Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:51 am

All times are UTC + 1 hour

Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Nov 03, 2016 4:10 pm 

Joined: Thu Nov 03, 2016 3:52 pm
Posts: 3
I run Ubuntu 14.04. I've installed the KSM and VAL services and managed to get them to work with ykclient from the client.

I've also tested LDAP by using the YubiCloud service for one of my keys, in which the PAM module looked up the Yubikey ID for each user using the standard Yubikey LDAP schema from https://github.com/mludvig/yubikey-ldap. This authentication methid worked.

ykclient is perfectly capable of validating keys and KSM and VAL are working as intended.

However I can not make yubico_pam.so authenticate using the same parameters as I use for ykclient when I combine VAL verification and LDAP lookups. I am convinced the fault here is not in the LDAP end of things, but rather in (another) undocumented feature of the KSM/VAL chain.

I use this line in /etc/pam.d/sshd:

auth required pam_yubico.so id=1 key=<generated with ykgen-client> = urllist=http://<url verified with ykclient> ldap_uri=ldap://<ldap-server> ldapdn=<dn> user_attr=cn yubi_attr=yubiKeyId token_id_length=12 ldapcacertfile=/<working cafile> mode=client debug

The debug log outputs this for an attempted authentication:

[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 11
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=1
[../pam_yubico.c:parse_cfg(764)] argv[1]=key=<keystring>
[../pam_yubico.c:parse_cfg(764)] argv[2]=urllist=<VAL server>
[../pam_yubico.c:parse_cfg(764)] argv[3]=ldap_uri=<ldapuri>
[../pam_yubico.c:parse_cfg(764)] argv[4]=ldapdn=<mydn>
[../pam_yubico.c:parse_cfg(764)] argv[5]=user_attr=cn
[../pam_yubico.c:parse_cfg(764)] argv[6]=yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(764)] argv[7]=token_id_length=12
[../pam_yubico.c:parse_cfg(764)] argv[8]=ldapcacertfile=<ldap-cafile>
[../pam_yubico.c:parse_cfg(764)] argv[9]=mode=client
[../pam_yubico.c:parse_cfg(764)] argv[10]=debug
[../pam_yubico.c:parse_cfg(765)] id=1
[../pam_yubico.c:parse_cfg(766)] key=<keystring>
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=(null)
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=ldap://<ldap-server>
[../pam_yubico.c:parse_cfg(775)] ldapdn=<dn>
[../pam_yubico.c:parse_cfg(776)] user_attr=cn
[../pam_yubico.c:parse_cfg(777)] yubi_attr=yubiKeyId
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: oyla
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 56 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 12 bytes. Length is 56, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: <full key> ID: <public part>
[../pam_yubico.c:pam_sm_authenticate(969)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (107): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]

I find it rather odd that ykclient works while the PAM module does not. The values are all the same. I tried the Ubuntu-supplied PAM module from APT as well as building my own from Git, with no luck. Any idea where to start? I didn't even know there was a server key to begin with, but then again, this wouldn't be my first time being surprised at something missing from the Yubico docs.

Thanks for any input.

Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Thu Nov 03, 2016 5:32 pm 

Joined: Thu Nov 03, 2016 3:52 pm
Posts: 3
Digging further, I only now notice (I blame a full brain) that only ykclient runs show up in the ykval server access logs - the PAM module does not even contact the validation server at all. Tcpdump comparing ykclient vs. PAM module runs further confirm this.

I am at this point somewhat less than favourably impressed at the logging facilities of the PAM module.

Reply with quote  
PostPosted: Fri Nov 04, 2016 1:03 pm 

Joined: Thu Nov 03, 2016 3:52 pm
Posts: 3
Scratching the test client and starting from zero again fixed it nicely. Probably some residual state somewhere from hours of experimenting.

Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour

Who is online

Users browsing this forum: No registered users and 0 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group