Yubico Forum
https://forum.yubico.com/

[BUG] pam config no longer working after SSL renewal
https://forum.yubico.com/viewtopic.php?f=23&t=1448

Author:  hobleyd [ Wed Aug 20, 2014 1:24 pm ]
Post subject:  [BUG] pam config no longer working after SSL renewal

Hello,

I have a couple of Yubikeys which I have configured with my own authentication server; I have pam configured to use that server and it has all been working well.

I renewed my ssl certificates a few days ago and since then, the pam authentication has failed to work. If I put pam into debug mode, I get:

[pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: <OTP> ID: cccccccccccb
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (101): Could not parse server response
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication service cannot retrieve authentication info]

However, if I run curl from the command line to double check things:

curl "https://<url>/wsapi/2.0/verify?id=1&otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif&nonce=12345678901234567890"
h=ZNrvPCKBjfbPA6sVuBaIQcZ2wtc=
t=2014-08-20T10:50:53Z0954
otp=cccccccccccbuejgbetvinrggvhbblghibrlbnefudif
nonce=12345678901234567890
sl=0
status=OK

If I put the old SSL certs back in place, everything starts working again. The only thing I can think of is that I use a 4096 byte SSL key, rather than the standard 2048 - could this cause the issue?

Any idea how I can debug things? The rest of my SSL infrastructure works fine - Firefox recognises everything as normal; curl has no issues, I don't really know where to go next...

The pam config is:

auth sufficient pam_yubico.so debug id=1 url=https://<url>/wsapi/2.0/verify?id=%d&otp=%s

Cheers,
David

All times are UTC + 1 hour