Yubico Forum

issue with yubikey and pam.d on centos 6.5
Page 1 of 1

Author:  prensrfc [ Tue Jul 01, 2014 4:16 pm ]
Post subject:  issue with yubikey and pam.d on centos 6.5

Hi, i've got a weird problem which I can't seem to diagnose.

I have 2 near identical Centos 6.5 servers, one a standard install "Web Server" build and one a standard install "Database Server" build, not had a chance to mess with them in order to add anything non standard apart from for yubikey;

cat /etc/redhat-release;
CentOS release 6.5 (Final)

 uname -r;

pulled the latest rpm's from epel repo;
Installed: libyubikey-1.11-2.el6.x86_64
Installed: ykpers-1.6.2-1.el6.x86_64
Installed: ykclient-2.7-1.el6.x86_64
Installed: pam_yubico-2.13-1.el6.x86_64

/etc/pam.d/sshd has the following;
auth       required     pam_yubico.so id=[MYCODE] key=[MYKEY] debug authfile=/etc/yubikeys url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

/etc/yubikeys contains the correct key for the user

/etc/ssh/sshd_config has the following added/enabled;
PermitEmptyPasswords no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes

and on one server (the web version) it works perfectly and on the other (the db version) it doesn't!

only error message is in /var/log/secure;
Jul  1 15:41:14 localhost sshd[6134]: Postponed keyboard-interactive for USER from IPADDR port 55814 ssh2
Jul  1 15:41:19 localhost sshd[6134]: Postponed keyboard-interactive/pam for USER from IPADDR port 55814 ssh2
Jul  1 15:41:26 localhost sshd[6133]: error: PAM: Authentication service cannot retrieve authentication info for USER from IPADDR

the only thing that is noticeable is is a slight delay after the Yubikey is pressed and before the password is asked for on the working server and it there is no delay on the non-working server.

both network's look okay and can resolve the api address fine, i can't seem to see any explanation for this.

anyone any ideas?

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group