Yubico Forum
https://forum.yubico.com/

SSH authentication with 3 step (login/passwd/otp)
https://forum.yubico.com/viewtopic.php?f=5&t=627
Page 1 of 1

Author:  meepmeep [ Wed Jan 26, 2011 12:17 pm ]
Post subject:  SSH authentication with 3 step (login/passwd/otp)

Hi

I just get my yubikey, and I would like to know if it's possible to have a 3 step identification :
- login (not always a dependant step, because the ssh client could tacitly send the username)
- Password
- OTP

Currently, my yubikey is working great with yubico-pam on a debian stable, but, the OTP has to be concatenate with the password (I enter my username, press enter, enter my password, press the yubikey).

I'm using :
- Debian stable (5.0.8)
- OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
- Ykclient 2.3
- pam-yubiko 2.5
- in /etc/pam.d/sshd :
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings
- In /etc/yubikey_mappings :
<myusername>:<Token ID>
- In /etc/pam.d/common-auth :
Code:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure debug try_first_pass

- In /etc/ssh/sshd_config :
Code:
PasswordAuthentication yes
ChallengeResponseAuthentication no

I try to set
Code:
ChallengeResponseAuthentication yes


The ssh login ask my credential in 3 step .. but it's not working :
Code:
meepmeep@Marvin:~$ ssh dev.box
Yubikey for `meepmeep':
Password:
Read from remote host dev.box: Connection reset by peer
Connection to dev.box closed.


debug file :
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: -1216685976


Finally, I try to put the line
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings

at the end of the /etc/pam.d/sshd (so the OTP is ask after my password), I get the same error on the client side (connection closed), and I get this debug file :

Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: 0


(the last "retval" is different, but I don't know what it means !)

I'm open to any idea :)

Author:  cornelinux [ Tue Feb 15, 2011 11:39 pm ]
Post subject:  Re: SSH authentication with 3 step (login/passwd/otp)

Hi meepmeep,

yes it is possible. I guess it would be possible in several differen ways. Well - I do not know the pam_yubico.so but you could do some pam stacking that first would do

pam_unix

to authenticate with the password and then do

pam_radius or pam_yubico

to authenticate with the OTP.
You can use the yubikey with many different backends. When you inititilize it with HOTP, there are even more backends aroud, which will work e.g. with pam_radius...

(Just a very top level answer...)

Kind regards
Cornelius

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/