yubico / yubico-pam Goto Github PK
View Code? Open in Web Editor NEWYubico Pluggable Authentication Module (PAM)
Home Page: https://developers.yubico.com/yubico-pam
License: BSD 2-Clause "Simplified" License
yubico-pam's People
Contributors
Stargazers
Watchers
Forkers
tfheen lecoyote hypatia olivgat swop cnanakos dr8 jkdingwall ronys axtl binetreseau jessesanford soniam darkshade9 wernerb eworm-de dsqmoore c0sco kyonetca meeh420 adimallikarjunareddy bgarlock alexjfisher bwlv mabels lordsaibat olegziakun erikthorselius shanx neverpanic sdigit akazakov thexfactor2011 zhulianhai afeinberg reelsense sravan-apps shankerwangmiao amshaegar13 jonnywhatshisface hypyrdev aravinthu c0psrul3 fintechmq okulik thomaspatzke mickael9 larhard mrkvak ellerbrock andrewstuart andyneff rgtx mtaillefumier kbabioch disneylucy blockchainidentityvault summer0820 dalavancloud no-jochs terop happy-ferret ssgelm carpalis buzzert syutbai cryptobuks frederick888 norwegianrockcat zypa13510 marc-sensenich betterjason365 labuwx privacytoolkit edmundoferreira liumorgan bored-engineer tigerly thecompuguru fbion wjcx-zh baimard anonymousdevteam yubi-david crashvb pavel-petrenko caminante99 classicvalues eva430 ekmixon cfwhisperer mastermind88 rains31 surfndez qubo-ft lboue isabella232 wicwik sergeyzubrilin redbaron13yubico-pam's Issues
`sufficient` in Mac OS X pam.conf causes hijack warning
On 10.11 with pam_yubico 2.19, when I change control-flag in a working configuration to sufficient from required, I can login with password and no Yubikey inserted, and this appears in the console log:
21/09/2015 17:03:01.737 com.apple.xpc.launchd[1]: (com.apple.xpc.launchd.domain.user.501) Service "com.apple.xpc.launchd.unmanaged.loginwindow.87271" tried to hijack endpoint "com.apple.tsm.uiserver" from owner: com.apple.SystemUIServer.agent
When I change it back, it starts working again. This means it is not possible to unlock by only inserting the Yubikey, without entering a password. /etc/pam.d/screensaver:
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
auth required /usr/local/lib/pam_yubico.so mode=challenge-response debug
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe
2nd server from urllist kicked out.
Hi,
mostly after two or three authentifications, urllist will be stripped.
All servers are working in the urllist.
I have uploaded the /var/run/pam-debug.log to http://pastebin.com/s4hYZY6t
I use a standard ubuntu 12.04 lts server included yubico ppa package and latest version of the pam package.
LDAP Client TLS Certificate
There doesn't appear to be a way to have yubico-pam use a client certificate when connecting to a remote LDAP server. That ought to get fixed
Add multiple validation servers as argument
original issue: http://code.google.com/p/yubico-pam/issues/detail?id=48
Would be nice to be able to have another parameter urls where can add more than one validation server to use for validation
Yubico-pam stalls on freebsd
Hi,
I'm currently evaluating the use of pfsense / openvpn / yubico-pam module for a client with my existing yubikey neo.
I'm using pfSense 2.2, which is based on FreeBSD 10.1.
I used the pkg manager to add yubico-pam, and called the openvpn-pam-auth lib to invoke the yubico-pam, which worked like a charm.
However, the request stalls...
For this reason, I added the yubico-pam to /etc/pam.d/su with debug on and tried switching user.
The reason that I chose an OTP not generated by a yubikey was to force a debug output that I knew would be generated when I read the source code.
But trying a correct OTP string still stalls the client. No tcp requests to api.yubico.com
[quote]
debug: pam_yubico.c:972 (pam_sm_authenticate): conv returned 44 bytes
debug: pam_yubico.c:990 (pam_sm_authenticate): Length is 44, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:997 (pam_sm_authenticate): OTP: cccccccccccccjtctghhifcbrjeeivgdvecgfvtgfrrd ID: cccccccccccc
[/quote]
This stalls the client completely.
