Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:44 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 9 posts ] 
Author Message
PostPosted: Sun Aug 05, 2012 1:05 pm 
Offline

Joined: Sun Aug 05, 2012 1:00 pm
Posts: 3
Dear Yubico-forum users,

I recently bought an yubikey, and trying to set it up with ssh (two factor authentication).
Going through all the steps from the Hak5 video, plus a lot of forums, github wiki's and google code groups, I still can't get it to work. (It's making me not sleep).

Some details:
(Yeah, the server is an raspberry pi)

Operating System: Linux 3.2.20-rpi1+ #5 Sun Jun 17 15:59:27 BST 2012 armv6l GNU/Linux

Versions:

Libykclient-dev 2.3-3
Libykclient3 2.3-3
Libkeyutils1 1.4-1
Libyubikey0 1.5-1

yubico-c-client ==> latest pull from github
yubikey-personalization ==> latest pull from github
yubico-pam ==> latest pull from github



Hereby I want to ask what is the solution to this error code:



<--snip-->


[pam_yubico.c:pam_sm_authenticate(901)] conv returned 55 bytes
[pam_yubico.c:pam_sm_authenticate(919)] Skipping first 11 bytes. Length is 55, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(926)] OTP: xxxx ID: xxxx
[pam_yubico.c:pam_sm_authenticate(941)] Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[pam_yubico.c:pam_sm_authenticate(957)] ykclient return value (106): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(997)] done. [Authentication service cannot retrieve authentication info]




</--snip-->

I can only login to ssh with the yubikey, if I put 'sufficient' instead of 'required' in /etc/pam.d/sshd.
However, making auth sufficient, it isn't two factor authentication anymore.

[/etc/pam.d/sshd]
<--snip-->
auth required pam_yubico.so id=xxxx key=xxxxx= debug
</--snip-->

Now the ssh server is only requesting the password, whereby I can login over ssh (without yubikey, even though all the configuration options are set).
I am using the YubiCloud to verify the key. (default)
When I try to authenticate, to the default yubico servers, using ykclient only it is successful.

When making yubikey-personalization, I also get the following warning:


ykpersonalize.c:69: warning: initialization makes integer from pointer without a cast



Thanks in advance.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Aug 06, 2012 8:53 am 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

The BAD_SERVER_SIGNATURE error is returned from the client when the signature on the server response doesn't match with the api-key inputted. Verify that the you've inputted the correct key from https://upgrade.yubico.com/getapikey/

/klas


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 9:37 am 
Offline

Joined: Sun Aug 05, 2012 1:00 pm
Posts: 3
Klas-at-Yubico wrote:
Hello,

The BAD_SERVER_SIGNATURE error is returned from the client when the signature on the server response doesn't match with the api-key inputted. Verify that the you've inputted the correct key from https://upgrade.yubico.com/getapikey/

/klas


Yeah, did that. Still get BAD_SERVER_SIGNATURE (even though I tried a few api keys, and waited a time).
Now when I issue ykclient --apikey KEY ID OTP, it gives me the 106 BAD_SERVER_SIGNATURE error.

[EDIT]:

I reinstalled everything, and I stil get the 106 error.
Also, I noticed that I have multiple versions of libusb. Is this normal?

Code:
user@test:~$ dpkg -l | grep yu
ii  libkeyutils1                      1.4-1                           Linux Key Management Utilities (library)
rc  libyubikey0                       1.5-1                           Yubikey OTP handling library runtime
user@test:~$ dpkg -l | grep liby
ii  libyaml-perl                      0.71-1                          YAML Ain't Markup Language
ii  libyaml-syck-perl                 1.12-1                          Perl module providing a fast, lightweight YAML loader and dumper
ii  libykclient-dev                   2.3-3                           Yubikey client library development files
ii  libykclient3                      2.3-3                           Yubikey client library runtime
rc  libyubikey0                       1.5-1                           Yubikey OTP handling library runtime
user@test:~$ dpkg -l | grep libusb
ri  libusb-0.1-4                      2:0.1.12-16                     userspace USB programming library
ri  libusb-1.0-0                      2:1.0.8-2                       userspace USB programming library
ii  libusb-1.0-0-dev                  2:1.0.8-2                       userspace USB programming library development files
ii  libusb-dev                        2:0.1.12-16                     userspace USB programming library development files
rc  libusbmuxd1                       1.0.4-1                         USB multiplexor daemon for iPhone and iPod Touch devices - library


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 1:15 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
You seem to be quite correct. I've started up an emulated ARM machine and I run into signature problems, something is buggy with the request signing on ARM. I'm working on finding and fixing it.

/klas


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 2:06 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello again,

I've now pushed a possible fix (https://github.com/Yubico/yubico-c-clie ... 0ed97cda40) for this issue to github, with this fix my emulated ARM machine works as it should.

Thanks for taking the time to report this issue!

/klas


Top
 Profile  
Reply with quote  
PostPosted: Mon Aug 06, 2012 3:37 pm 
Offline

Joined: Sun Aug 05, 2012 1:00 pm
Posts: 3
Klas-at-Yubico wrote:
Hello again,

I've now pushed a possible fix (https://github.com/Yubico/yubico-c-clie ... 0ed97cda40) for this issue to github, with this fix my emulated ARM machine works as it should.

Thanks for taking the time to report this issue!

/klas


[EDIT]:
Wow! Thanks alot!!! Saved my day! No thanks, thank you ;-0
I hereby confirm that SSH-yubikey two-factor authentication is grand on an Rasperry Pi. (ARM)


Top
 Profile  
Reply with quote  
PostPosted: Wed May 01, 2013 1:37 pm 
Offline

Joined: Tue Oct 02, 2012 3:54 am
Posts: 4
Would you mind documenting how you've setup your raspberrypi for yubikey authentication.

Taking it a step further, a raspberrypi port of the yubiradius server would be excellent for a home authentication server.


Top
 Profile  
Reply with quote  
PostPosted: Sat Dec 20, 2014 3:52 am 
Offline

Joined: Sat Dec 20, 2014 2:59 am
Posts: 4
fozzy wrote:
Would you mind documenting how you've setup your raspberrypi for yubikey authentication.

Taking it a step further, a raspberrypi port of the yubiradius server would be excellent for a home authentication server.


Hello, I've published an optimized Raspberry Pi binary image of multiOTP open source, a strong authentication RADIUS server with a simple web GUI that supports Yubikeys and also OATH-HOTP and OATH-TOTP hardware or software tokens. multiOTP open source is based on our open source PHP library.

You can have a look here: http://www.multiotp.net/

And the direct download of the Raspberry Pi image is here: http://download.multiotp.net/raspberry/

Best regards,

Andre Liechti
Project leader of multiOTP open source


Top
 Profile  
Reply with quote  
PostPosted: Mon Dec 22, 2014 9:54 am 
Offline
Site Admin
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Thanks, this is interesting.

Tom


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group