Yubico Forum
https://forum.yubico.com/

PAM module not working on FreeBSD
https://forum.yubico.com/viewtopic.php?f=5&t=213
Page 1 of 1

Author:  wwager [ Thu Dec 18, 2008 3:27 pm ]
Post subject:  PAM module not working on FreeBSD

Hi there,

I'm trying to get pam_yubico-1.8 to work with FreeBSD 6.x. So far we are at the point where the module has compiled properly and we have it in /usr/lib/; when trying to use it with sshd or passwd it breaks with no actual error. All our servers are primarily FreeBSD 6.x and 7.x, so it's critical that we can get it working on this platform. Has anyone been able to get this to work on FreeBSD?

If anyone can assist I would appreciate it.

Cheers,

Will

Author:  network-marvels [ Fri Dec 19, 2008 5:10 pm ]
Post subject:  Re: PAM module not working on FreeBSD

We are looking into this and will update you soon.

Author:  network-marvels [ Mon Dec 22, 2008 4:55 pm ]
Post subject:  Re: PAM module not working on FreeBSD

We need to disable the default "ChallengeResponseAuthentication" for ssh logins in order to use the pam_yubico module for two-factor authentication.

Steps to disable "ChallengeResponseAuthentication":

Edit the sshd configuration file “/etc/ssh/sshd_config” with root privileges and do the following changes:

    a) Uncomment "PasswordAuthentication" and change “PasswordAuthentication no” to “PasswordAuthentication yes” on line 61 of “/etc/ssh/sshd_config”

    b) Uncomment "ChallengeResponseAuthentication" and change “ChallengeResponseAuthentication yes” to “ChallengeResponseAuthentication no” on line 65 of “/etc/ssh/sshd_config”

    c) Uncomment "UsePAM" and change “UsePAM no” to “UsePAM yes” on line 86 of “/etc/ssh/sshd_config”

We have tested the Yubico PAM configuration on following test environment:

    1) OS Version: FreeBSD 7.0-RELEASE
    2) OpenSSH Version: OpenSSH_4.5p1 FreeBSD-20061110,
    3) Yubico PAM Version: pam_yubico-1.8
    4) /etc/pam.d/sshd:

    Quote:
    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth
    auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
    auth sufficient pam_opie.so no_warn no_fake_prompts
    auth requisite pam_opieaccess.so no_warn allow_local
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    auth required pam_unix.so no_warn try_first_pass

    # account
    account required pam_nologin.so
    #account required pam_krb5.so
    account required pam_login_access.so
    account required pam_unix.so

    # session
    #session optional pam_ssh.so
    session required pam_permit.so

    # password
    #password sufficient pam_krb5.so no_warn try_first_pass
    password required pam_unix.so no_warn try_first_pass



    5) “/etc/ssh/sshd_config”:

    Quote:
    # $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $
    # $FreeBSD: src/crypto/openssh/sshd_config,v 1.47 2006/11/10 16:52:41 des Exp $

    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.

    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options change a
    # default value.

    # Note that some of FreeBSD's defaults differ from OpenBSD's, and
    # FreeBSD has a few additional options.

    #VersionAddendum FreeBSD-20061110

    #Port 22
    #Protocol 2
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_dsa_key

    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 768

    # Logging
    # obsoletes QuietMode and FascistLogging
    #SyslogFacility AUTH
    #LogLevel INFO

    # Authentication:

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

    #RSAAuthentication yes
    #PubkeyAuthentication yes
    #AuthorizedKeysFile .ssh/authorized_keys

    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes

    # Change to yes to enable built-in password authentication.
    PasswordAuthentication yes
    #PermitEmptyPasswords no

    # Change to no to disable PAM authentication
    ChallengeResponseAuthentication no

    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no

    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes

    # Set this to 'no' to disable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes

    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PrintMotd yes
    #PrintLastLog yes
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    #PermitTunnel no

    # no default banner path
    #Banner /some/path

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # ForceCommand cvs server



Author:  InquisitiveDonut [ Wed Oct 02, 2013 1:37 am ]
Post subject:  Re: PAM module not working on FreeBSD

I've tried this on FreeBSD 9.0-RELEASE and have had no luck. Swapping "ChallengeResponse" to "yes" and "PasswordAuthentication" to "no" yields the following (answers filled in by me):

login as: <my username>
Using keyboard-interactive authentication.
Yubikey for `<my username>`: <I touch my yubikey's button>
Access denied

After 3 attempts, OpenSSH shuts me down.

My /etc/pam.d/sshd is as follows:

Code:
auth            sufficient      pam_yubico.so           id=<my id> key=<my key> debug
auth            sufficient      pam_opie.so             no_warn no_fake_prompts try_first_pass
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_unix.so             no_warn try_first_pass


My /etc/ssh/sshd_config is as follows:

Code:
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable PAM authentication
ChallengeResponseAuthentication yes

UsePAM yes


In addition, it appears that the debug flag does nothing - nothing shows up when telling syslog-ng to log everything to a single log file.

At this point, help would be appreciated.

EDIT to add: Further information. I'm not seeing any outbound traffic from my machine to authenticate.
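The control flags in the two /etc/pam.d/sshd stacks posted so far (pam_yubico "required" in network-marvels' post, "sufficient" and first in InquisitiveDonut's post) decide what a login actually has to present, and OpenPAM's dispatch rules are easy to misread. What follows is an added Python example, not code from the thread, from pam_yubico or from OpenPAM: it models the control-flag handling of openpam_dispatch() (required, requisite, sufficient, optional, binding) and runs both posted stacks against constructed module outcomes. The outcomes are assumptions, not taken from the thread: the user has no OPIE key, so pam_opie fails and pam_opieaccess with allow_local passes; pam_yubico and pam_unix succeed or fail depending on the scenario.

```python
"""Model of OpenPAM's auth-chain dispatch, run over the two pam.d/sshd stacks posted
in this thread.

Added example: not code from the thread, pam_yubico or OpenPAM. The control-flag
rules follow openpam_dispatch(): a 'sufficient'/'binding' success ends the chain
with success unless a required module already failed; a 'required'/'binding'
failure is remembered and the chain continues; a 'requisite' failure ends the
chain at once; 'optional' results never decide the outcome.
"""
from typing import Dict, List, Tuple

SUCCESS, AUTH_ERR, IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"

# auth section from network-marvels' post: pam_yubico is 'required'
STACK_REQUIRED = """\
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
"""

# auth section from InquisitiveDonut's post: pam_yubico is 'sufficient' and first
STACK_SUFFICIENT = """\
auth sufficient pam_yubico.so id=<my id> key=<my key> debug
auth sufficient pam_opie.so no_warn no_fake_prompts try_first_pass
auth requisite pam_opieaccess.so no_warn allow_local
auth required pam_unix.so no_warn try_first_pass
"""


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return (control, module-file) pairs for the 'auth' facility of a pam.d file."""
    chain = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module = line.split()[:3]
        if facility == "auth":
            chain.append((control, module.rsplit("/", 1)[-1]))  # drop any /usr/local/lib/security/ prefix
    return chain


def dispatch(chain: List[Tuple[str, str]], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the chain like openpam_dispatch(); results maps module file -> return code.
    Returns (verdict, list of modules that were actually invoked)."""
    called, err, fail = [], None, False
    for control, module in chain:
        called.append(module)
        r = results.get(module, AUTH_ERR)
        if r == SUCCESS:
            if control in ("sufficient", "binding") and not fail:
                break                      # chain satisfied; later modules never run
            continue
        if r == IGNORE:
            continue
        if err is None:
            err = r                        # first error seen
        if control in ("required", "binding") and not fail:
            fail, err = True, r            # first *required* error decides the verdict
        if control == "requisite":
            fail = True
            break                          # abort the chain immediately
    return (SUCCESS if not fail else err), called


def login(stack: str, otp_ok: bool, password_ok: bool) -> Tuple[str, List[str]]:
    """Constructed outcomes (assumption, not from the thread): the user has no OPIE
    key, so pam_opie fails and pam_opieaccess with allow_local passes."""
    results = {
        "pam_yubico.so": SUCCESS if otp_ok else AUTH_ERR,
        "pam_opie.so": AUTH_ERR,
        "pam_opieaccess.so": SUCCESS,
        "pam_unix.so": SUCCESS if password_ok else AUTH_ERR,
    }
    return dispatch(parse_chain(stack), results)


if __name__ == "__main__":
    for name, stack in (("required", STACK_REQUIRED), ("sufficient", STACK_SUFFICIENT)):
        for otp_ok, password_ok in ((True, True), (True, False), (False, True)):
            verdict, called = login(stack, otp_ok, password_ok)
            print("%-10s otp_ok=%-5s password_ok=%-5s -> %-12s via %s"
                  % (name, otp_ok, password_ok, verdict, " -> ".join(called)))
```

Running it shows the two behaviours a practitioner cares about. With pam_yubico "required", a bad OTP does not end the conversation: the chain goes on to pam_unix (so a password prompt still appears) and the final verdict is PAM_AUTH_ERR, which is the same module order visible in the OpenPAM debug output later in this thread (pam_sm_authenticate() in pam_yubico.so reports an authentication error, then pam_unix.so is called). With pam_yubico "sufficient" and first, a valid OTP ends the chain before pam_unix is ever consulted, and a valid password with a bad OTP also succeeds, so either factor alone is enough for that stack.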

Author:  frijsdijk [ Wed Dec 18, 2013 9:28 pm ]
Post subject:  Re: PAM module not working on FreeBSD

I also can't get it to work. We've bought 2 keys to try it; if it works, all our admins would like to use this.

Feel like I'm close, but yet so far away.

I'm trying this on FreeBSD 9.2-RELEASE:
Code:
# sshd -v
sshd: illegal option -- v
OpenSSH_6.2p2, OpenSSL 0.9.8y 5 Feb 2013


My sshd_config:
Code:
#       $OpenBSD: sshd_config,v 1.89 2013/02/06 00:20:42 dtucker Exp $
#       $FreeBSD: release/9.2.0/crypto/openssh/sshd_config 252339 2013-06-28 09:55:00Z des $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum FreeBSD-20130515

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server




I've installed:
Code:
pam_yubico-2.14                PAM module for authenticating with a Yubico YubiKey
ykclient-2.9_1                 Yubico C client library
ykpers-1.12.0                  Library and tool for personalization of Yubico's YubiKey


In /etc/pam.d/sshd I've added (first line, below comments):
Code:
auth required /usr/local/lib/security/pam_yubico.so id=MYID key=MYKEY url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s debug


So, when I try to login from remote, this is what it looks like (running SSHD in debug mode on port 23):

[user@server ~]$ ssh -p 23 user@x.x.x.x
YubiKey for `user': <press yubikey>

- nothing happens -

The other side, sshd in debug (/usr/sbin/sshd -p 23 -ddd);
Code:
# /usr/sbin/sshd -p 23 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 231
debug2: parse_server_config: config /etc/ssh/sshd_config len 231
debug3: /etc/ssh/sshd_config:50 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:71 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:124 setting Subsystem sftp /usr/libexec/sftp-server
debug1: HPN Buffer Size: 65536
debug1: sshd version OpenSSH_6.2p2_hpn13v11 FreeBSD-20130515, OpenSSL 0.9.8y 5 Feb 2013
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='23'
debug1: rexec_argv[3]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sock_set_v6only: set socket 3 IPV6_V6ONLY
debug1: Bind to port 23 on ::.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on :: port 23.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 23 on 0.0.0.0.
debug1: Server TCP RWIN socket size: 65536
debug1: HPN Buffer Size: 65536
Server listening on 0.0.0.0 port 23.


Then we start the ssh session from remote:

Code:
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 231
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
debug1: res_init()
Connection from x.x.x.x port 50388
debug1: HPN Disabled: 0, HPN Buffer Size: 65536
debug1: Client protocol version 2.0; client software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH_5*
debug1: Remote is not HPN-aware
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2_hpn13v11 FreeBSD-20130515
debug2: fd 3 setting O_NONBLOCK
debug2: Network child is on pid 28065
debug3: preauth child monitor started
debug3: privsep user:group 22:22 [preauth]
debug1: permanently_set_uid: 22/22 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0  [preauth]
debug2: kex_parse_kexinit: reserved 0  [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: client->server aes128-cbc hmac-md5 none [preauth]
debug2: mac_setup: found hmac-md5 [preauth]
debug1: kex: server->client aes128-cbc hmac-md5 none [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received [preauth]
debug3: mm_request_send entering: type 0 [preauth]
debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI [preauth]
debug3: mm_request_receive_expect entering: type 1 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 0
debug3: mm_answer_moduli: got parameters: 1024 1024 8192
debug3: mm_request_send entering: type 1
debug2: monitor_read: 0 used once, disabling now
debug3: mm_choose_dh: remaining 0 [preauth]
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent [preauth]
debug2: dh_gen_key: priv key bits set: 137/256 [preauth]
debug2: bits set: 496/1024 [preauth]
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT [preauth]
debug2: bits set: 507/1024 [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x803019100(55)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent [preauth]
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug3: Trying to reverse map address x.x.x.x. [preauth]
debug1: userauth-request for user user service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address x.x.x.x.
debug2: parse_server_config: config reprocess config len 231
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for user [preauth]
debug3: mm_start_pam entering [preauth]
debug3: mm_request_send entering: type 100 [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 100
debug1: PAM: initializing for "user"
debug1: PAM: setting PAM_RHOST to "server.fqdn.nl"
debug2: monitor_read: 100 used once, disabling now
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user user service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8030082e0
debug1: trying public key file /home/user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug3: key_read: type mismatch
- snipped ssh-keys data -
debug2: key not found
debug1: trying public key file /home/user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': Permission denied
Failed publickey for user from x.x.x.x port 50388 ssh2
debug3: mm_answer_keyallowed: key 0x8030082e0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user user service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 1 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x8030082e0
debug1: trying public key file /home/user/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug2: key not found
debug1: trying public key file /home/user/.ssh/authorized_keys2
debug1: Could not open authorized keys '/home/user/.ssh/authorized_keys2': Permission denied
Failed publickey for USER from x.x.x.x port 50388 ssh2
debug3: mm_answer_keyallowed: key 0x8030082e0 is not allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user USER service ssh-connection method keyboard-interactive [preauth]
debug1: attempt 3 failures 2 [preauth]
debug2: input_userauth_request: try method keyboard-interactive [preauth]
debug1: keyboard-interactive devs  [preauth]
debug1: auth2_challenge: user=USER devs= [preauth]
debug1: kbdint_alloc: devices 'pam' [preauth]
debug2: auth2_challenge_start: devices pam [preauth]
debug2: kbdint_next_device: devices <empty> [preauth]
debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
debug3: mm_sshpam_init_ctx [preauth]
debug3: mm_request_send entering: type 104 [preauth]
debug3: mm_sshpam_init_ctx: waiting for MONITOR_ANS_PAM_INIT_CTX [preauth]
debug3: mm_request_receive_expect entering: type 105 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 104
debug3: mm_answer_pam_init_ctx
debug3: PAM: sshpam_init_ctx entering
debug3: mm_request_send entering: type 105
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 106
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering
debug3: PAM: sshpam_thread_conv entering, 1 messages
debug3: ssh_msg_send: type 1
debug3: ssh_msg_recv entering
debug3: mm_request_send entering: type 107
debug3: mm_sshpam_query: pam_query returned 0 [preauth]
Postponed keyboard-interactive for user from x.x.x.x port 50388 ssh2 [preauth]

Then, I press the yubikey, and we get:

Code:
debug3: mm_sshpam_respond [preauth]
debug3: mm_request_send entering: type 108 [preauth]
debug3: mm_sshpam_respond: waiting for MONITOR_ANS_PAM_RESPOND [preauth]
debug3: mm_request_receive_expect entering: type 109 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 108
debug3: mm_answer_pam_respond
debug2: PAM: sshpam_respond entering, 1 responses
debug3: ssh_msg_send: type 6
debug3: mm_request_send entering: type 109
debug3: mm_sshpam_respond: pam_respond returned 1 [preauth]
debug3: mm_sshpam_query [preauth]
debug3: mm_request_send entering: type 106 [preauth]
debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY [preauth]
debug3: mm_request_receive_expect entering: type 107 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 106
debug3: mm_answer_pam_query
debug3: PAM: sshpam_query entering
debug3: ssh_msg_recv entering


That's it. Nothing else.

I also see no outgoing connections (deny out firewall with logging).

I've been trying for hours, but nada. Tried the Google authenticator, worked right away. But.. I want to use Yubikey!

Can I get some help? Happy to provide any data!

Oh, PS: I've created /var/run/pam-debug.log with write rights for everyone, but no data appears.

Author:  frijsdijk [ Wed Dec 18, 2013 10:37 pm ]
Post subject:  Re: PAM module not working on FreeBSD

When configuring DEBUG logging from SSHD, I get in /var/log/debug

Upon making an ssh connection:
Code:
Dec 18 22:34:53 null sshd[41987]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
Dec 18 22:34:53 null sshd[41987]: in pam_get_user(): entering
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): entering: PAM_USER
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:34:53 null sshd[41987]: in pam_get_user(): returning PAM_SUCCESS
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): entering: PAM_CONV
Dec 18 22:34:53 null sshd[41987]: in pam_get_item(): returning PAM_SUCCESS


Client side:
Code:
[user@server ~]$ ssh -p 22 user@x.x.x.x
YubiKey for `user':  <presses key>


.. nothing!

When entering deliberate wrong OTP (that is, wrong size!)

Code:
Dec 18 22:36:43 null sshd[41992]: in pam_set_data(): entering: 'yubico_setcred_return'
Dec 18 22:36:43 null sshd[41992]: in pam_set_data(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_dispatch(): /usr/local/lib/security/pam_yubico.so: pam_sm_authenticate(): authentication error
Dec 18 22:36:43 null sshd[41992]: in openpam_dispatch(): calling pam_sm_authenticate() in pam_unix.so
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'auth_as_self'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_get_user(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_USER
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_user(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_sm_authenticate(): Got user: frederique
Dec 18 22:36:43 null sshd[41992]: in pam_sm_authenticate(): Doing real authentication
Dec 18 22:36:43 null sshd[41992]: in pam_get_authtok(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_RHOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_HOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_OLDAUTHTOK
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'try_first_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning ''
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_AUTHTOK
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'use_first_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'authtok_prompt'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_AUTHTOK_PROMPT
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_subst(): entering: 'Password for %u@%h:'
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_USER
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_HOST
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_subst(): returning PAM_SUCCESS
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): entering: 'echo_pass'
Dec 18 22:36:43 null sshd[41992]: in openpam_get_option(): returning NULL
Dec 18 22:36:43 null sshd[41992]: in pam_vprompt(): entering
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): entering: PAM_CONV
Dec 18 22:36:43 null sshd[41992]: in pam_get_item(): returning PAM_SUCCESS


So, when entering something of the right size, nothing happens. When entering something of the wrong size, the above logging appears.
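The behaviour described in the last two posts (a token of the wrong size is rejected straight away, a token of the right size goes on to the validation step, which is where the outbound request would be made) together with the id=, key= and url= options on the pam.d line are the client half of the Yubico validation protocol v2.0. The following is an added Python example of that client half; it is not code from the thread, from ykclient or from pam_yubico. It checks the OTP shape locally the way the module does before any network I/O, builds a signed verify request in the format the url= template expects (id and otp as query parameters), and verifies a signed reply. Everything concrete is constructed: client id 16 is reused from the thread, while the API key, the OTP and the server reply are made up, and nothing is sent on the network.

```python
"""Yubico OTP shape check and Yubico validation protocol v2.0 request/response signing.

Added example, not ykclient or pam_yubico code. Constructed sample values: client id
16 (from the thread), a made-up API key, a made-up OTP and a canned server reply.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import urlencode

MODHEX = "cbdefghijklnrtuv"   # ModHex alphabet: one nibble per character, 'c' = 0 ... 'v' = 15
OTP_LEN = 44                   # 12 ModHex chars of public id + 32 chars of encrypted token
PUBLIC_ID_LEN = 12

API_KEY_B64 = base64.b64encode(b"this-is-a-made-up-demo-key").decode()   # constructed, not a real key
SAMPLE_OTP = "ccccccbcgkdt" + "jgttkvevlubefhrkgrvkjgbtnkttlvnd"           # constructed, 44 ModHex chars


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not ModHex")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def parse_otp(otp: str) -> bytes:
    """Local sanity check performed before any network I/O: a wrong length or a
    non-ModHex character is rejected immediately. Returns the 6-byte public id."""
    if len(otp) != OTP_LEN:
        raise ValueError("OTP must be %d ModHex characters, got %d" % (OTP_LEN, len(otp)))
    modhex_decode(otp)                       # raises on non-ModHex input
    return modhex_decode(otp[:PUBLIC_ID_LEN])


def _sign(params: dict, api_key: bytes) -> str:
    """Protocol v2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by key, joined with '&',
    base64-encoded. The key is the base64-decoded API key that goes with the client id."""
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params))
    return base64.b64encode(hmac.new(api_key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_url(client_id: int, otp: str, api_key_b64: str,
                     base: str = "https://api.yubico.com/wsapi/2.0/verify",
                     nonce: str = None) -> Tuple[str, str]:
    """Return (signed verify URL, nonce). The nonce is echoed by the server so the
    reply can be tied to this request."""
    parse_otp(otp)
    nonce = nonce or secrets.token_hex(16)   # 16..40 characters, letters and digits only
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = _sign(params, base64.b64decode(api_key_b64))
    return base + "?" + urlencode(params), nonce


def check_response(body: str, api_key_b64: str, otp: str, nonce: str) -> bool:
    """Accept only a reply whose signature verifies AND which echoes our otp and nonce
    AND whose status is OK. Any other reply, including a replayed one, is a failure."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    sig = fields.pop("h", None)
    if sig is None:
        return False
    expected = _sign(fields, base64.b64decode(api_key_b64))
    if not hmac.compare_digest(sig, expected):
        return False                         # tampered or not signed with our key
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return False                         # reply for some other request
    return fields.get("status") == "OK"


def fake_server_reply(otp: str, nonce: str, api_key_b64: str, status: str = "OK") -> str:
    """Constructed stand-in for the validation server's reply (not a real reply)."""
    fields = {"t": "2013-12-18T22:36:43Z0123", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    fields["h"] = _sign(fields, base64.b64decode(api_key_b64))
    return "\r\n".join("%s=%s" % kv for kv in fields.items()) + "\r\n"


if __name__ == "__main__":
    print("public id:", parse_otp(SAMPLE_OTP).hex())
    url, nonce = build_verify_url(16, SAMPLE_OTP, API_KEY_B64)
    print("request:", url)
    reply = fake_server_reply(SAMPLE_OTP, nonce, API_KEY_B64)
    print("genuine reply accepted:", check_response(reply, API_KEY_B64, SAMPLE_OTP, nonce))
    print("edited reply accepted: ", check_response(reply.replace("status=OK", "status=BAD_OTP"),
                                                    API_KEY_B64, SAMPLE_OTP, nonce))
```

Two points follow from the code. The key= value is what makes the h field of the reply checkable at all; with a plain http URL like the one on the pam.d line earlier in this thread, the integrity of the server's answer rests entirely on that HMAC, and the otp/nonce comparison is what stops a captured OK reply from being replayed against a later request. And because the length and alphabet check runs first, a truncated or mistyped token never reaches build_verify_url, which is the same local short-circuit as the "wrong size fails immediately" behaviour observed above.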
