Yubico Forum
https://forum.yubico.com/

[S!] Challenge-response success, still can't log in (Linux)
https://forum.yubico.com/viewtopic.php?f=23&t=1969

Author:  MarkC [ Mon Jul 20, 2015 5:40 pm ]
Post subject:  [S!] Challenge-response success, still can't log in (Linux)

Using libpam-yubico from the PPA, I've been able to set up my Linux Mint 17 box to require Yubico OTP authentication when logging into the local console. That all works perfectly.

I can't get it to work in challenge-response mode, though. I've commented out the Yubico OTP line in /etc/pam.d/login and put the following in immediately after it:

Code:
auth required pam_yubico.so mode=challenge-response debug


I've configured slot 2 to HMAC-SHA1, both via the GUI and command line config tools - in the latter case by a copy and paste of the instructions on GitHub, to avoid any misconfiguration. I've used the ykpamcfg tool to generate an initial per-user challenge in ~/.yubico. I've also created a log file. As far as I can tell, the setup is as it should be.

When I switch to the console and try to log in, I receive a "login incorrect" message. I'm 100% certain that the username and password are correct, and checking the log file it all appears to be okay, ending with this:

Code:
[pam_yubico.c:do_challenge_response(541)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(621)] Challenge-response success!


The challenge file has also been updated with a new challenge, as expected.


Does anyone have any thoughts or ideas about this? Is there a way to get additional logging out, so that I can confirm that the PAM module is returning a success code? Any help would be greatly appreciated.


Edit: I forgot to mention, I'm NOT using an encrypted partition or filesystem of any sort.

Author:  MarkC [ Mon Jul 20, 2015 10:56 pm ]
Post subject:  Re: Challenge-response success, but still can't log in (Linu

SOLVED.

tl;dr: Stupid user error.


Examining /var/log/auth.log gave me the clue I needed to find that the # in front of a comment in the PAM configuration file had got lost when copying and pasting. This resulted in PAM parsing the comment and treating the first word as an illegal module type. After reinstating the # it all works perfectly.
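
The failure described in the post above (a comment that lost its leading # and was parsed as a rule) can be caught before a login attempt by checking the first field of every line in the service file. The script below is an added example, not part of the original thread or of libpam-yubico; the function name lint_pam and the sample file contents are constructed for illustration, and it goes slightly beyond the case in the post by also checking the control field.

```python
import sys

MODULE_TYPES = {"auth", "account", "password", "session"}
SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional",
                   "include", "substack"}

# Constructed sample: line 3 is a comment whose leading '#' was lost.
SAMPLE = """\
# Yubico OTP rule is commented out above this point
# challenge-response rule follows
Use slot 2 of the YubiKey for HMAC-SHA1
auth required pam_yubico.so mode=challenge-response debug
@include common-auth
"""

def lint_pam(text):
    """Return [(line_number, message)] for lines that are not valid rules."""
    problems, pending, start = [], "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = number
        if raw.endswith("\\"):            # backslash continues the rule
            pending += raw[:-1] + " "
            continue
        line = (pending + raw).split("#", 1)[0].strip()
        pending = ""
        fields = line.split()
        if not fields or fields[0] == "@include":   # blank, comment, Debian include
            continue
        # A leading '-' on the type is legal (suppresses missing-module logging).
        mtype = fields[0][1:] if fields[0].startswith("-") else fields[0]
        if mtype.lower() not in MODULE_TYPES:
            problems.append((start, f"illegal module type {fields[0]!r}"))
            continue
        rest = line.split(None, 1)[1] if len(fields) > 1 else ""
        if rest.startswith("["):          # [value=action ...] control
            ok = bool(rest.partition("]")[2].split())
        else:
            ok = len(fields) >= 3 and fields[1].lower() in SIMPLE_CONTROLS
        if not ok:
            problems.append((start, "missing or unknown control or module path"))
    return problems

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for number, message in lint_pam(source):
        print(f"line {number}: {message}")
```

Run it against /etc/pam.d/login after any edit and before logging out of the session you edited from, so a broken file can still be repaired.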

Author:  Tom2 [ Tue Jul 21, 2015 12:03 pm ]
Post subject:  Re: [S!] Challenge-response success, still can't log in (Lin

Please read rules of the board:

viewtopic.php?f=25&t=937&p=3515#p3515

All times are UTC + 1 hour