Open dtwiss opened 6 years ago
The "Unexpected response..." string is when the calculated challenge response doesn't match the saved. Did you just register it with ykpamcfg?
Do you get any more debug output than that?
How long is the [redacted] string?
debug: pam_yubico.c:846 (parse_cfg): called.
debug: pam_yubico.c:847 (parse_cfg): flags 32768 argc 4
debug: pam_yubico.c:849 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:849 (parse_cfg): argv[1]=chalresp_path=/var/yubico
debug: pam_yubico.c:849 (parse_cfg): argv[2]=debug
debug: pam_yubico.c:849 (parse_cfg): argv[3]=debug_file=/var/run/pam-debug.log
debug: pam_yubico.c:850 (parse_cfg): id=0
debug: pam_yubico.c:851 (parse_cfg): key=(null)
debug: pam_yubico.c:852 (parse_cfg): debug=1
debug: pam_yubico.c:853 (parse_cfg): debug_file=5
debug: pam_yubico.c:854 (parse_cfg): alwaysok=0
debug: pam_yubico.c:855 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:856 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:857 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:858 (parse_cfg): nullok=0
debug: pam_yubico.c:859 (parse_cfg): authfile=(null)
debug: pam_yubico.c:860 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:861 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:862 (parse_cfg): ldap_bind_user=(null)
debug: pam_yubico.c:863 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:864 (parse_cfg): ldap_filter=(null)
debug: pam_yubico.c:865 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:866 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:867 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:868 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:869 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:870 (parse_cfg): url=(null)
debug: pam_yubico.c:871 (parse_cfg): urllist=(null)
debug: pam_yubico.c:872 (parse_cfg): capath=(null)
debug: pam_yubico.c:873 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:874 (parse_cfg): proxy=(null)
debug: pam_yubico.c:875 (parse_cfg): token_id_length=12
debug: pam_yubico.c:876 (parse_cfg): mode=chresp
debug: pam_yubico.c:877 (parse_cfg): chalresp_path=/var/yubico
debug: pam_yubico.c:907 (pam_sm_authenticate): pam_yubico version: 2.27
debug: pam_yubico.c:922 (pam_sm_authenticate): get user returned: dt
debug: pam_yubico.c:926 (pam_sm_authenticate): libykpers version: 1.19.1
debug: pam_yubico.c:496 (do_challenge_response): Checking for user challenge files
debug: pam_yubico.c:499 (do_challenge_response): Challenge files found
debug: util.c:230 (check_firmware_version): YubiKey Firmware version: 4.3.3
debug: pam_yubico.c:534 (do_challenge_response): Loading challenge from file /var/yubico/dt-5423791
debug: util.c:453 (load_chalresp_state): Challenge:
debug: pam_yubico.c:606 (do_challenge_response): Unexpected response:
debug: pam_yubico.c:724 (do_challenge_response): Challenge-response failed: Resource temporarily unavailable
debug: pam_yubico.c:1229 (pam_sm_authenticate): done. [Authentication failure]
I am getting the exact same behavior on Devuan ascii with kernel version 4.17.6. I first tried compiling against libusb, which gave me the error "Device or resource busy". Compiling against libusb-1.0 gives the error "Resource temporarily unavailable".
My libusb is version 0.1.12. My libusb-1.0 is version 1.0.21.
debug: pam_yubico.c:846 (parse_cfg): called.
debug: pam_yubico.c:847 (parse_cfg): flags 0 argc 5
debug: pam_yubico.c:849 (parse_cfg): argv[0]=nullok
debug: pam_yubico.c:849 (parse_cfg): argv[1]=mode=challenge-response
debug: pam_yubico.c:849 (parse_cfg): argv[2]=chalresp_path=/var/lib/yubico
debug: pam_yubico.c:849 (parse_cfg): argv[3]=debug
debug: pam_yubico.c:849 (parse_cfg): argv[4]=debug_file=/var/log/yubico/pam.log
debug: pam_yubico.c:850 (parse_cfg): id=0
debug: pam_yubico.c:851 (parse_cfg): key=(null)
debug: pam_yubico.c:852 (parse_cfg): debug=1
debug: pam_yubico.c:853 (parse_cfg): debug_file=3
debug: pam_yubico.c:854 (parse_cfg): alwaysok=0
debug: pam_yubico.c:855 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:856 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:857 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:858 (parse_cfg): nullok=1
debug: pam_yubico.c:859 (parse_cfg): authfile=(null)
debug: pam_yubico.c:860 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:861 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:862 (parse_cfg): ldap_bind_user=(null)
debug: pam_yubico.c:863 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:864 (parse_cfg): ldap_filter=(null)
debug: pam_yubico.c:865 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:866 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:867 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:868 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:869 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:870 (parse_cfg): url=(null)
debug: pam_yubico.c:871 (parse_cfg): urllist=(null)
debug: pam_yubico.c:872 (parse_cfg): capath=(null)
debug: pam_yubico.c:873 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:874 (parse_cfg): proxy=(null)
debug: pam_yubico.c:875 (parse_cfg): token_id_length=12
debug: pam_yubico.c:876 (parse_cfg): mode=chresp
debug: pam_yubico.c:877 (parse_cfg): chalresp_path=/var/lib/yubico
debug: pam_yubico.c:907 (pam_sm_authenticate): pam_yubico version: 2.27
debug: pam_yubico.c:922 (pam_sm_authenticate): get user returned: mk
debug: pam_yubico.c:926 (pam_sm_authenticate): libykpers version: 1.19.1
debug: pam_yubico.c:496 (do_challenge_response): Checking for user challenge files
debug: pam_yubico.c:499 (do_challenge_response): Challenge files found
debug: util.c:230 (check_firmware_version): YubiKey Firmware version: 3.5.0
debug: pam_yubico.c:534 (do_challenge_response): Loading challenge from file /var/lib/yubico/mk-7334055
debug: util.c:453 (load_chalresp_state): Challenge: [63B challenge data], hashed response: [20B response], salt: [32B salt], iterations: 10000, slot: 2
debug: pam_yubico.c:606 (do_challenge_response): Unexpected response: [20B data]
debug: pam_yubico.c:724 (do_challenge_response): Challenge-response failed: Resource temporarily unavailable
debug: pam_yubico.c:1229 (pam_sm_authenticate): done. [Authentication failure]
Interestingly, I have another machine with Devuan ascii and yubico-pam installed from the Devuan repositories where the challenge response succeeds.
Hi, I was trying to get the challenge response working on Ubuntu 18.04. It locates my file at /var/yubico and loads the challenge file, but it doesn't validate. The debug output is listed below.
debug: pam_yubico.c:606 (do_challenge_response): Unexpected response: [redacted]
debug: pam_yubico.c:724 (do_challenge_response): Challenge-response failed: Resource temporarily unavailable
debug: pam_yubico.c:1229 (pam_sm_authenticate): done. [Authentication failure]
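An added illustration, not part of the thread and not pam_yubico's own code: a model of the comparison behind "Unexpected response", using the state fields the load_chalresp_state debug line prints (challenge, hashed response, salt, iterations, slot). It assumes the token answers with HMAC-SHA1 and that the saved value is PBKDF2-HMAC-SHA1 over the hex-encoded response; the secrets and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def yubikey_response(secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the token: HMAC-SHA1 over the challenge (20 bytes)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def hash_response(response: bytes, salt: bytes, iterations: int) -> bytes:
    # Assumption: the saved value is PBKDF2-HMAC-SHA1 of the hex-encoded response.
    return hashlib.pbkdf2_hmac("sha1", response.hex().encode(), salt, iterations, 20)


def enroll(secret: bytes, slot: int = 2, iterations: int = 10000) -> dict:
    """Build a state record with the fields shown in the debug log."""
    challenge, salt = os.urandom(63), os.urandom(32)
    response = yubikey_response(secret, challenge)
    return {
        "challenge": challenge,
        "hashed_response": hash_response(response, salt, iterations),
        "salt": salt,
        "iterations": iterations,
        "slot": slot,
    }


def verify(state: dict, response: bytes) -> str:
    """Hash the live response and compare it with the saved one."""
    candidate = hash_response(response, state["salt"], state["iterations"])
    if hmac.compare_digest(candidate, state["hashed_response"]):
        return "ok"
    return "Unexpected response"


def demo() -> tuple:
    enrolled_secret = bytes(range(20))      # constructed 20-byte slot secret
    other_secret = bytes(range(1, 21))      # constructed: slot holds a different secret
    state = enroll(enrolled_secret)
    live = yubikey_response(enrolled_secret, state["challenge"])
    good = verify(state, live)
    wrong_key = verify(state, yubikey_response(other_secret, state["challenge"]))
    truncated = verify(state, live[:10])    # constructed: incomplete read from the device
    return good, wrong_key, truncated


if __name__ == "__main__":
    print(demo())
```

In this model any difference between the live response and the enrolled one, whether from a different slot secret or an incomplete read, ends in the same "Unexpected response" branch, so the message alone does not say which side changed.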