Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:15 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Wed Jan 26, 2011 12:17 pm 
Offline

Joined: Tue Jan 25, 2011 10:44 am
Posts: 1
Hi

I just get my yubikey, and I would like to know if it's possible to have a 3 step identification :
- login (not always a dependant step, because the ssh client could tacitly send the username)
- Password
- OTP

Currently, my yubikey is working great with yubico-pam on a debian stable, but, the OTP has to be concatenate with the password (I enter my username, press enter, enter my password, press the yubikey).

I'm using :
- Debian stable (5.0.8)
- OpenSSH_5.5p1 Debian-6, OpenSSL 0.9.8o 01 Jun 2010
- Ykclient 2.3
- pam-yubiko 2.5
- in /etc/pam.d/sshd :
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings
- In /etc/yubikey_mappings :
<myusername>:<Token ID>
- In /etc/pam.d/common-auth :
Code:
auth    [success=1 default=ignore]      pam_unix.so nullok_secure debug try_first_pass

- In /etc/ssh/sshd_config :
Code:
PasswordAuthentication yes
ChallengeResponseAuthentication no

I try to set
Code:
ChallengeResponseAuthentication yes


The ssh login ask my credential in 3 step .. but it's not working :
Code:
meepmeep@Marvin:~$ ssh dev.box
Yubikey for `meepmeep':
Password:
Read from remote host dev.box: Connection reset by peer
Connection to dev.box closed.


debug file :
Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>vcutccutjtggbgnjjcgjbjlncudivkvl ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: -1216685976


Finally, I try to put the line
Code:
auth required pam_yubico.so id=<myID> key=<myKey> debug authfile=/etc/yubikey_mappings

at the end of the /etc/pam.d/sshd (so the OTP is ask after my password), I get the same error on the client side (connection closed), and I get this debug file :

Code:
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 1 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: meepmeep
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll
[pam_yubico.c:pam_sm_authenticate(558)] OTP: <YUBIKEY-TOKEN-ID>flcrldfivfhbgdelulijvkcljudvgbll ID: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success
[pam_yubico.c:check_user_token(117)] Authorization line: meepmeep:<YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(121)] Matched user: meepmeep
[pam_yubico.c:check_user_token(125)] Authorization token: <YUBIKEY-TOKEN-ID>
[pam_yubico.c:check_user_token(128)] Match user/token as meepmeep/<YUBIKEY-TOKEN-ID>
[pam_yubico.c:pam_sm_authenticate(625)] done. [Success]
[pam_yubico.c:parse_cfg(404)] called.
[pam_yubico.c:parse_cfg(405)] flags 2 argc 4
[pam_yubico.c:parse_cfg(407)] argv[0]=id=<MyID>
[pam_yubico.c:parse_cfg(407)] argv[1]=key=<MyKey>
[pam_yubico.c:parse_cfg(407)] argv[2]=debug
[pam_yubico.c:parse_cfg(407)] argv[3]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(408)] id=<MyID>
[pam_yubico.c:parse_cfg(409)] key=<MyKey>
[pam_yubico.c:parse_cfg(410)] debug=1
[pam_yubico.c:parse_cfg(411)] alwaysok=0
[pam_yubico.c:parse_cfg(412)] verbose_otp=0
[pam_yubico.c:parse_cfg(413)] try_first_pass=0
[pam_yubico.c:parse_cfg(414)] use_first_pass=0
[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(416)] ldapserver=(null)
[pam_yubico.c:parse_cfg(417)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(418)] ldapdn=(null)
[pam_yubico.c:parse_cfg(419)] user_attr=(null)
[pam_yubico.c:parse_cfg(420)] yubi_attr=(null)
[pam_yubico.c:pam_sm_setcred(640)] called.
[pam_yubico.c:pam_sm_setcred(646)] retval: 0


(the last "retval" is different, but I don't know what it means !)

I'm open to any idea :)


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Feb 15, 2011 11:39 pm 
Offline

Joined: Mon Nov 22, 2010 4:02 pm
Posts: 14
Location: Germany
Hi meepmeep,

yes it is possible. I guess it would be possible in several differen ways. Well - I do not know the pam_yubico.so but you could do some pam stacking that first would do

pam_unix

to authenticate with the password and then do

pam_radius or pam_yubico

to authenticate with the OTP.
You can use the yubikey with many different backends. When you inititilize it with HOTP, there are even more backends aroud, which will work e.g. with pam_radius...

(Just a very top level answer...)

Kind regards
Cornelius


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 0 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group