After reading the source code, I found a few more DBG outputs, and to force another output I generated a OTP with to many characters.
Debug output shows the following:
[quote]
debug: pam_yubico.c:972 (pam_sm_authenticate): conv returned 45 bytes
debug: pam_yubico.c:990 (pam_sm_authenticate): Skipping first 1 bytes. Length is 45, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:997 (pam_sm_authenticate): OTP: sdfölkjasdflökjasdflökjasdflökjasdfölkj ID: sdfölkjasdf
debug: pam_yubico.c:1012 (pam_sm_authenticate): Extracted a probable system password entered before the OTP - setting item PAM_AUTHTOK
[/quote]
With this new information the pam apparently stalls somewhere within these lines of code:
[quote]
retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
free (onlypasswd);
if (retval != PAM_SUCCESS)
{
DBG (("set_item returned error: %s", pam_strerror (pamh, retval)));
goto done;
}
}
else
password = NULL;
rc = ykclient_request (ykc, otp);
[/quote]
My suspicion is that it is the ykclient_request (ykc, otp) that won't work... But all libs are installed and linked into /usr/lib... Any ideas?
BR
//David
sudo segfaults
I'm able to use my yubikey for logins, that works,
but when trying to apply it on sudo.. it segfaults
this is in my pam.d/common-auth:
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
pieter@Sesam:~$ sudo su -
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 32768 argc 3
[pam_yubico.c:parse_cfg(767)] argv[0]=id=16
[pam_yubico.c:parse_cfg(767)] argv[1]=authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(767)] argv[2]=debug
[pam_yubico.c:parse_cfg(768)] id=16
[pam_yubico.c:parse_cfg(769)] key=(null)
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mappings
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist=(null)
[pam_yubico.c:parse_cfg(784)] capath=(null)
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(830)] get user returned: pieter
YubiKey for `pieter':
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: [REDACTED] ID: [REDACTED]
Segmentation fault (core dumped)
The redacted part is correct
Using Ubuntu 14.04 64bit
using this PPA:
deb http://ppa.launchpad.net/yubico/stable/ubuntu trusty main
deb-src http://ppa.launchpad.net/yubico/stable/ubuntu trusty main
Version:
2.17-1~ppa2~trusty1
investigate osx installer
Investigate if it's worth building a binary osx installer for the pam module, maybe that could also help with configuration.
LDAP search doesn't support SUBTREE searches
original issue: http://code.google.com/p/yubico-pam/issues/detail?id=55
What steps will reproduce the problem?
Our LDAP has the structure:
ou=users
ou=staff
ou=students
ou=professors
The pam module just does a seach for the key using LDAP_SCOPE_BASE instead of LDAP_SCOPE_SUBTREE
In addition, the call to ldap_search_ext_s is done slightly wrong, passing the filters as the base, and giving the filter as NULL. (this still works, but is not right I believe.
What is the expected output? What do you see instead?
Expected it to find the user with the yubikey, instead it didn't find it.
What version of the product are you using? On what operating system?
Linux with yubico-pam 2.12
Please provide any additional information below.
I've applied the following change and it works fine for us:
- sprintf (find, "%s=%s,%s", cfg->user_attr, user, cfg->ldapdn);
- sprintf (find, "%s=%s", cfg->user_attr, user);
attrs[0] = (char *) cfg->yubi_attr;
DBG(("LDAP : look up object '%s', ask for attribute '%s'", find, cfg->yubi_attr));
/* Search for the entry. */
- if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE,
-
NULL, attrs, 0, NULL, NULL, LDAP_NO_LIMIT, - if ((rc = ldap_search_ext_s (ld, cfg->ldapdn, LDAP_SCOPE_SUBTREE,
-
find, attrs, 0, NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
Failed typing and YubiCloud
When using client mode:
In case I forgot to press button and type my system password first instead yubikey. How yubico-pam check password?
