Yubico Forum

Problems with PAM, 2FA, SSH, FreeBSD 8.2

Author:  tore [ Wed Nov 09, 2011 9:35 pm ]
Post subject:  Problems with PAM, 2FA, SSH, FreeBSD 8.2

Hi folks,

Have some issues with getting PAM to work with SSH and 2FA.

UsePam yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

auth requisite pam_yubico.so id=X debug authfile=/etc/yubikey_mappings key=X
auth required pam_unix.so debug use_first_pass

Nov 9 20:29:17 sshd[94332]: fatal: PAM: pam_setcred(): failed to retrieve user credentials

I get this error when I do an SSH to the box:

tore:~ tore$ ssh -l root
Yubikey for `root': /etc/passwd password + OTP
Connection to closed by remote host.
Connection to closed.

If I only provide my OTP I get this error:
Nov 9 20:31:05 sshd[94342]: error: PAM: authentication error for root from
tore:~ tore$ ssh -l root
Yubikey for `root':
Yubikey for `root':
Yubikey for `root':
root@'s password:
Permission denied, please try again.
root@'s password:
Received disconnect from 2: Too many authentication failures for root

I checked out the latest source code two days ago, regarding yubico-c-client and yubico-pam.

What am I missing?


Author:  tore [ Thu Nov 10, 2011 6:47 pm ]
Post subject:  Re: Problems with PAM, 2FA, SSH, FreeBSD 8.2

Of course, I found the error:

When using PAM with SSH, the manual for sshd_config states that ChallengeResponseAuthentication and PasswordAuthentication should not have the same value.

ChallengeResponseAuthentication no
PasswordAuthentication yes
UsePam yes

Now it works with username, unix_password + OTP.

As far as I can understand, you cannot use the yubico PAM to do this:

tore:~ tore$ ssh -l root
Yubikey for `root':
pam_unix: pam_sm_authenticate: UNIX authentication refused
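
An added illustration (not part of the original posts and not pam_yubico's own code) of why the OTP-only attempt above ends in "UNIX authentication refused": the single prompt response is split by length, and whatever precedes the token is the password left for pam_unix with use_first_pass. It assumes the default 12-character public ID followed by a 32-character OTP and an authfile of the form user:public_id[:public_id...]; all function names and sample values are constructed.

```python
# Added illustration modelled on how a "password + OTP" response is split.
# Not pam_yubico source; names and sample data below are constructed.
MODHEX = set("cbdefghijklnrtuv")   # YubiKey modhex alphabet
OTP_LEN = 32                       # modhex characters of the encrypted OTP part
ID_LEN = 12                        # assumed default public-ID length


def split_response(response, id_len=ID_LEN):
    """Return (static_password, public_id, token) from one prompt response."""
    token_len = id_len + OTP_LEN
    if len(response) < token_len:
        raise ValueError("response too short to contain an OTP")
    # The split is purely positional: the last 44 characters are the token.
    password = response[:-token_len]
    token = response[-token_len:]
    if not set(token) <= MODHEX:
        raise ValueError("trailing characters are not modhex")
    return password, token[:id_len], token


def parse_mappings(text):
    """Parse authfile content (user:public_id[:public_id...]) into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, *ids = line.split(":")
        table.setdefault(user, set()).update(i for i in ids if i)
    return table


def check(user, response, mappings):
    """Show what each module in the stack would have to work with."""
    password, public_id, token = split_response(response)
    return {
        "token_mapped": public_id in mappings.get(user, set()),
        "password_for_next_module": password,  # empty => pam_unix has nothing
        "otp": token,
    }


# Constructed sample data (not a real token or a real mapping file).
SAMPLE_MAPPINGS = "root:cccccccfhcbe\n"
SAMPLE_OTP = "cccccccfhcbe" + "lnrtuvcbdefghijklnrtuvcbdefghijk"

if __name__ == "__main__":
    maps = parse_mappings(SAMPLE_MAPPINGS)
    print(check("root", "hunter2" + SAMPLE_OTP, maps))  # password + OTP
    print(check("root", SAMPLE_OTP, maps))              # OTP only
```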


All times are UTC + 1 hour