Yubico Forum https://forum.yubico.com/
PAM module not working on FreeBSD https://forum.yubico.com/viewtopic.php?f=5&t=213
Author: wwager [ Thu Dec 18, 2008 3:27 pm ]
Post subject: PAM module not working on FreeBSD

Hi there, I'm trying to get pam_yubico-1.8 to work with FreeBSD 6.x. So far we are at the point where the module has compiled properly and we have it in /usr/lib/; when trying to use it with sshd or passwd it breaks with no actual error. All our servers are primarily FreeBSD 6.x and 7.x, so it's critical that we can get it working on this platform. Has anyone been able to get this to work on FreeBSD? If anyone can assist I would appreciate it. Cheers, Will
Author: network-marvels [ Fri Dec 19, 2008 5:10 pm ]
Post subject: Re: PAM module not working on FreeBSD

We are looking into this and will update you soon.
Author: network-marvels [ Mon Dec 22, 2008 4:55 pm ]
Post subject: Re: PAM module not working on FreeBSD

We need to disable the default "ChallengeResponseAuthentication" for ssh logins in order to use the pam_yubico module for two-factor authentication.

Steps to disable "ChallengeResponseAuthentication": Edit the sshd configuration file "/etc/ssh/sshd_config" with root privileges and make the following changes:

a) Uncomment "PasswordAuthentication" and change "PasswordAuthentication no" to "PasswordAuthentication yes" on line 61 of "/etc/ssh/sshd_config"
b) Uncomment "ChallengeResponseAuthentication" and change "ChallengeResponseAuthentication yes" to "ChallengeResponseAuthentication no" on line 65 of "/etc/ssh/sshd_config"
c) Uncomment "UsePAM" and change "UsePAM no" to "UsePAM yes" on line 86 of "/etc/ssh/sshd_config"

We have tested the Yubico PAM configuration on the following test environment:
2) OpenSSH Version: OpenSSH_4.5p1 FreeBSD-20061110
3) Yubico PAM Version: pam_yubico-1.8
4) /etc/pam.d/sshd:

Quote:
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth		required	pam_yubico.so		authfile=/etc/yubikeyid id=16 debug
auth		sufficient	pam_opie.so		no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so	no_warn allow_local
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so
session		required	pam_permit.so

# password
#password	sufficient	pam_krb5.so		no_warn try_first_pass
password	required	pam_unix.so		no_warn try_first_pass

5) "/etc/ssh/sshd_config":

Quote:
# $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
# $FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20061110

#Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
Author: InquisitiveDonut [ Wed Oct 02, 2013 1:37 am ]
Post subject: Re: PAM module not working on FreeBSD

I've tried this on FreeBSD 9.0-RELEASE and have had no luck. Swapping "ChallengeResponse" to "yes" and "PasswordAuthentication" to "no" yields the following (answers filled in by me):

login as: <my username>
Using keyboard-interactive authentication.
Yubikey for `<my username>`: <I touch my yubikey's button>
Access denied

After 3 attempts, OpenSSH shuts me down.

My /etc/pam.d/sshd is as follows:

Code:
auth sufficient pam_yubico.so id=<my id> key=<my key> debug
auth sufficient pam_opie.so no_warn no_fake_prompts try_first_pass
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass

My /etc/ssh/sshd_config is as follows:

Code:
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes
UsePAM yes

In addition, it appears that the debug flag does nothing: nothing shows up when telling syslog-ng to log everything to a single log file. At this point, help would be appreciated.

EDIT to add: Further information. I'm not seeing any outbound traffic from my machine to authenticate.
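The two configurations posted so far (the 2008 recipe with PasswordAuthentication and both modules `required`, and the 2013 one with keyboard-interactive and pam_yubico `sufficient`) differ in two things that decide what a YubiKey OTP actually gates: which sshd userauth method reaches PAM, and what pam_yubico's control flag does to the rest of the stack. The script below is an added example, not code from this thread, from Yubico or from pam_yubico. It parses the three relevant sshd_config directives and the `auth` lines of /etc/pam.d/sshd and reports both. The sample configurations are constructed from the settings posted above (`id=16` and `key=deadbeef` are placeholders, not real API credentials); SSHD_DEFAULTS assumes the defaults of FreeBSD's stock sshd_config, which is what the commented-out lines in the posted file show. The classification uses only documented OpenSSH and PAM control-flag semantics, which OpenPAM on FreeBSD shares.

```python
"""Audit sshd_config and /etc/pam.d/sshd for what a YubiKey OTP really gates.

Added example, not code from the thread or from pam_yubico. Sample configs
are constructed from settings posted in the thread.
"""
import re

# Assumed FreeBSD stock sshd_config defaults; an uncommented line overrides them.
SSHD_DEFAULTS = {
    "usepam": "yes",
    "challengeresponseauthentication": "yes",
    "passwordauthentication": "no",
}

# Constructed sample A: password method, pam_yubico and pam_unix both required.
SSHD_A = "PasswordAuthentication yes\nChallengeResponseAuthentication no\nUsePAM yes\n"
PAM_A = """\
auth required   pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite  pam_opieaccess.so no_warn allow_local
auth required   pam_unix.so no_warn try_first_pass
"""

# Constructed sample B: keyboard-interactive, pam_yubico 'sufficient' first.
SSHD_B = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
PAM_B = """\
auth sufficient pam_yubico.so id=16 key=deadbeef debug
auth sufficient pam_opie.so no_warn no_fake_prompts try_first_pass
auth requisite  pam_opieaccess.so no_warn allow_local
auth required   pam_unix.so no_warn try_first_pass
"""

STRONG = {"required", "requisite"}  # control flags whose failure sinks the stack


def parse_sshd_config(text):
    """Lowercased keyword -> lowercased value; like sshd, the first occurrence wins."""
    opts, seen = dict(SSHD_DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s*=?\s*(.*)$", line)
        key = m.group(1).lower()
        if key not in seen:
            seen.add(key)
            opts[key] = m.group(2).strip().lower()
    return opts


def pam_prompt_channels(opts):
    """Which sshd userauth methods will run the PAM auth stack at all."""
    if opts["usepam"] != "yes":
        return []  # PAM auth modules are never called
    channels = []
    if opts["challengeresponseauthentication"] == "yes":
        # keyboard-interactive relays the module's own prompt to the client
        channels.append("keyboard-interactive")
    if opts["passwordauthentication"] == "yes":
        # 'password' answers every echo-off PAM prompt with the single secret
        # the client sent, so pam_yubico receives that string as its OTP
        channels.append("password")
    return channels


def parse_pam_auth_stack(text):
    """[(control, module basename, args)] for the 'auth' lines of a pam.d file."""
    stack = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1].lower(), parts[2].rsplit("/", 1)[-1], parts[3:]))
    return stack


def yubikey_factor_model(stack):
    """'two-factor', 'either-factor', 'otp-only', 'no-yubikey' or 'unclassified'."""
    mods = [m for _, m, _ in stack]
    if "pam_yubico.so" not in mods:
        return "no-yubikey"
    idx = mods.index("pam_yubico.so")
    yk_control = stack[idx][0]
    unix_strong = any(c in STRONG and m == "pam_unix.so" for c, m, _ in stack)
    # 'sufficient' ends the stack with success unless a required module failed
    # earlier; with pam_yubico first, a good OTP is enough by itself, and on a
    # bad OTP the stack simply carries on to pam_unix (password alone).
    if yk_control == "sufficient" and not any(c in STRONG for c, _, _ in stack[:idx]):
        return "either-factor" if unix_strong else "otp-only"
    if yk_control in STRONG:
        return "two-factor" if unix_strong else "otp-only"
    return "unclassified"  # optional/binding etc. are not modelled here


def audit(sshd_text, pam_text):
    """Combine both views into a verdict plus human-readable findings."""
    channels = pam_prompt_channels(parse_sshd_config(sshd_text))
    model = yubikey_factor_model(parse_pam_auth_stack(pam_text))
    findings = []
    if not channels:
        findings.append("UsePAM no: pam_yubico is never consulted")
    elif "keyboard-interactive" not in channels:
        findings.append("no keyboard-interactive: the client never sees the "
                        "'YubiKey for' prompt; its password is what pam_yubico gets")
    if model == "either-factor":
        findings.append("pam_yubico is 'sufficient' ahead of pam_unix: a valid OTP "
                        "alone, or the password alone, logs in")
    elif model == "otp-only":
        findings.append("no required pam_unix: the OTP is the only factor")
    return {"channels": channels, "model": model, "findings": findings}


if __name__ == "__main__":
    for name, s, p in (("A", SSHD_A, PAM_A), ("B", SSHD_B, PAM_B)):
        print(name, audit(s, p))
```

Sample A comes back as two-factor but only reachable through the password method, so the client never sees pam_yubico's own prompt; sample B relays the prompt over keyboard-interactive but, because pam_yubico is `sufficient` and first, a valid OTP on its own is enough to log in and a failed OTP falls through to pam_unix alone. Swapping that one control flag to `required` is what turns the OTP from an alternative into a second factor.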
Author: frijsdijk [ Wed Dec 18, 2013 9:28 pm ]
Post subject: Re: PAM module not working on FreeBSD

I also can't get it to work. We've bought 2 keys to try it; if it works, all our admins would like to use this. Feel like I'm close, but yet so far away. I'm trying this in FreeBSD 9.2-RELEASE:

Code:
# sshd -v
sshd: illegal option -- v
OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013

My sshd_config:

Code:
# $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
# $FreeBSD: release/9.2.0/crypto/openssh/sshd_config 252339 2013-06-28 09:55:00Z des $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum FreeBSD-20130515

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server

I've installed:

Code:
pam_yubico-2.14    PAM module for authenticating with a Yubico YubiKey
ykclient-2.9_1     Yubico C client library
ykpers-1.12.0      Library and tool for personalization of Yubico's YubiKey

In /etc/pam.d/sshd I've added (first line, below comments):

Code:
auth required /usr/local/lib/security/pam_yubico.so id=MYID key=MYKEY url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s debug

So, when I try to login from remote, this is what it looks like (running SSHD in debug mode on port 23):

[user@server ~]$ ssh -p 23 user@x.x.x.x
YubiKey for `user': <press yubikey>
- nothing happens -

The other side, sshd in debug (/usr/sbin/sshd -p 23 -ddd):

Code:
# /usr/sbin/sshd -p 23 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 231
debug2: parse_server_config: config /etc/ssh/sshd_config len 231
debug3: /etc/ssh/sshd_config:50 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:71 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:124 setting Subsystem sftp /usr/libexec/sftp-server
debug1: HPN Buffer Size: 65536
debug1: sshd version OpenSSH_6.2p2_hpn13v11 FreeBSD-20130515, OpenSSL 0.9.8y 5 Feb 2013
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='23'
debug1: rexec_argv[3]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 23 on ::.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on :: port 23.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 23 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on 0.0.0.0 port 23.

Then we start the ssh session from remote:

Code:
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 231
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from x.x.x.x port 50388
debug1: HPN Disabled: 0, HPN Buffer Size: 65536
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH_5*
debug1: Remote is not HPN-aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 28065
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: client->server aes128-cbc hmac-md5 none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: server->client aes128-cbc hmac-md5 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug3: mm_request_send entering: type 0 [preauth]
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI [preauth]
debug3: mm_request_receive_expect entering: type 1 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_choose_dh: remaining 0 [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug2: dh_gen_key: priv key bits set: 137/256 [preauth]
debug2: bits set: 496/1024 [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug2: bits set: 507/1024 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x803019100(55)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug3: Trying to reverse map address x.x.x.x. [preauth]
debug1: userauth-request for user user service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address x.x.x.x.
debug2: parse_server_config: config reprocess config len 231
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for user [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "user"
debug1: PAM: setting PAM_RHOST to "server.fqdn.nl"
debug2: monitor_read: 100 used once, disabling now
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user user service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8030082e0
debug1: trying public key file /home/user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: key_read: type mismatch
- snipped ssh-keys data -
debug2: key not found
debug1: trying public key file /home/user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': Permission denied
Failed publickey for user from x.x.x.x port 50388 ssh2
debug3: mm_answer_keyallowed: key 0x8030082e0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user user service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8030082e0
debug1: trying public key file /home/user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug2: key not found
debug1: trying public key file /home/user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': Permission denied
Failed publickey for USER from x.x.x.x port 50388 ssh2
debug3: mm_answer_keyallowed: key 0x8030082e0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user USER service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=USER devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug2: auth2_challenge_start: devices pam [preauth]
debug2: kbdint_next_device: devices <empty> [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
debug3: mm_sshpam_init_ctx [preauth]
debug3: mm_request_send entering: type 104 [preauth]
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
debug3: mm_request_receive_expect entering: type 105 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 104
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 105
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 106
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 107
debug3: mm_sshpam_query: pam_query returned 0 [preauth]
Postponed keyboard-interactive for user from x.x.x.x port 50388 ssh2 [preauth]

Then, I press the yubikey, and we get:

Code:
debug3: mm_sshpam_respond [preauth]
debug3: mm_request_send entering: type 108 [preauth]
debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth]
debug3: mm_request_receive_expect entering: type 109 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 108
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 109
debug3: mm_sshpam_respond: pam_respond returned 1 [preauth]
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 106
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering

That's it. Nothing else. I also see no outgoing connections (deny-out firewall with logging). I've been trying for hours, but nada. Tried the Google authenticator, worked right away. But... I want to use Yubikey! Can I get some help? Happy to provide any data!

Oh, PS: I've created /var/run/pam-debug.log with write rights for everyone, but no data appears.
Author: frijsdijk [ Wed Dec 18, 2013 10:37 pm ]
Post subject: Re: PAM module not working on FreeBSD

When configuring DEBUG logging from SSHD, this is what I get in /var/log/debug upon making an ssh connection:

Code:
Dec 18 22:34:53 null sshd[41987]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
Dec 18 22:34:53 null sshd[41987]: in pam_get_user(): entering
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): entering: PAM_USER
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:34:53 null sshd[41987]: in pam_get_user(): returning PAM_SUCCESS
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): entering: PAM_CONV
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): returning PAM_SUCCESS

Client side:

Code:
[user@server ~]$ ssh -p 22 user@x.x.x.x
YubiKey for `user': <presses key>
.. nothing!

When entering a deliberately wrong OTP (that is, wrong size!):

Code:
Dec 18 22:36:43 null sshd[41992]: in pam_set_data(): entering: 'yubico_setcred_return'
Dec 18 22:36:43 null sshd[41992]: in pam_set_data(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_dispatch(): /usr/local/lib/security/pam_yubico.so: pam_sm_authenticate(): authentication error
Dec 18 22:36:43 null sshd[41992]: in openpam_dispatch(): calling pam_sm_authenticate() in pam_unix.so
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'auth_as_self'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_get_user(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_USER
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_user(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_sm_authenticate(): Got user: frederique
Dec 18 22:36:43 null sshd[41992]: in pam_sm_authenticate(): Doing real authentication
Dec 18 22:36:43 null sshd[41992]: in pam_get_authtok(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_RHOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_HOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_OLDAUTHTOK
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'try_first_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning ''
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_AUTHTOK
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'use_first_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'authtok_prompt'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_AUTHTOK_PROMPT
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_subst(): entering: 'Password for %u@%h:'
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_USER
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_HOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_subst(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'echo_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_vprompt(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_CONV
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS

So, when entering something of the right size, nothing happens. When entering something of the wrong size, the above logging appears.
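The last two posts describe the same split: an OTP of the wrong length is rejected at once and shows up in the OpenPAM trace, while a well-formed one produces no log line and no outbound connection. That split follows from how a YubiKey OTP is built. The script below is an added example, not code from this thread, from Yubico or from pam_yubico. It shows which parts of an OTP a host can check on its own (length, the modhex alphabet, and the public-ID-to-user mapping of the authfile) and which it cannot: the trailing 32 modhex characters are an AES-encrypted 16-byte block carrying the private ID, counters and CRC, so only a validation server holding that key's secret can tell a genuine token from a well-formed fake. The OTP, user names and authfile contents are constructed, not real credentials; a 12-character public ID is assumed (the YubiKey default, and configurable in pam_yubico), and the `user:publicid[:publicid...]` layout is pam_yubico's documented authfile format.

```python
"""Offline pre-check of a YubiKey OTP plus the pam_yubico authfile lookup.

Added example, not code from the thread or from pam_yubico. OTP and
authfile contents are constructed; a 12-char public ID is assumed.
"""

MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
TOKEN_LEN = 32                # 16 AES-encrypted bytes as modhex
MAX_PUBLIC_ID_LEN = 16

# Constructed sample: public ID "ccccccbcgujh" followed by a 32-char token.
SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgcuetdbndnhvkhvhuevhbkr"

# Constructed sample authfile, user:publicid[:publicid...] per line.
SAMPLE_AUTHFILE = """\
# user : one or more YubiKey public IDs
will:ccccccbcgujh
alice:cccccclkdhef:ccccccvvvvvv
"""


def modhex_decode(s):
    """Decode modhex to bytes; ValueError on odd length or a non-modhex char."""
    if len(s) % 2:
        raise ValueError("odd-length modhex string")
    out = bytearray()
    for hi, lo in zip(s[::2], s[1::2]):
        out.append((MODHEX.index(hi) << 4) | MODHEX.index(lo))
    return bytes(out)


def split_otp(otp, public_id_len=12):
    """Return (public_id, token). Length and alphabet are all that can be
    checked without the key's AES secret; a wrong-size OTP fails here,
    before any validation request would be sent."""
    otp = otp.strip()
    if not 0 <= public_id_len <= MAX_PUBLIC_ID_LEN:
        raise ValueError("public id length out of range")
    expected = public_id_len + TOKEN_LEN
    if len(otp) != expected:
        raise ValueError("bad OTP length %d, expected %d" % (len(otp), expected))
    if any(c not in MODHEX for c in otp):
        raise ValueError("non-modhex character in OTP")
    return otp[:public_id_len], otp[public_id_len:]


def parse_authfile(text):
    """user -> set of public IDs, skipping blank and '#' lines."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            user, *ids = line.split(":")
            mapping[user] = {i for i in ids if i}
    return mapping


def local_precheck(user, otp, authfile_text):
    """Everything a module can decide locally. Returns (status, detail):
      'malformed'        - reject now, no network round-trip needed
      'unmapped'         - public ID is not listed for this user
      'needs-validation' - well-formed and mapped; only the validation
                           server can say whether the token is genuine
    """
    try:
        public_id, _token = split_otp(otp)
    except ValueError as e:
        return "malformed", str(e)
    if public_id not in parse_authfile(authfile_text).get(user, set()):
        return "unmapped", public_id
    return "needs-validation", modhex_decode(public_id).hex()


if __name__ == "__main__":
    print(local_precheck("will", SAMPLE_OTP, SAMPLE_AUTHFILE))
    print(local_precheck("will", SAMPLE_OTP[:-1], SAMPLE_AUTHFILE))
```

The useful consequence for debugging is that "needs-validation" is exactly the state in which the module has nothing left to decide locally and must talk to the validation server; if a well-formed OTP hangs and no outbound connection appears, the problem lies between that point and the network, not in the OTP or the PAM stack.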
All times are UTC + 1 hour