I have tried to setup the configuration I spoke of before.
It would seam that PubkeyAuthentication within openssh currently overrides any other authentication methods so to accomplish what I want would likely require a patch to openssh which I don't have the expertise to wright my self.
So forgoing that for the time it would seem I can leave PubkeyAuthentication enabled and must ensure my client is not using pageant if putty or I am using -a with ssh if I have a key loaded locally with ssh-add/ssh-agent to get the prompt:
Yubikey for `coniptor':
I've read conflicting information in a couple of posts concerning this.
I'm running Debian Etch with the latest errata/security updates applied.
I had to modify /etc/pam.d/ssh not /etc/pam.d/sshd for Debian.
I had to ENABLE: "ChallengeResponseAuthentication yes" in /etc/ssh/sshd_config to get the Yubikey prompt listed above.
Regardless of if I have PasswordAuthentication set to no or yes I am unable to authenticate at the Yubikey prompt and this applies whether or not PubkeyAuthentication is enabled or disabled in sshd_config.
Again to note I DO NOT want PasswordAuthentication enabled EVER and would be quite content and happy if pam_yubico.so didn't try to do ANYTHING AT ALL with /etc/shadow.
I do not want /etc/shadow on my system checked during login unless I'm at the physical console.
I have the id= set to what my client id is listed as at the api.yubico.com site once logged in.
I have my yubikey id set in /etc/yubikeyid and in ~/.yubico/authorized_yubikeys for my normal login.
I have tried authentication with /etc/yubikeyid and .yubico/authorized_yubikeys readable only by user and by ugo without success.
I have both auth required lines enabled in /etc/pam.d/ssh for admin and regular access and have also tried it with just admin and just user enabled still with no success.
If I ssh in with Pubkey auth I do not get a debug message on my regular account login but receive two debug messages in a row when I ssh from my regular account to my root account like below:
[pam_yubico.c:pam_sm_setcred(561)] called.
[pam_yubico.c:pam_sm_setcred(561)] called.
Which is not completely helpfull.
In addition /var/run/pam-debug.log which has user group and world/other read write never shows ANY changes still zero length.
I have verifed with tshark that my system is even trying to validate at the url:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
which it is so I know the pam_yubico.so library is contacting the site for authentication and not being validated.
I would sincerely appreciate help from anyone else who has managed to get this working in Debian.
Thanks in advance to anyone who can help.
