Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Yubikey pam error when using challenge-response #100

Open Carlgo11 opened 8 years ago

Carlgo11 commented 8 years ago

Hello, I tried to set up my YubiKey with PAM. When using the client mode it works, but when using challenge-response I get the following output half of the time.

carl@ubuntu:~$ sudo -i
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 32768 argc 8
[../pam_yubico.c:parse_cfg(764)] argv[0]=try_first_pass
[../pam_yubico.c:parse_cfg(764)] argv[1]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[2]=chalresp_path=/var/yubico
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(764)] argv[4]=id=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[5]=key=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[6]=mode=challenge-response
[../pam_yubico.c:parse_cfg(764)] argv[7]=debug
[../pam_yubico.c:parse_cfg(765)] id=[REMOVED]
[../pam_yubico.c:parse_cfg(766)] key=[REMOVED]
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=1
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=chresp
[../pam_yubico.c:parse_cfg(783)] chalresp_path=/var/yubico
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: carl
[../pam_yubico.c:do_challenge_response(505)] Loading challenge from file /var/yubico/carl-2575140
[../util.c:load_chalresp_state(269)] Challenge: 1d6bebd9e0aae142ff1f6a1a136100d8ed1b2a488caa207d919959829872fc317b22f9b78ee095ee6f5f36a08484374580b424f3058d69c19777671cc9609b, hashed response: 915995f4806d8613c718af05138da469d5f4a55d, salt: bc76caba32b98f2cde3a092599484baac62a4541cf3e36685af782ba94106886, iterations: 10000, slot: 2
[../pam_yubico.c:do_challenge_response(561)] Challenge-response FAILED
[../pam_yubico.c:do_challenge_response(680)] Yubikey core error: timeout
[../pam_yubico.c:do_challenge_response(689)] Challenge response failed: No such file or directory
[sudo] password for carl 

I don't see what the problem is because half of the time it works. For reference, this is what it looks like when the challenge response is successful:

carl@ubuntu:~$ sudo -i
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 32768 argc 8
[../pam_yubico.c:parse_cfg(764)] argv[0]=try_first_pass
[../pam_yubico.c:parse_cfg(764)] argv[1]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[2]=chalresp_path=/var/yubico
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(764)] argv[4]=id=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[5]=key=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[6]=mode=challenge-response
[../pam_yubico.c:parse_cfg(764)] argv[7]=debug
[../pam_yubico.c:parse_cfg(765)] id=[REMOVED]
[../pam_yubico.c:parse_cfg(766)] key=[REMOVED]
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=1
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=chresp
[../pam_yubico.c:parse_cfg(783)] chalresp_path=/var/yubico
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: carl
[../pam_yubico.c:do_challenge_response(505)] Loading challenge from file /var/yubico/carl-2575140
[../util.c:load_chalresp_state(269)] Challenge: 1d6bebd9e0aae142ff1f6a1a136100d8ed1b2a488caa207d919959829872fc317b22f9b78ee095ee6f5f36a08484374580b424f3058d69c19777671cc9609b, hashed response: 915995f4806d8613c718af05138da469d5f4a55d, salt: bc76caba32b98f2cde3a092599484baac62a4541cf3e36685af782ba94106886, iterations: 10000, slot: 2
[../pam_yubico.c:do_challenge_response(583)] Got the expected response, generating new challenge (63 bytes).
[../pam_yubico.c:do_challenge_response(663)] Challenge-response success!
[sudo] password for carl: 

Hopefully I didn't paste anything that should be kept secret. If so, please remove that.

klali commented 8 years ago

There's nothing that has to be kept secret in what you pasted. When running in challenge-response mode the key and id parameters are not used.

What version are you running? What version of YubiKey are you using it with? Is your key configured for touching the button on challenge response?
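A way to triage pam_yubico debug output like the two runs in this thread, as an added example that is not part of the issue or of the project's code. The function name `triage` and the wording of the findings are hypothetical; the sample is a subset of lines copied from the failing run above, and the touch hint restates the question asked in the reply.

```python
import re

# Debug lines copied from the failing run above; the long hex state line is left out.
SAMPLE_FAIL = """\
[../pam_yubico.c:parse_cfg(764)] argv[0]=try_first_pass
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(764)] argv[4]=id=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[5]=key=[REMOVED]
[../pam_yubico.c:parse_cfg(764)] argv[6]=mode=challenge-response
[../pam_yubico.c:parse_cfg(764)] argv[7]=debug
[../pam_yubico.c:do_challenge_response(561)] Challenge-response FAILED
[../pam_yubico.c:do_challenge_response(680)] Yubikey core error: timeout
[../pam_yubico.c:do_challenge_response(689)] Challenge response failed: No such file or directory
"""

LINE = re.compile(r"^\[[^:\]]+:(?P<func>\w+)\(\d+\)\] (?P<msg>.*)$")
UNUSED_IN_CHALRESP = ("id", "key")  # per the maintainer's reply above

def triage(log):
    """Summarise one pam_yubico debug run: mode, outcome, core errors, config findings."""
    args, outcome, errors = [], "unknown", []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. the shell prompt or the sudo password prompt
        func, msg = m["func"], m["msg"]
        arg = re.match(r"argv\[\d+\]=(.*)", msg)
        if func == "parse_cfg" and arg:
            args.append(arg.group(1))
        elif func == "do_challenge_response":
            if msg.startswith("Challenge-response success"):
                outcome = "success"
            elif msg.startswith("Challenge-response FAILED"):
                outcome = "failed"
            elif msg.startswith("Yubikey core error:"):
                errors.append(msg.split(":", 1)[1].strip())
    names = [a.split("=", 1)[0] for a in args]
    mode = dict(a.split("=", 1) for a in args if "=" in a).get("mode")
    findings = []
    if mode == "challenge-response":
        findings += [f"{n}= is not used in this mode" for n in names if n in UNUSED_IN_CHALRESP]
    findings += [f"{n} is passed more than once" for n in sorted(set(names)) if names.count(n) > 1]
    if "timeout" in errors:
        findings.append("token timed out: check whether the slot requires a button touch")
    return {"mode": mode, "outcome": outcome, "errors": errors, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FAIL).items():
        print(key, value)
```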