Is it first checking Yubikey ID from authorized_yubikeys and if first 12 letters not the same - password rejects without sending to YubiCloud or all typing always transmitting to YubiCloud?
Successfully ssh authentication w/ REPLAYED_OTP
Hi,
i dont know if this is expected.
If I login into my yubikey protected server with the correct password + otp. I will always get a REPLAYED_OTP status and a "Authentication failure" message. But I get a valid shell on ssh.
I have uploaded the /var/run/pam-debug.log to http://pastebin.com/s4hYZY6t
I use a standard ubuntu 12.04 lts server included yubico ppa package and latest version of the pam package.
Ldap subtree browsing and ulrlist format
Hello list,
I'm implementing 2FA with yubico and ldap, and at the moment everything works fine (storing and retrieving yubikeyID from ldap ean authenticating user via pam).
The first problem I'm facing is thata pam_yubico.so module doesn't perform ldap subtree search, ad so users must be limited to to the ldapdn, and so a user cn=foo,ou=user,dc=example,dc=com is found, while cn=foo,ou=extern,ou=user,dc=example,dc=com is not found.
The version from https://github.com/alexjfisher/yubico-pam overcomes this problem, but i'd prefer to use the official version: do you plan to integrate such a change?
Another thing (as in the subject) is the urllist format: using
urllist="http://infra-ldapm-vr1/wsapi/2.0/verify;http://infra-ldaps-vr1/wsapi/2.0/verify" returns
the following (snippet)
[pam_yubico.c:parse_cfg(810)] urllist="http://infra-ldapm-vr1/wsapi/2.0/verify;http://infra-ldaps-vr1/wsapi/2.0/verify"
[pam_yubico.c:parse_cfg(811)] capath=/etc/ssl/private/ldapmBase64-infracomspa.it.cer
[pam_yubico.c:parse_cfg(812)] token_id_length=12
[pam_yubico.c:parse_cfg(813)] mode=client
[pam_yubico.c:parse_cfg(814)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(856)] get user returned: scailotto
[pam_yubico.c:pam_sm_authenticate(877)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(999)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(1017)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(1024)] OTP: bedlceglbecignuigciulnfhvliefjifcelrujiidhfi ID: bedlceglbeci
[pam_yubico.c:pam_sm_authenticate(1055)] ykclient return value (101): Could not parse server response
[pam_yubico.c:pam_sm_authenticate(1116)] done. [Authentication service cannot retrieve authentication info]
I see by the validation server logs that only the last one in the list is queried, and it works successfuly, but it seems the reply is not correct; using one single server in urllist (no matter which one) works correctly.
I get the same behaviour both with "official" pam_yubico and with alexjfisher's one.
What's wrong?
Best Regards,
Stefano
Release File Names
Is there a particular reason that releases for yubico-pam just have the version name instead of yubico-pame-<version>.tar.gz? This is inconsistent with other Yubico projects such as for libykneomgr which has libykneomgr-<version>.tar.gz. Without out manual renaming this can cause name collisions for package builders that maintain a cache of source code releases.
Change install instructions on yubico https://developers.yubico.com/yubico-pam/
On the install guide on https://developers.yubico.com/yubico-pam/ it says
$ git clone [email protected]:Yubico/yubico-pam.git yubico-pam
Isn't it better with
$ git clone https://github.com/Yubico/yubico-pam.git
then there is no need to have access to github ssh keys. In my case I wantet to build it on a server.
yubikey 2-factor auth challenge-response for OSX login and screensaver
original issue: http://code.google.com/p/yubico-pam/issues/detail?id=54
What steps will reproduce the problem?
- Installed yubico-pam
- Followed steps outlined to configure PAM here: https://github.com/Yubico/yubico-pam/wiki/ChallengeResponse-(on-Mac-OS-X)
- lot and lots and lots of google
What is the expected output? What do you see instead?
