.99_git201103140807
pam config:
Quote:
auth required pam_yubico.so id=<MYID> key=<MYKEY> authfile=/etc/yk_mapping debug
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
#%PAM-1.0
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
I'm using the online yubico validation service.
Hope you can help me!
Thanks in advance!
All the best,
Julian
