Yubico Forum https://forum.yubico.com/
[PROBLEM] pam_yubico and urllist (HA) https://forum.yubico.com/viewtopic.php?f=23&t=1423
Author: jkroepke [ Tue Jul 08, 2014 10:20 am ]
Post subject: [PROBLEM] pam_yubico and urllist (HA)
Hi, I want to use the pam_yubico module with two-factor SSH authentication. Here is my configuration:

Code:
auth requisite pam_yubico.so id=1 urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify authfile=/etc/yubikey_mappings/authorized_yubikeys debug

On the hajvmyk01 server run two instances of yubico-serve. TFA for SSH is configured on hajvmyk02 (client). Currently http://hajvmyk01:8000/wsapi/2.0/verify is not reachable (HA failure test). So if I log in to the client, the login succeeds, but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultktdbfeuhguguvivcldjeugtrbrndfliv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication failure]
Authentication failure.

Another login fails, but the log says:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify;http://hajvmyk01:8002/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultdgngcbedjirtfuncljkinvjjktktuccc ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(222)] Using system-wide auth_file /etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:check_user_token(179)] Authorization line: root:vvuficteuult
[pam_yubico.c:check_user_token(183)] Matched user: root
[pam_yubico.c:check_user_token(188)] Authorization token: vvuficteuult
[pam_yubico.c:check_user_token(191)] Match user/token as root/vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Success]
Success.

The third try is a little bit strange: it times out. Log:

Code:
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 1 argc 4
[pam_yubico.c:parse_cfg(767)] argv[0]=id=1
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(767)] argv[2]=authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(767)] argv[3]=debug
[pam_yubico.c:parse_cfg(768)] id=1
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings/authorized_yubikeys
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=http://hajvmyk01:8000/wsapi/2.0/verify
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: root
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 53 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 9 bytes. Length is 53, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: vvuficteuultbjfnlfekbirdgeuejelkjgeekhenhejv ID: vvuficteuult
[pam_yubico.c:pam_sm_authenticate(1012)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK

The urllist parameter has changed and is not equal to the one in the PAM file. Does anybody know of this problem, or what I misconfigured? I use Ubuntu 12.04 and the official Yubico PPA packages.
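A small runnable model of the behaviour the post configures, added here as an example; it is not code from pam_yubico, ykclient or yubico-serve. It assumes the verify URLs are tried one after another in list order (the real ykclient library queries them concurrently) and uses constructed replies in place of the two yubico-serve instances; the OTPs and the 9-character password are constructed as well. The "truncated" case replays what the third log shows: a urllist that contains only the :8000 endpoint, which the post says is unreachable.

```python
# Added example for this thread, not code from pam_yubico, ykclient or
# yubico-serve.  Assumptions: URLs are tried in list order (the real ykclient
# queries them concurrently) and replies are key=value lines with status=.
from __future__ import annotations

import secrets
from typing import Callable, Optional

OTP_LEN = 32  # per the log line "token OTP always 32"
# The urllist exactly as in the post's PAM line.
URLLIST = ("http://hajvmyk01:8000/wsapi/2.0/verify;"
           "http://hajvmyk01:8002/wsapi/2.0/verify")


def parse_urllist(urllist: str) -> list[str]:
    """Split the 'urllist=' value on ';' into the individual verify URLs."""
    return [u for u in urllist.split(";") if u]


def split_password_otp(authtok: str, token_id_length: int = 12) -> tuple[str, str, str]:
    """Mirror the log's 'Skipping first N bytes': the trailing token_id_length + 32
    characters are the OTP, the rest is the system password typed before it.
    Returns (password, public_id, full_otp)."""
    total = token_id_length + OTP_LEN
    if len(authtok) < total:
        raise ValueError("auth token shorter than a YubiKey OTP")
    password, otp = authtok[:-total], authtok[-total:]
    return password, otp[:token_id_length], otp


def parse_verify_response(body: str) -> dict[str, str]:
    """Turn the 'key=value' lines of a /wsapi/2.0/verify reply into a dict."""
    fields: dict[str, str] = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def verify_otp(otp: str, urls: list[str], client_id: int,
               fetch: Callable[[str], str]) -> tuple[str, Optional[str]]:
    """Try each verify URL in order; return (status, url_that_answered).
    A transport failure moves on to the next URL.  Any real answer ends the
    attempt, even a negative one such as REPLAYED_OTP, so a rejected OTP is
    never retried on another server.  No answer at all -> ('NO_RESPONSE', None)."""
    nonce = secrets.token_hex(16)
    for base in urls:
        url = f"{base}?id={client_id}&otp={otp}&nonce={nonce}"
        try:
            body = fetch(url)
        except (TimeoutError, ConnectionError):
            continue
        reply = parse_verify_response(body)
        # The reply must echo our otp and nonce, or it is not an answer to this request.
        if reply.get("otp") != otp or reply.get("nonce") != nonce:
            return "BAD_RESPONSE", base
        return reply.get("status", "MISSING_STATUS"), base
    return "NO_RESPONSE", None


def authorized(user: str, public_id: str, authfile_text: str) -> bool:
    """Check a 'user:id1:id2' mapping file like the log's line 'root:vvuficteuult'."""
    for line in authfile_text.splitlines():
        parts = line.strip().split(":")
        if parts[0] == user and public_id in parts[1:]:
            return True
    return False


def make_fake_servers(down: set[str]) -> Callable[[str], str]:
    """Constructed stand-in for the two yubico-serve instances (no network I/O):
    URLs in `down` time out; the others answer OK for a fresh OTP, REPLAYED_OTP after."""
    seen: set[str] = set()

    def fetch(url: str) -> str:
        base, _, query = url.partition("?")
        if base in down:
            raise TimeoutError(base)
        params = dict(p.split("=", 1) for p in query.split("&"))
        status = "REPLAYED_OTP" if params["otp"] in seen else "OK"
        seen.add(params["otp"])
        return f"otp={params['otp']}\nnonce={params['nonce']}\nstatus={status}\n"

    return fetch


def demo() -> dict[str, tuple[str, Optional[str]]]:
    """Replay the post's three situations with constructed (not real) OTPs."""
    urls = parse_urllist(URLLIST)
    fetch = make_fake_servers(down={urls[0]})  # :8000 unreachable, as in the post
    otp1, otp2 = "vvuficteuult" + "c" * 32, "vvuficteuult" + "d" * 32
    return {
        "failover": verify_otp(otp1, urls, 1, fetch),       # :8000 down, :8002 -> OK
        "replay": verify_otp(otp1, urls, 1, fetch),         # same OTP -> REPLAYED_OTP
        "truncated": verify_otp(otp2, urls[:1], 1, fetch),  # only :8000, as in log 3
    }


if __name__ == "__main__":
    for case, (status, url) in demo().items():
        print(f"{case:10} {status:13} via {url}")
```

Run it with `python3 urllist_failover.py` (the file name is arbitrary). Two points the model makes explicit: a status other than OK, and a list on which no server answers at all, both have to fail closed, and an OTP that one server has already rejected as replayed is not offered to the next server in the list. The `authorized` check is the second gate the successful log passes, after the verify status: an OK from the server only says the OTP is genuine, the authfile line says which user may use that public id.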
All times are UTC + 1 hour