Expected to be able to use yubikey challenge-response in addition to my password (2 factor auth) for both my OSX login and returning from screensave, also for sudo access.
Sudo PAM works great
OSX login and screensaver I can't get working.
What version of the product are you using? On what operating system?
OSX 10.8.4
yubico-pam 2.13
Issue to pass util_test
Hi Yubico :-)
I am been using the key for a long time on debian / ubuntu systems and I am moving now to ArchLinux.
I am trying to install yubico-pam using the git version, I installed all dependencies but I am failing on the last stage ..
I tried to use --without-ldap when running ./configure as I don't need it but it keeps failing when make check install
If anyone has an idea I would appreciate a lot :)
This is the test-suite.log
pam_yubico 2.20: tests/test-suite.log
TOTAL: 3
PASS: 2
SKIP: 0
XFAIL: 0
FAIL: 1
XPASS: 0
ERROR: 0
.. contents:: :depth: 2
FAIL: pam_test
YKVAL mockup started on 30559 at ./aux/ykval.pl line 52.
YKVAL mockup started on 17502 at ./aux/ykval.pl line 52.
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(752)] urllist=(null)
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.20
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (109): Error performing curl
[pam_yubico.c:pam_sm_authenticate(1005)] ykclient url used:
[pam_yubico.c:pam_sm_authenticate(1073)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
test 1 failed!
killed 13963 and 13964
FAIL pam_test (exit status: 1)
Many thanks,
Belette
yubikey with ldap not working
Hi
I am trying to configure yubikey-pam with ldap but its not working.
here is my /etc/pam.d/common-auth settings for yubikey ldap
auth required pam_yubico.so mode=client id=17 key=Zdd= ldap_uri=ldap://localhost ldapdn=ou=accounts,dc=lablynx,dc=com user_attr=uid yubi_attr=yubiKeyId
Here is debug output of pam
[pam_yubico.c:pam_sm_authenticate(997)] OTP: ccccccddnlhuflnunckctdvgrknnnvjrekjittlggitdj ID: ccccccddnlhu
[pam_yubico.c:pam_sm_autenticate(1028)] ykclient return value(0) : Success
[pam_yubico.c:authorize_user_token_ldap(301)] called
[pam_yubico.c:authorize_user_token_ldap(363)] LDAP : look up object 'uid=imran,ou=accounts,dc=lablynx,dc=com', ask for attribute 'yubikeyId'
[pam_yubico.c:authorize_user_token_ldap(370)] ldap_search_ext_s: No such object
[pam_yubico.c:pam_sm_authenticate(1057)] Internal error while validating user
[pam_yubico.c:pam_sm_authenticate(1089)] done. [Authentication service cannot retrieve authentication info]
Here is the output of ldapsearch on console which indicating ldap successuflly validing the yubikey
ldapsearch -xLLL -b "ou=accounts,dc=lablynx,dc=com" yubikeyId=ccccccddnlhu
dn: cn=Imran Sharif,ou=accounts,dc=lablynx,dc=com
uid: imran
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: yubiKeyUser
cn: Imran Sharif
givenName: Imran
sn: Sharif
uidNumber: 2001
gidNumber: 2000
loginShell: /bin/bash
homeDirectory: /home/imran
yubiKeyId: ccccccddnlhu
Would you help me how to solve this issue.
Thanks
Umar
2.19 testsuite fails (ldap_search_ext_s: Operations error)
When compiling yubico-pam 2.19 on Arch Linux, pam_test in the test suite fails with a LDAP error.
