Yubico Forum
https://forum.yubico.com/

PAM config for sshd in RHEL 7 / CentOS 7
https://forum.yubico.com/viewtopic.php?f=16&t=1447
Page 1 of 1

Author:  minimax [ Wed Aug 20, 2014 10:08 am ]
Post subject:  PAM config for sshd in RHEL 7 / CentOS 7

I can't get Yubikey to work with SSH on RHEL 7 / CentOS 7. I always get the error
Code:
debug1: PAM: initializing for "root"
PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred
debug1: PAM: setting PAM_RHOST to "192.168.122.1"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth-request for user root service ssh-connection method password [preauth]
debug1: attempt 1 failures 0 [preauth]
password check failed for user (root)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.122.1  user$
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
debug1: PAM: password authentication failed for root: Module is unknown

This is what I did to install Yubikey on RHEL 7 / CentOS 7:
Code:
rpm -Uvh http://download.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm
yum -y install libyubikey

In /etc/pam.d/sshd:
Code:
#%PAM-1.0
auth required /usr/lib64/libyubikey.so id=16 authfile=/etc/yubikey_mappings
...the rest of the file

In /etc/yubikey_mappings:
Code:
root:cccc....

Code:
systemctl restart sshd.service

But no luck. On RHEL 6 and CentOS 6, everything is working fine.

Author:  mystic1 [ Tue Sep 23, 2014 10:11 pm ]
Post subject:  Re: PAM config for sshd in RHEL 7 / CentOS 7

I got a little further than you did.

I did the same bits with yum, but placed my "auth sufficient libyubikey.so id=16 authfile=/etc/yubikey_mappings" (note the change from "required" to "sufficient" line in /etc/pam.d/password-auth

I then realized that CentOS 7 was looking in /usr/lib64/security for the PAM *.so files, so I went there and linked to the Yubikey library:
Code:
ln -s /usr/lib64/libyubikey.so.0 /usr/lib64/security/libyubikey.so

This yielded an error in /var/log/secure every time I tried to SSH in to my host:
Code:
Sep 23 16:03:46 netservices3 sshd[3961]: PAM unable to resolve symbol: pam_sm_authenticate
Sep 23 16:03:46 netservices3 sshd[3961]: PAM unable to resolve symbol: pam_sm_setcred

Author:  minimax [ Thu Sep 25, 2014 10:35 am ]
Post subject:  Re: PAM config for sshd in RHEL 7 / CentOS 7

Ok, I tried the same - there is no need to set a symbolic link if you provide the correct filename directly in /etc/pam.d/sshd:

Code:
auth sufficient /usr/lib64/libyubikey.so.0 id=16 authfile=/etc/yubikey_mappings


Despite of that I get the same results:

Code:
PAM unable to resolve symbol: pam_sm_authenticate
PAM unable to resolve symbol: pam_sm_setcred


:(

Author:  minimax [ Thu Sep 25, 2014 11:48 am ]
Post subject:  Re: PAM config for sshd in RHEL 7 / CentOS 7

If you compile

* ykclient-2.13
* libyubikey-1.12
* ykpers-1.15.3

and

* yubico-pam from Github

then you will get the pam_yubico.so. But activating now results in
Code:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"

This seems due to /etc/pam.d/password-auth:
Code:
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success


But whatever you change here, I can't login using YubiKey.

Author:  minimax [ Mon Oct 20, 2014 10:01 am ]
Post subject:  Re: PAM config for sshd in RHEL 7 / CentOS 7

@Yubico: is there a solution? Can someone guide me with some hints on this issue?

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/