rossnick wrote:
If I change the sufficient for required, I see:
# ssh rossnick@localhost
Yubikey for `rossnick':
Password:
Read from remote host localhost: Connection reset by peer
Connection to localhost closed.
Logs show me that the yubikey auth worked, and I see this:
sshd[31293]: Accepted keyboard-interactive/pam for rossnick from 127.0.0.1 port 42127 ssh2
sshd[31293]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
in my secure log.
I have ChallengeResponseAuthentication, PasswordAuthentication and UsePAM set to yes in my sshd config file. If ChallengeResponseAuthentication is set to no, I did not get a prompt for the yubikey at all.
I have _exactly_ this problem on Ubuntu 10.10. I've compiled the yubico lib and pam lib from the latest git source.
I set up as per the instructions, but if I set "auth required" in my pam.d/sshd file and log in, I get the yubikey prompt... followed by my password prompt... but the second I type in my password I get disconnected and the following error shows up in my /var/log/auth.log:
Mar 3 10:15:47 ************ sshd[7537]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
If I change it to "auth sufficient" in the pam.d/sshd file then it works fine; I can log in with no problems with just the yubikey and no password prompt. I don't _mind_ using the yubikey as my only auth... but I would _much_ rather have the two factor of my PW + the yubikey.
Any suggestions as to why this is dying with the required option?