Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:01 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next
Author Message
PostPosted: Fri Jul 11, 2008 12:00 pm 
Offline

Joined: Thu Jul 10, 2008 11:01 pm
Posts: 2
I've got a few problems getting the PAM modules working. SSH seem to manage to authenticate but doesn't log in, FreeRadius just fails with everything (even with alwaysok). I am using Ubuntu for the tests (as I assumed that would be more compatible than Solaris - which is my next platform to test when I get this working...). I have tried both 1.6 and the SVN 1.7 pre-release.

Both seem to output this in my auth.log

Code:
Jul 11 10:13:07 htpc freeradius: PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
Jul 11 10:13:07 htpc freeradius: PAM adding faulty module: /lib/security/pam_yubico.so


Debug when using SSH - I can't get freeradius to create any debug (probably rejects the PAM):
Code:
[pam_yubico.c:pam_sm_authenticate(105)] called.
[pam_yubico.c:pam_sm_authenticate(106)] flags 1 argc 2
[pam_yubico.c:pam_sm_authenticate(108)] argv[0]=id=205
[pam_yubico.c:pam_sm_authenticate(108)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(109)] id=205
[pam_yubico.c:pam_sm_authenticate(110)] debug=1
[pam_yubico.c:pam_sm_authenticate(111)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(122)] get user returned: olebakk
[pam_yubico.c:pam_sm_authenticate(132)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(162)] conv returned: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[pam_yubico.c:pam_sm_authenticate(189)] libyubikey-client return value (0): Success
[pam_yubico.c:pam_sm_authenticate(210)] done. [Success]
[pam_yubico.c:pam_sm_setcred(221)] called.
[pam_yubico.c:pam_sm_setcred(246)] done. [Success]


Here is my FreeRadius log:
Code:
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <olebakk>. Reason: Module is unknown
  modcall[authenticate]: module "pam" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.


FYI: libyubikey-client seems to work just fine.

Any ideas?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Jul 11, 2008 6:49 pm 
Offline

Joined: Sat Jul 05, 2008 9:21 pm
Posts: 10
i'm trying to get the pam module working on etch, and am having problems there. 1.6 and 1.7 don't seem to authenticate (or even prompt), but logins fail when the yubico-pam module is enabled.

debugging doesn't seem to be working either. i've been beating on it for about a day now. did you do anything special to get straight pam without radius running?


Top
 Profile  
Reply with quote  
PostPosted: Sat Jul 12, 2008 6:34 am 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Folks,

Here are some of Yubikey PAM deployment cases with FreeRadius that works. Some requires a bit tweaking:

vpn/deployment_cases/

Thanks for comments

:geek:

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Wed Jul 23, 2008 5:42 pm 
Offline
User avatar

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
From http://code.google.com/p/yubico-pam/wiki/ReadMe
I copy Timm's solution here:

---
Use Yubikey for SSH login

http://code.google.com/p/yubico-pam/wiki/ReadMe

Comment by timm.tem, May 08, 2008

Follow exact same instructions but add

"auth sufficient pam_yubico.so id=16 debug" to

/etc/pam.d/ssh at the top!! and the edit /etc/ssh/sshd_config

and make sure that...

ChallengeResponseAuthentication? yes

UsePAM yes

Not required but good pratice

PermitRootLogin? no

_________________
The YubiKey Server Guy


Top
 Profile  
Reply with quote  
PostPosted: Thu Jul 24, 2008 12:25 pm 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
olebakk wrote:
Code:
Jul 11 10:13:07 htpc freeradius: PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
Jul 11 10:13:07 htpc freeradius: PAM adding faulty module: /lib/security/pam_yubico.so



Does your PAM library have the pam_set_data symbol? This seems like a weird error to me.

olebakk wrote:
Here is my FreeRadius log:
Code:
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <olebakk>. Reason: Module is unknown
  modcall[authenticate]: module "pam" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.



This error seems like it suggests a simple problem: you need a PAM module file "radiusd" or possibly "freeradius". Which name depends on what freeradius uses for PAM module. On my system, it uses "radiusd". So you will have to create a /etc/pam.d/radiusd with the proper PAM content (same as ssh file should work). Does this help?

