Yubico Forum
https://forum.yubico.com/

Yubikey SSH ykclient issue 106
https://forum.yubico.com/viewtopic.php?f=5&t=842

Author:  yann [ Sun Aug 05, 2012 1:05 pm ]
Post subject:  Yubikey SSH ykclient issue 106

Dear Yubico-forum users,

I recently bought a YubiKey, and I am trying to set it up with SSH (two-factor authentication).
Going through all the steps from the Hak5 video, plus a lot of forums, GitHub wikis and Google Code groups, I still can't get it to work. (It's making me not sleep.)

Some details:
(Yeah, the server is a Raspberry Pi)

Operating System: Linux 3.2.20-rpi1+ #5 Sun Jun 17 15:59:27 BST 2012 armv6l GNU/Linux

Versions:

Libykclient-dev 2.3-3
Libykclient3 2.3-3
Libkeyutils1 1.4-1
Libyubikey0 1.5-1

yubico-c-client ==> latest pull from github
yubikey-personalization ==> latest pull from github
yubico-pam ==> latest pull from github



Hereby I want to ask what is the solution to this error code:



<--snip-->
[pam_yubico.c:pam_sm_authenticate(901)] conv returned 55 bytes
[pam_yubico.c:pam_sm_authenticate(919)] Skipping first 11 bytes. Length is 55, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(926)] OTP: xxxx ID: xxxx
[pam_yubico.c:pam_sm_authenticate(941)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(957)] ykclient return value (106): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(997)] done. [Authentication service cannot retrieve authentication info]
</--snip-->

I can only log in to SSH with the YubiKey if I put 'sufficient' instead of 'required' in /etc/pam.d/sshd.
However, making auth sufficient, it isn't two-factor authentication anymore.

[/etc/pam.d/sshd]
<--snip-->
auth required pam_yubico.so id=xxxx key=xxxxx= debug
</--snip-->

Now the SSH server is only requesting the password, whereby I can log in over SSH (without the YubiKey, even though all the configuration options are set).
I am using the YubiCloud to verify the key. (default)
When I try to authenticate to the default Yubico servers using ykclient only, it is successful.

When making yubikey-personalization, I also get the following warning:


ykpersonalize.c:69: warning: initialization makes integer from pointer without a cast



Thanks in advance.

Author:  Klas [ Mon Aug 06, 2012 8:53 am ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Hello,

The BAD_SERVER_SIGNATURE error is returned from the client when the signature on the server response doesn't match with the api-key inputted. Verify that you've inputted the correct key from https://upgrade.yubico.com/getapikey/

/klas
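
What the signature check behind error 106 looks like, as an added example (not ykclient's code and not part of the original posts): it assumes the YubiCloud validation protocol's response signing, where `h` is the base64 HMAC-SHA1 of the other response fields, sorted by name and joined with `&`, keyed with the base64-decoded API key. The keys, OTP, nonce and timestamp are constructed sample values.

```python
import base64
import hashlib
import hmac


def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the sorted key=value pairs joined by '&'."""
    key = base64.b64decode(api_key_b64)  # the API key is handed out base64-encoded
    line = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return base64.b64encode(hmac.new(key, line.encode(), hashlib.sha1).digest()).decode()


def parse_response(body):
    """Parse the 'key=value' lines of a verification response into a dict."""
    fields = {}
    for raw in body.splitlines():
        if "=" in raw:
            k, v = raw.strip().split("=", 1)  # base64 values may themselves end in '='
            fields[k] = v
    return fields


def check_response(body, api_key_b64):
    """Return 'OK' or 'BAD_SERVER_SIGNATURE' for a response body."""
    fields = parse_response(body)
    received = fields.pop("h", "")  # h is the signature, not part of the signed data
    expected = sign(fields, api_key_b64)
    if hmac.compare_digest(received.encode(), expected.encode()):
        return "OK"
    # Reject the response even if it says status=OK: it cannot be trusted.
    return "BAD_SERVER_SIGNATURE"


# Constructed sample data: neither key is a real API key, the OTP is a placeholder.
CONFIGURED_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTHER_KEY = base64.b64encode(b"some-other-client-key").decode()
_fields = {
    "t": "2012-08-06T08:53:00Z0123",
    "otp": "cccccccccccb" + "d" * 32,
    "nonce": "aef3a7835277a28da831005c2ae3b919",
    "sl": "100",
    "status": "OK",
}
SAMPLE_BODY = ("h=" + sign(_fields, CONFIGURED_KEY) + "\r\n"
               + "\r\n".join(f"{k}={v}" for k, v in _fields.items()) + "\r\n")

if __name__ == "__main__":
    print(check_response(SAMPLE_BODY, CONFIGURED_KEY))
    print(check_response(SAMPLE_BODY, OTHER_KEY))
```

A mismatch only says that the locally computed HMAC differs from `h`; a wrong key, a response altered in transit and a faulty HMAC computation on the client all produce the same result.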

Author:  yann [ Mon Aug 06, 2012 9:37 am ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Klas-at-Yubico wrote:
Hello,

The BAD_SERVER_SIGNATURE error is returned from the client when the signature on the server response doesn't match with the api-key inputted. Verify that you've inputted the correct key from https://upgrade.yubico.com/getapikey/

/klas


Yeah, did that. Still get BAD_SERVER_SIGNATURE (even though I tried a few api keys, and waited a time).
Now when I issue ykclient --apikey KEY ID OTP, it gives me the 106 BAD_SERVER_SIGNATURE error.

[EDIT]:

I reinstalled everything, and I still get the 106 error.
Also, I noticed that I have multiple versions of libusb. Is this normal?

Code:
user@test:~$ dpkg -l | grep yu
ii  libkeyutils1                      1.4-1                           Linux Key Management Utilities (library)
rc  libyubikey0                       1.5-1                           Yubikey OTP handling library runtime
user@test:~$ dpkg -l | grep liby
ii  libyaml-perl                      0.71-1                          YAML Ain't Markup Language
ii  libyaml-syck-perl                 1.12-1                          Perl module providing a fast, lightweight YAML loader and dumper
ii  libykclient-dev                   2.3-3                           Yubikey client library development files
ii  libykclient3                      2.3-3                           Yubikey client library runtime
rc  libyubikey0                       1.5-1                           Yubikey OTP handling library runtime
user@test:~$ dpkg -l | grep libusb
ri  libusb-0.1-4                      2:0.1.12-16                     userspace USB programming library
ri  libusb-1.0-0                      2:1.0.8-2                       userspace USB programming library
ii  libusb-1.0-0-dev                  2:1.0.8-2                       userspace USB programming library development files
ii  libusb-dev                        2:0.1.12-16                     userspace USB programming library development files
rc  libusbmuxd1                       1.0.4-1                         USB multiplexor daemon for iPhone and iPod Touch devices - library

Author:  Klas [ Mon Aug 06, 2012 1:15 pm ]
Post subject:  Re: Yubikey SSH ykclient issue 106

You seem to be quite correct. I've started up an emulated ARM machine and I run into signature problems; something is buggy with the request signing on ARM. I'm working on finding and fixing it.

/klas

Author:  Klas [ Mon Aug 06, 2012 2:06 pm ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Hello again,

I've now pushed a possible fix (https://github.com/Yubico/yubico-c-clie ... 0ed97cda40) for this issue to GitHub; with this fix my emulated ARM machine works as it should.

Thanks for taking the time to report this issue!

/klas

Author:  yann [ Mon Aug 06, 2012 3:37 pm ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Klas-at-Yubico wrote:
Hello again,

I've now pushed a possible fix (https://github.com/Yubico/yubico-c-clie ... 0ed97cda40) for this issue to GitHub; with this fix my emulated ARM machine works as it should.

Thanks for taking the time to report this issue!

/klas


[EDIT]:
Wow! Thanks a lot!!! Saved my day! No thanks, thank you ;-0
I hereby confirm that SSH-YubiKey two-factor authentication is grand on a Raspberry Pi. (ARM)

Author:  fozzy [ Wed May 01, 2013 1:37 pm ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Would you mind documenting how you've set up your Raspberry Pi for YubiKey authentication?

Taking it a step further, a Raspberry Pi port of the yubiradius server would be excellent for a home authentication server.

Author:  multiOTP [ Sat Dec 20, 2014 3:52 am ]
Post subject:  Re: Yubikey SSH ykclient issue 106

fozzy wrote:
Would you mind documenting how you've set up your Raspberry Pi for YubiKey authentication?

Taking it a step further, a Raspberry Pi port of the yubiradius server would be excellent for a home authentication server.


Hello, I've published an optimized Raspberry Pi binary image of multiOTP open source, a strong authentication RADIUS server with a simple web GUI that supports Yubikeys and also OATH-HOTP and OATH-TOTP hardware or software tokens. multiOTP open source is based on our open source PHP library.

You can have a look here: http://www.multiotp.net/

And the direct download of the Raspberry Pi image is here: http://download.multiotp.net/raspberry/

Best regards,

Andre Liechti
Project leader of multiOTP open source

Author:  Tom2 [ Mon Dec 22, 2014 9:54 am ]
Post subject:  Re: Yubikey SSH ykclient issue 106

Thanks, this is interesting.

Tom

All times are UTC + 1 hour