Yubico Forum https://forum.yubico.com/
Ubuntu MFA SSH login is not working https://forum.yubico.com/viewtopic.php?f=23&t=2614
Author: pradeepverizon [ Wed Mar 29, 2017 6:12 pm ]
Post subject: Ubuntu MFA SSH login is not working
Hi,

We are configuring YubiKey multi-factor authentication for SSH on Ubuntu Server. Our server version is

Quote:
Linux ubuntu-14 4.2.0-27-generic #32~14.04.1-Ubuntu SMP Fri Jan 22 15:32:26 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

We are using OpenSSH

Quote:
OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.6, OpenSSL 1.0.1f 6 Jan 2014

My issue is, when I try to log in, I am able to log in to my Ubuntu box using the YubiKey. I am not able to see any useful logs.

1. /etc/ssh/sshd_config

Code:
## This configuration file is generated using ansible. Please do not make any changes manually
## If you need to make any changes , please contact "Atlassian.Tools.Team@verizon.com"
Port 22
ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
ChallengeResponseAuthentication yes
Match User appuser1,appuser2
    AuthenticationMethods publickey
Match User supportuser1,supportuser2
    AuthenticationMethods publickey,keyboard-interactive
    PasswordAuthentication no

2. /etc/pam.d/sshd

Code:
# PAM configuration for the Secure Shell service

# Standard Un*x authentication.
#@include common-auth
auth sufficient pam_yubico.so id=65324 key=owZVX2FHJKD43432qYnkk00= debug authfile=/etc/yubikey_mappings mode=client

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close

# Set the loginuid process attribute.
session required pam_loginuid.so

# Create a new session keyring.
session optional pam_keyinit.so force revoke

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Print the message of the day upon successful login.
# This includes a dynamically generated part from /run/motd.dynamic
# and a static (admin-editable) part from /etc/motd.
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

# Standard Un*x password updating.
@include common-password

3.

Code:
supportuser1:xxxxxxx
supportuser1:xxxxxxx
supportuser1:xxxxxxx
supportuser1:XXXXXXXX

The output when I try to log in to the server is

Code:
#ssh -vvv -i server_ssh supportuser1@192.168.1.10
Ubuntu 14.04.4 LTS
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: cardno:0007913443
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: server_ssh
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 151
debug2: input_userauth_pk_ok: fp SHA256:SyXJ6CI+QNIId+ewelZUznt/HAuqGyDqUp5QHQ438vM
debug3: sign_and_send_pubkey: RSA SHA256:SyXJ6CI+QNIId+ewelZUznt/HAuqGyDqUp5QHQ438vM
Authenticated with partial success.
debug2: key: cardno:000605483812 (0x7fcf086007e0),
debug2: key: server_ssh (0x0), explicit
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
YubiKey for `supportuser1':
debug1: Authentications that can continue: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1

And the debug auth log says:

Code:
Mar 29 13:07:55 ubuntu-14 sshd[3123]: Postponed keyboard-interactive for supportuser1 from 10.10.3.6 port 60260 ssh2 [preauth]

Could you please help me to resolve this issue?
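To see which login path the sshd_config in the post above actually enforces for each user, here is an added example (my own code, not from the poster and not OpenSSH code) that resolves the Match blocks the way sshd does and reports the AuthenticationMethods chains per user. The config string is the posted file trimmed to the keywords that matter. Assumptions: only "Match User" criteria are handled, globals apply where no matching Match block sets the keyword, and the first matching Match block that sets a keyword wins; the server-side prerequisite check only looks at UsePAM and ChallengeResponseAuthentication.

```python
"""Resolve effective sshd AuthenticationMethods per user from an sshd_config.
Added example, not OpenSSH code.  Assumption: first matching Match block wins
for each keyword; globals fill in the rest."""
import re
import shlex

# Constructed sample: the relevant lines of the sshd_config from the post.
SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
Match User appuser1,appuser2
    AuthenticationMethods publickey
Match User supportuser1,supportuser2
    AuthenticationMethods publickey,keyboard-interactive
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, opts), ...]) with lowercased keys."""
    global_opts, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((val, current))
        elif current is None:
            global_opts.setdefault(key, val)   # first occurrence wins, as in sshd
        else:
            current.setdefault(key, val)
    return global_opts, matches


def match_applies(criteria, user):
    """Only 'User a,b' criteria are handled ("Match all" has no pairs and matches)."""
    toks = shlex.split(criteria)
    for crit, arg in zip(toks[::2], toks[1::2]):
        if crit.lower() == "user":
            if user not in arg.split(","):
                return False
        else:
            raise NotImplementedError("Match criterion %s not handled" % crit)
    return True


def effective_options(text, user):
    global_opts, matches = parse_sshd_config(text)
    eff = {}
    for criteria, opts in matches:
        if match_applies(criteria, user):
            for k, v in opts.items():
                eff.setdefault(k, v)       # first matching block wins
    for k, v in global_opts.items():
        eff.setdefault(k, v)
    return eff


def required_methods(text, user):
    """List of chains; a login must complete every method of one chain.
    Empty list = no AuthenticationMethods restriction (any one method suffices)."""
    am = effective_options(text, user).get("authenticationmethods", "")
    return [chain.split(",") for chain in am.split()] if am else []


def mfa_enforced(text, user):
    """True only if every allowed chain needs publickey AND keyboard-interactive,
    and keyboard-interactive can actually run (UsePAM on, challenge-response on;
    the OpenSSH 6.x default for ChallengeResponseAuthentication is yes)."""
    chains = required_methods(text, user)
    eff = effective_options(text, user)
    kbd_possible = (eff.get("usepam", "no") == "yes"
                    and eff.get("challengeresponseauthentication", "yes") == "yes")
    return bool(chains) and kbd_possible and all(
        "publickey" in c and "keyboard-interactive" in c for c in chains)


if __name__ == "__main__":
    for u in ("appuser1", "supportuser1", "root", "someoneelse"):
        print(u, required_methods(SSHD_CONFIG, u), "MFA:", mfa_enforced(SSHD_CONFIG, u))
```

Run against the posted config it shows that only supportuser1/supportuser2 are forced through both factors; appuser1/appuser2 get key-only, and any user not named in a Match block (root included) has no AuthenticationMethods restriction at all. It also flags the silent lock-out case where a chain requires keyboard-interactive but ChallengeResponseAuthentication or UsePAM is off.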
Author: pradeepverizon [ Wed Mar 29, 2017 9:56 pm ]
Post subject: Re: Ubuntu MFA SSH login is not working
While trying to dig more into the logs, I got the error message from the PAM logs. Here is the error I am getting:

Code:
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: pradeep.cg
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccfdssaseltdfetbdtkulcefrnfuddbnvtftjjhkltegb ID: ccfdssaselt
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (101): Could not parse server response
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
[../pam_yubico.c:parse_cfg(761)] called.
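The debug lines above show the two things pam_yubico does with a typed OTP: split it into a 12-character public id plus 32-character token and map the id to the PAM user via the authfile, then hand it to the validation service and parse the reply (the step that failed here with "Could not parse server response"). The following is an added example of both steps, written by me for this page; it is not the pam_yubico or ykclient code. Assumptions that are mine, not the post's: the authfile format user:publicid[:publicid...], and the YubiCloud Validation Protocol 2.0 reply format of CRLF-separated key=value lines carrying a status field and an h signature (HMAC-SHA1 over the other fields, sorted by key and joined with &, under the base64-decoded API key). The OTP, mapping file and API key below are constructed, not the poster's.

```python
"""OTP split, authfile lookup and verify-reply parsing/signature check.
Added example, not pam_yubico or ykclient code.  Sample data constructed."""
import base64
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"   # the YubiKey's keyboard-layout-independent alphabet
PUBLIC_ID_LEN = 12            # "token_id set to 12" in the debug output
TOKEN_LEN = 32                # "token OTP always 32"

# Constructed sample data (not the poster's key, OTP or mapping file).
SAMPLE_API_KEY = base64.b64encode(b"0123456789abcdefghij").decode()
SAMPLE_OTP = "cccccccccccc" + "drltfjlcbjvggiuucrlndbhfkgebcftv"
SAMPLE_AUTHFILE = """\
# user:publicid[:publicid...]
supportuser1:cccccccccccc:ccccccccdddd
supportuser2:vvvvvvvvvvvv
"""


def is_modhex(s):
    return bool(s) and all(c in MODHEX for c in s)


def modhex_decode(s):
    """Decode modhex text to bytes; two characters per byte."""
    if len(s) % 2 or not is_modhex(s):
        raise ValueError("bad modhex: %r" % s)
    n = [MODHEX.index(c) for c in s]
    return bytes((n[i] << 4) | n[i + 1] for i in range(0, len(n), 2))


def split_otp(otp):
    """Return (public_id, token): the split the debug log describes."""
    if len(otp) != PUBLIC_ID_LEN + TOKEN_LEN or not is_modhex(otp):
        raise ValueError("expected %d modhex characters" % (PUBLIC_ID_LEN + TOKEN_LEN))
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def users_for_public_id(authfile_text, public_id):
    """Users whose authfile line lists this public id."""
    owners = []
    for raw in authfile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, *ids = line.split(":")
        if public_id in ids:
            owners.append(user)
    return owners


def key_belongs_to_user(otp, pam_user, authfile_text):
    """Local check: the key's public id must be mapped to the PAM user.
    Independent of whether the validation service accepts the OTP."""
    public_id, _token = split_otp(otp)
    return pam_user in users_for_public_id(authfile_text, public_id)


def parse_verify_response(body):
    """Parse a verify reply into a dict.  Anything that is not key=value lines
    with a status field (an HTML error page, an empty body) raises ValueError."""
    fields = {}
    for line in body.replace("\r\n", "\n").strip().split("\n"):
        if "=" not in line:
            raise ValueError("unparseable line: %r" % line)
        k, v = line.split("=", 1)
        fields[k.strip()] = v.strip()
    if "status" not in fields:
        raise ValueError("reply has no status field")
    return fields


def sign_fields(fields, api_key_b64):
    """h = base64(HMAC-SHA1(key, 'k1=v1&k2=v2...')) over every field but h, sorted."""
    msg = "&".join("%s=%s" % (k, fields[k]) for k in sorted(fields) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_signed_response(status, otp, nonce, api_key_b64, t="2017-03-29T13:07:55Z0123"):
    """Construct a reply shaped like a validation server's (used for testing)."""
    fields = {"t": t, "otp": otp, "nonce": nonce, "sl": "100", "status": status}
    fields["h"] = sign_fields(fields, api_key_b64)
    return "".join("%s=%s\r\n" % (k, fields[k]) for k in ("h", "t", "otp", "nonce", "sl", "status"))


def verify_response(body, api_key_b64, otp, nonce):
    """True only for a parseable, correctly signed reply for OUR otp and nonce
    with status OK; a bad signature or a reply for another otp/nonce raises."""
    fields = parse_verify_response(body)
    if not hmac.compare_digest(fields.get("h", ""), sign_fields(fields, api_key_b64)):
        raise ValueError("response signature mismatch")
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        raise ValueError("reply is for a different otp/nonce")
    return fields["status"] == "OK"


if __name__ == "__main__":
    print(key_belongs_to_user(SAMPLE_OTP, "supportuser1", SAMPLE_AUTHFILE))       # True
    body = build_signed_response("OK", SAMPLE_OTP, "0123456789abcdef", SAMPLE_API_KEY)
    print(verify_response(body, SAMPLE_API_KEY, SAMPLE_OTP, "0123456789abcdef"))  # True
```

The point of the signature and otp/nonce checks is that the key= value in the PAM line is what lets the module reject a reply that was altered or replayed between the host and the validation service; the parse step before it is where a body that is not key=value text (for instance an intercepted HTTP reply) gets reported as unparseable rather than as a status.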
Author: mattlegitt [ Thu Mar 30, 2017 2:24 am ]
Post subject: Re: Ubuntu MFA SSH login is not working
Hello pradeepverizon,

Are you using an internal validation service? If not, the OTP ID is not a factory Yubico OTP ID and will not work with our validation service. Please follow the linked page to upload your OTP ID to the validation server. If you need further assistance, I recommend creating a support ticket. (https://www.yubico.com/support/raise-ticket/)
https://www.yubico.com/support/knowledg ... ion-guide/

Best Regards,
Matthew
Yubico Support
Author: pradeepverizon [ Thu Mar 30, 2017 2:44 pm ]
Post subject: Re: Ubuntu MFA SSH login is not working
Hi Matthew,

Basically we are evaluating YubiKey for our team. Our servers are spread across two subnets. I am pushing this configuration to the servers in both subnets using a configuration management tool. In one subnet it is working fine, but on the servers in the other subnet it is not.

Thanks,
Pradeep
Author: pradeepverizon [ Thu Mar 30, 2017 8:47 pm ]
Post subject: Re: Ubuntu MFA SSH login is not working
I am getting the below error in auth.log:

Code:
Mar 30 15:45:06 ubuntu-14 sshd[12715]: PAM unable to dlopen(pam_yubico.so): /usr/lib/x86_64-linux-gnu/libykclient.so.3: version `YKCLIENT_2.15' not found (required by /lib/security/pam_yubico.so)
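The dlopen error in the post above is the dynamic loader refusing to load pam_yubico.so because the libykclient.so.3 on that host does not define the symbol version YKCLIENT_2.15 the module was built against. That mismatch can be checked before rolling a module out to a fleet, without touching PAM at all, by comparing the module's version needs (.gnu.version_r) with the versions the installed library defines (.gnu.version_d). Here is an added example that does exactly that by reading the ELF tables directly; it is my own code, not pam_yubico, ykclient, dlopen or glibc code. Assumptions: 64-bit little-endian ELF files only, and libraries are matched to the module's needs by the basename of the path you pass (no ld.so.conf or RPATH search, so pass the library paths the loader would actually resolve).

```python
"""Report versioned-symbol needs of an ELF module that supplied libraries
do not satisfy.  Added example, not loader code.  ELF64 little-endian only."""
import struct
import sys

SHT_GNU_VERDEF, SHT_GNU_VERNEED = 0x6FFFFFFD, 0x6FFFFFFE
VER_FLG_BASE = 0x1   # the library's own base version entry, not a real version


def _sections(data):
    """Yield (sh_type, sh_offset, sh_size, sh_link) for every section header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF file")
    e_shoff, = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    for i in range(e_shnum):
        hdr = struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        yield hdr[1], hdr[4], hdr[5], hdr[6]


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()


def needed_versions(data):
    """{library soname: {version names it must define}} from .gnu.version_r."""
    need = {}
    secs = list(_sections(data))
    for sh_type, off, _size, link in secs:
        if sh_type != SHT_GNU_VERNEED:
            continue
        strtab = secs[link][1]              # sh_offset of the linked string table
        while True:                          # Elf64_Verneed chain
            _ver, cnt, file_, aux, nxt = struct.unpack_from("<HHIII", data, off)
            lib = _cstr(data, strtab + file_)
            a = off + aux
            for _ in range(cnt):             # Elf64_Vernaux chain
                _hash, _flags, _other, name, anext = struct.unpack_from("<IHHII", data, a)
                need.setdefault(lib, set()).add(_cstr(data, strtab + name))
                a += anext
            if nxt == 0:
                break
            off += nxt
    return need


def defined_versions(data):
    """Version names a library defines in .gnu.version_d (base entry excluded)."""
    defs = set()
    secs = list(_sections(data))
    for sh_type, off, _size, link in secs:
        if sh_type != SHT_GNU_VERDEF:
            continue
        strtab = secs[link][1]
        while True:                          # Elf64_Verdef chain
            _ver, flags, _ndx, _cnt, _hash, aux, nxt = struct.unpack_from("<HHHHIII", data, off)
            name, = struct.unpack_from("<I", data, off + aux)   # first Verdaux = the name
            if not flags & VER_FLG_BASE:
                defs.add(_cstr(data, strtab + name))
            if nxt == 0:
                break
            off += nxt
    return defs


def unmet_versions(module_data, libraries):
    """libraries: {soname: file bytes}.  Returns {soname: sorted missing versions}
    for each requirement that the supplied libraries do not satisfy."""
    missing = {}
    for lib, versions in needed_versions(module_data).items():
        have = defined_versions(libraries[lib]) if lib in libraries else set()
        gap = sorted(versions - have)
        if gap:
            missing[lib] = gap
    return missing


def needs_of_file(path):
    """Version needs of an ELF on disk, or None if it is not an ELF64 LE file."""
    with open(path, "rb") as f:
        data = f.read()
    try:
        return needed_versions(data)
    except ValueError:
        return None


def needs_of_self():
    """Same check applied to the running interpreter's own binary (None if not ELF)."""
    try:
        return needs_of_file(sys.executable)
    except OSError:
        return None


if __name__ == "__main__":
    # usage: python check_versions.py MODULE.so LIB1.so [LIB2.so ...]
    module = open(sys.argv[1], "rb").read()
    libs = {p.rsplit("/", 1)[-1]: open(p, "rb").read() for p in sys.argv[2:]}
    print(unmet_versions(module, libs) or "all version needs satisfied")
```

For the case in the thread the call would be `python check_versions.py /lib/security/pam_yubico.so /usr/lib/x86_64-linux-gnu/libykclient.so.3`; a non-empty result names the library and the versions it lacks, which is the same information the loader prints at the first login attempt, obtained before any user is locked out.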
Author: mattlegitt [ Thu Mar 30, 2017 11:57 pm ]
Post subject: Re: Ubuntu MFA SSH login is not working
Hello Pradeep,

Please go to the following linked page and test your OTP credential. If the test fails, you'll need to re-program your YubiKey with the previously linked documentation and upload to YubiCloud.
https://demo.yubico.com/

Best Regards,
Matthew
Yubico Support