/Simon


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 19, 2009 2:41 pm 
Offline

Joined: Fri Jan 16, 2009 1:53 pm
Posts: 8
I too have this problem integrating with freeradius and pam
Code:
Jan 19 15:18:01 yubico freeradius: PAM unable to dlopen(/lib/security/pam_yubico.so)
Jan 19 15:18:01 yubico freeradius: PAM [dlerror: /lib/security/pam_yubico.so: undefined symbol: pam_get_item]
Jan 19 15:18:01 yubico freeradius: PAM adding faulty module: /lib/security/pam_yubico.so


I put this in /etc/pam.d/radiusd
Code:
auth required pam_yubico.so id=2 debug authfile=/etc/freeradius/yubico.mapping url=http://10.x.x.x:8180/wsapi/verify?id=%d&otp=%s


I "think" I followed the cookbook on the forum, but ... no luck.
Can someone give me a hint.


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 20, 2009 7:13 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate if you can provide us the following information so that we can try to identify the exact problem and provide a solution:

    1) Operating System details (including distribution, major and minor version, etc.)
    2) FreeRADIUS Server Version
    3) Yubico PAM Version
    4) FreeRADIUS Server Configuration file (radiusd.conf)
    5) FreeRADIUS Clients Configuration file (clients.conf)
    6) FreeRADIUS Users Configuration file (users)
    7) FreeRADIUS Server PAM Configuration file (/etc/pam.d/radiusd)
    8) SELinux Status (enforcing/permissive/disabled)


Top
 Profile  
Reply with quote  
PostPosted: Tue Jan 20, 2009 3:45 pm 
Offline

Joined: Fri Jan 16, 2009 1:53 pm
Posts: 8
I found a way to make it work :
Code:
export LD_PRELOAD=/lib/libpam.so.0.79

not very pretty, but it solves it for the moment.
could it be related with me using debian !?
Code:
Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-22) (dannf@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Tue Jun 17 21:31:27 UTC 2008

So it is just a part of the pam subsystem that is not loaded automagicly. I am not a developer, and not familiar with the pam setup, so - no clue at this time.

But I can continue testing !


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 18, 2009 4:23 pm 
Offline

Joined: Fri Nov 13, 2009 6:35 pm
Posts: 5
so, I realize this is an old topic but I am also having issues integrating PAM and FreeRadius.

I've followed everything in this thread (and searched the forums) but nothing seem to be working.

It looks like FreeRadius is having trouble loading the PAM module. I'm running FreeRadius from the command line so I can see the debug output. The following is the relevant output:

Code:
Info: Found Auth-Type = PAM
Fri Dec 18 10:14:48 2009 : Info: +- entering group authenticate {...}
Fri Dec 18 10:14:48 2009 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Fri Dec 18 10:14:48 2009 : Debug: pam_pass: function pam_authenticate FAILED for <yubikey>. Reason: Module is unknown
Fri Dec 18 10:14:48 2009 : Info: ++[pam] returns reject
Fri Dec 18 10:14:48 2009 : Info: Failed to authenticate the user.


and here is my radiusd file in /etc/pam.d

Code:
auth required /lib/security/pam_yubico.so id=1 debug key=eraser authfile=/etc/freeradius/yubiauthfile.map url=http://yubikey/yubico/validation/ykval-verify?id=%d&otp=%s


If I change 'required' to 'sufficient' instead of 'module is unknown' I get "permission denied". If I replace the yubikey module with the pam_unix module radius authenticates just fine using the regular user password.

I can test my validation server manually and it seems to work. I have also configured SSH to use the exact same yubikey PAM with relatively no issues. I've got pam spitting out debug messages and I see it appending output when I ssh but not when I use 'radtest'

does anybody know what is going on?


Top
 Profile  
Reply with quote  
PostPosted: Fri Dec 18, 2009 4:44 pm 
Offline

Joined: Fri Nov 13, 2009 6:35 pm
Posts: 5
as for all of the information requested by network-marvels:

1) OS: Ubuntu 9.10
2) FreeRADIUS Version 2.1.0
3) Yubico PAM: 2.2
4-6) The files are way too large to paste in here and the forum system won't allow me to upload them (it doesn't like the .conf or .txt file extension). Should I just paste them in here or is there a better way?
7)
Code:
auth required pam_yubico.so id=2 debug authfile=/etc/freeradius/yubico.mapping url=http://10.x.x.x:8180/wsapi/verify?id=%d&otp=%s

8)SELinux status: disabled


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 12 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group