Yubico Forum

All times are UTC + 1 hour




Posted: Mon Jul 29, 2013 7:36 am

Joined: Mon Jul 29, 2013 7:29 am
Posts: 6
Hello,

I use my YubiKey to log in to my Kali (Debian) 64-bit machine in challenge-response HMAC-SHA1 mode. This generally works very well, however sometimes it doesn't work. But if I try again, it does work.

What I see:

(logged in using Gnome with yubikey without any problems. Start up terminal session...)

Code:
artien@artien-laptop:~$ sudo su -
[sudo] password for artien:
[util.c:get_user_challenge_file(217)] Failed to read serial number (serial-api-visible disabled?).
[pam_yubico.c:do_challenge_response(655)] Yubikey core error: timeout
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
Sorry, try again.
[sudo] password for artien:
[pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
[pam_yubico.c:do_challenge_response(652)] USB error: Access denied (insufficient permissions)
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
Sorry, try again.
[sudo] password for artien:
[pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
[pam_yubico.c:do_challenge_response(652)] USB error: Access denied (insufficient permissions)
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
Sorry, try again.
sudo: 3 incorrect password attempts
artien@artien-laptop:~$ sudo su -
[sudo] password for artien:
root@artien-laptop:~#


YubiKey config: challenge-response HMAC-SHA1 mode, variable input.

/etc/pam.d/common-auth:
Code:
              auth required  pam_unix.so nullok_secure try_first_pass
              auth [success=1 new_authtok_reqd=ok ignore=ignore default=die]   pam_yubico.so mode=challenge-response


Does anyone have a clue as to why it would fail only sometimes, and then work right away after that?


Last edited by SphaZ on Thu Aug 01, 2013 7:12 am, edited 1 time in total.

Posted: Mon Jul 29, 2013 8:26 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Mmm... could be a timing issue? Did you try swapping the USB port?
When you plug in your YubiKey, wait 5-10 seconds before typing the password.

Which firmware / YubiKey version?

_________________
-Tom


Posted: Mon Jul 29, 2013 8:38 am

Joined: Mon Jul 29, 2013 7:29 am
Posts: 6
Between logging into my desktop and Gnome I don't remove the yubikey...I will try another USB port and waiting a few seconds longer in between.

Firmware version 2.3.3 and I have the basic YUBIKEY USB TOKEN BLACK.

I will let you know..


Posted: Thu Aug 01, 2013 7:12 am

Joined: Mon Jul 29, 2013 7:29 am
Posts: 6
I've tried two other USB ports and finally found one that always seems to work. I'm using a Dell Latitude E6530 and it seems that the USB ports on the left and right side both have the same issues, but the USB port on the left-back side works fine all the time.

Very odd but seems a hardware issue, not a software issue so thank you.


Posted: Thu Aug 01, 2013 7:23 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Please can you check the USB bus?

Would be nice to know if the broken ports are USB 3.0 and if you can report the USB bus manufacturer.

Thank you.

_________________
-Tom


Posted: Tue Aug 20, 2013 3:17 pm

Joined: Mon Jul 29, 2013 7:29 am
Posts: 6
Further testing showed that it had to do with a monitor's built-in USB hub causing issues. Removing the USB hub or putting that on the other backside port fixes all issues.

Note: the screen is also a Dell.


Posted: Wed Aug 21, 2013 9:22 am

Joined: Mon Jul 29, 2013 7:29 am
Posts: 6
Hmm, spoke too soon. Despite appearing to work it looks even more complex.

There are 3 USB ports on the Latitude E6530.

Left, right and left-backside.

Left-backside always works.
Left side works when there is no hub connected, but it throws timeout errors (but still works oddly enough.)
Right side still sometimes does, sometimes doesn't work.


Posted: Wed Sep 04, 2013 6:49 pm

Joined: Wed Sep 04, 2013 6:46 pm
Posts: 4
Same issue here on Samsung 530U3C... This happens very seldom, but it is very annoying. Still trying to track this down.


Posted: Wed Sep 04, 2013 6:52 pm

Joined: Wed Sep 04, 2013 6:46 pm
Posts: 4
This is the debug output:

Code:
[pam_yubico.c:parse_cfg(738)] called.
[pam_yubico.c:parse_cfg(739)] flags 0 argc 2
[pam_yubico.c:parse_cfg(741)] argv[0]=mode=challenge-response
[pam_yubico.c:parse_cfg(741)] argv[1]=debug
[pam_yubico.c:parse_cfg(742)] id=-1
[pam_yubico.c:parse_cfg(743)] key=(null)
[pam_yubico.c:parse_cfg(744)] debug=1
[pam_yubico.c:parse_cfg(745)] alwaysok=0
[pam_yubico.c:parse_cfg(746)] verbose_otp=0
[pam_yubico.c:parse_cfg(747)] try_first_pass=0
[pam_yubico.c:parse_cfg(748)] use_first_pass=0
[pam_yubico.c:parse_cfg(749)] authfile=(null)
[pam_yubico.c:parse_cfg(750)] ldapserver=(null)
[pam_yubico.c:parse_cfg(751)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(752)] ldapdn=(null)
[pam_yubico.c:parse_cfg(753)] user_attr=(null)
[pam_yubico.c:parse_cfg(754)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(755)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(756)] url=(null)
[pam_yubico.c:parse_cfg(757)] capath=(null)
[pam_yubico.c:parse_cfg(758)] token_id_length=12
[pam_yubico.c:parse_cfg(759)] mode=chresp
[pam_yubico.c:parse_cfg(760)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(799)] get user returned: root
[util.c:get_user_challenge_file(218)] Failed to read serial number (serial-api-visible disabled?).
[pam_yubico.c:do_challenge_response(495)] Loading challenge from file /root/.yubico/challenge
[pam_yubico.c:do_challenge_response(511)] Cannot open file: /root/.yubico/challenge (No such file or directory)
[pam_yubico.c:do_challenge_response(657)] Yubikey core error: timeout
[pam_yubico.c:do_challenge_response(666)] Challenge response failed: No such file or directory


Posted: Wed Sep 04, 2013 10:14 pm

Joined: Wed Sep 04, 2013 6:46 pm
Posts: 4
Ok, took a deeper look:

pam_yubico.so (or whatever, wrote some helper code) calls yk_get_serial(), that calls yk_read_response_from_key(), which then calls yk_wait_for_key_status(). That is where the loop is run until the timeout occurs.

Any idea what goes wrong there?
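
The debug lines posted in this thread can be grouped per failed attempt to see which error each try actually hit. The script below is an added example, not part of any post and not pam_yubico code; the cause labels and the rule that a "Challenge response failed" line closes an attempt are assumptions drawn from the logs above.

```python
import re

# pam_yubico debug format: [source.c:function(line)] message
LINE_RE = re.compile(r"^\[([\w.]+):(\w+)\((\d+)\)\]\s+(.*)$")

# Message prefixes that appear in this thread; the labels are assumed names.
CAUSES = {
    "Yubikey core error: timeout": "device-timeout",
    "USB error: Access denied": "usb-permissions",
    "Failed initializing YubiKey": "init-failed",
    "Failed to read serial number": "serial-read",
    "Cannot open file:": "challenge-file-missing",
}
END_OF_ATTEMPT = "Challenge response failed"  # assumed last line of a failed try

# Sample input: the failed sudo session from the first post, prompts trimmed.
SAMPLE = """\
[sudo] password for artien:
[util.c:get_user_challenge_file(217)] Failed to read serial number (serial-api-visible disabled?).
[pam_yubico.c:do_challenge_response(655)] Yubikey core error: timeout
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
[pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
[pam_yubico.c:do_challenge_response(652)] USB error: Access denied (insufficient permissions)
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
[pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
[pam_yubico.c:do_challenge_response(652)] USB error: Access denied (insufficient permissions)
[pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory
"""

def triage(text):
    """Return one list of cause labels per failed attempt, in log order."""
    attempts, current = [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompts and shell lines are not debug output
        msg = m.group(4)
        if msg.startswith(END_OF_ATTEMPT):
            attempts.append(current)
            current = []
            continue
        label = next((v for k, v in CAUSES.items() if msg.startswith(k)), None)
        if label and label not in current:
            current.append(label)
    return attempts

if __name__ == "__main__":
    for n, labels in enumerate(triage(SAMPLE), 1):
        print(f"attempt {n}: {', '.join(labels) or 'unclassified'}")
```

On the first post's session this separates the first attempt, which ends in a timeout, from the next two, which fail at initialization with a USB access error.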

