Yubico Forum
https://forum.yubico.com/

YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"
https://forum.yubico.com/viewtopic.php?f=5&t=2475

Author:  oyla [ Thu Nov 03, 2016 4:10 pm ]
Post subject:  YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

I run Ubuntu 14.04. I've installed the KSM and VAL services and managed to get them to work with ykclient from the client.

I've also tested LDAP by using the YubiCloud service for one of my keys, in which the PAM module looked up the Yubikey ID for each user using the standard Yubikey LDAP schema from https://github.com/mludvig/yubikey-ldap. This authentication method worked.

ykclient is perfectly capable of validating keys and KSM and VAL are working as intended.

However I can not make yubico_pam.so authenticate using the same parameters as I use for ykclient when I combine VAL verification and LDAP lookups. I am convinced the fault here is not in the LDAP end of things, but rather in (another) undocumented feature of the KSM/VAL chain.

I use this line in /etc/pam.d/sshd:

Code:
auth required pam_yubico.so id=1 key=<generated with ykgen-client> urllist=http://<url verified with ykclient> ldap_uri=ldap://<ldap-server> ldapdn=<dn> user_attr=cn yubi_attr=yubiKeyId token_id_length=12 ldapcacertfile=/<working cafile> mode=client debug



The debug log outputs this for an attempted authentication:

Code:
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 11
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=1
[../pam_yubico.c:parse_cfg(764)] argv[1]=key=<keystring>
[../pam_yubico.c:parse_cfg(764)] argv[2]=urllist=<VAL server>
[../pam_yubico.c:parse_cfg(764)] argv[3]=ldap_uri=<ldapuri>
[../pam_yubico.c:parse_cfg(764)] argv[4]=ldapdn=<mydn>
[../pam_yubico.c:parse_cfg(764)] argv[5]=user_attr=cn
[../pam_yubico.c:parse_cfg(764)] argv[6]=yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(764)] argv[7]=token_id_length=12
[../pam_yubico.c:parse_cfg(764)] argv[8]=ldapcacertfile=<ldap-cafile>
[../pam_yubico.c:parse_cfg(764)] argv[9]=mode=client
[../pam_yubico.c:parse_cfg(764)] argv[10]=debug
[../pam_yubico.c:parse_cfg(765)] id=1
[../pam_yubico.c:parse_cfg(766)] key=<keystring>
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=(null)
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=ldap://<ldap-server>
[../pam_yubico.c:parse_cfg(775)] ldapdn=<dn>
[../pam_yubico.c:parse_cfg(776)] user_attr=cn
[../pam_yubico.c:parse_cfg(777)] yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: oyla
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 56 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 12 bytes. Length is 56, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: <full key> ID: <public part>
[../pam_yubico.c:pam_sm_authenticate(969)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
^C


I find it rather odd that ykclient works while the PAM module does not. The values are all the same. I tried the Ubuntu-supplied PAM module from APT as well as building my own from Git, with no luck. Any idea where to start? I didn't even know there was a server key to begin with, but then again, this wouldn't be my first time being surprised at something missing from the Yubico docs.

Thanks for any input.
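The signature the module reports as invalid is the HMAC-SHA1 that a validation server computes over its own response with the base64-decoded API key registered for the client id; the client recomputes it and compares. The following is an added example, not code from this thread or from pam_yubico/ykclient, that performs that check on a constructed API key and response; a client configured with a key that differs from the one the server holds for that id gets exactly this failure.

```python
import base64
import hashlib
import hmac

# Constructed sample API key in the base64 form that both the validation
# server and the client hold for a given client id; not a real key.
API_KEY_B64 = "dGhpcyBpcyBhIHRlc3Qga2V5ISE="

# Constructed response fields; the otp is a placeholder, not a real credential.
SAMPLE_FIELDS = {
    "t": "2016-11-03T15:10:00Z0000",
    "otp": "cccccccccccccccccccccccccccccccccccccccccccc",
    "nonce": "0123456789abcdef0123456789abcdef",
    "sl": "100",
    "status": "OK",
}

def parse_response(body: str) -> dict:
    """Parse the key=value lines of a validation server reply."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            fields[k] = v
    return fields

def signing_string(fields: dict) -> str:
    """Fields sorted by key, joined with '&', with h itself left out."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")

def compute_signature(fields: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over the signing string, keyed with the decoded API key."""
    key = base64.b64decode(api_key_b64)
    mac = hmac.new(key, signing_string(fields).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_signed_response(fields: dict, api_key_b64: str) -> str:
    """What a validation server sends: the fields plus a matching h line."""
    lines = [f"h={compute_signature(fields, api_key_b64)}"]
    lines += [f"{k}={v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n"

def verify_response(body: str, api_key_b64: str) -> bool:
    """Client-side check; False is what pam_yubico reports as BAD_SERVER_SIGNATURE."""
    fields = parse_response(body)
    if "h" not in fields:
        return False
    return hmac.compare_digest(compute_signature(fields, api_key_b64), fields["h"])
```

A response that verifies under one key fails under any other, and any field edited after signing (the status, for instance) fails under the right key too.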

Author:  oyla [ Thu Nov 03, 2016 5:32 pm ]
Post subject:  Re: YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

Digging further, I only now notice (I blame a full brain) that only ykclient runs show up in the ykval server access logs - the PAM module does not even contact the validation server at all. Tcpdump comparing ykclient vs. PAM module runs further confirms this.

I am at this point somewhat less than favourably impressed at the logging facilities of the PAM module.

Author:  oyla [ Fri Nov 04, 2016 1:03 pm ]
Post subject:  Re: YKVAL+YKKSM+YKPAM+LDAP -> "BAD_SERVER_SIGNATURE"

Scratching the test client and starting from zero again fixed it nicely. Probably some residual state somewhere from hours of experimenting.