- openldap 2.4.40
- pam 1.1.8
===========================================
pam_yubico 2.19: tests/test-suite.log
===========================================
# TOTAL: 3
# PASS: 2
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: pam_test
==============
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(752)] urllist=(null)
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(151)] Using system-wide auth_file ./aux/authfile
[util.c:check_user_token(151)] Authorization line: foo:vvincredible
[util.c:check_user_token(156)] Matched user: foo
[util.c:check_user_token(162)] Authorization token: vvincredible
[util.c:check_user_token(166)] Match user/token as foo/vvincredible
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:17502/wsapi/2/verify;http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:17502/wsapi/2/verify;http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(151)] Using system-wide auth_file ./aux/authfile
[util.c:check_user_token(151)] Authorization line: foo:vvincredible
[util.c:check_user_token(156)] Matched user: foo
[util.c:check_user_token(162)] Authorization token: vvincredible
[util.c:check_user_token(166)] Match user/token as foo/vvincredible
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: bar
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(151)] Using system-wide auth_file ./aux/authfile
[util.c:check_user_token(151)] Authorization line: foo:vvincredible
[util.c:check_user_token(151)] Authorization line: test:cccccccfhcbe:ccccccbchvth:
[pam_yubico.c:pam_sm_authenticate(1041)] Unknown user
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincrediblltrerdegkkrkkneieultcjdghrejjbckh ID: vvincredibll
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(151)] Using system-wide auth_file ./aux/authfile
[util.c:check_user_token(151)] Authorization line: foo:vvincredible
[util.c:check_user_token(156)] Matched user: foo
[util.c:check_user_token(162)] Authorization token: vvincredible
[util.c:check_user_token(162)] Authorization token: (null)
[util.c:check_user_token(151)] Authorization line: test:cccccccfhcbe:ccccccbchvth:
[pam_yubico.c:pam_sm_authenticate(1037)] Unauthorized token for this user
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckl ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (1): Yubikey OTP was bad (BAD_OTP)
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: test
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj ID: ccccccbchvth
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token(151)] Using system-wide auth_file ./aux/authfile
[util.c:check_user_token(151)] Authorization line: foo:vvincredible
[util.c:check_user_token(151)] Authorization line: test:cccccccfhcbe:ccccccbchvth:
[util.c:check_user_token(156)] Matched user: test
[util.c:check_user_token(162)] Authorization token: cccccccfhcbe
[util.c:check_user_token(162)] Authorization token: ccccccbchvth
[util.c:check_user_token(166)] Match user/token as test/ccccccbchvth
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 7
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(732)] argv[3]=ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(732)] argv[4]=user_attr=uid
[pam_yubico.c:parse_cfg(732)] argv[5]=yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(732)] argv[6]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=(null)
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(748)] user_attr=uid
[pam_yubico.c:parse_cfg(749)] yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(238)] called
[pam_yubico.c:authorize_user_token_ldap(282)] try bind anonymous
[pam_yubico.c:authorize_user_token_ldap(312)] LDAP : look up object base='uid=foo,ou=users,dc=example,dc=com' filter='(null)', ask for attribute 'yubiKeyId'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 1 values - checking if any of them match 'person::vvincredible'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 1 values - checking if any of them match 'vvincredible::vvincredible'
[pam_yubico.c:authorize_user_token_ldap(355)] Token Found :: vvincredible
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 7
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(732)] argv[3]=ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(732)] argv[4]=user_attr=uid
[pam_yubico.c:parse_cfg(732)] argv[5]=yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(732)] argv[6]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=(null)
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(748)] user_attr=uid
[pam_yubico.c:parse_cfg(749)] yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: bar
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(238)] called
[pam_yubico.c:authorize_user_token_ldap(282)] try bind anonymous
[pam_yubico.c:authorize_user_token_ldap(312)] LDAP : look up object base='uid=bar,ou=users,dc=example,dc=com' filter='(null)', ask for attribute 'yubiKeyId'
[pam_yubico.c:authorize_user_token_ldap(328)] No result from LDAP search
[pam_yubico.c:pam_sm_authenticate(1041)] Unknown user
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 7
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(732)] argv[3]=ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(732)] argv[4]=user_attr=uid
[pam_yubico.c:parse_cfg(732)] argv[5]=yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(732)] argv[6]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=(null)
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(748)] user_attr=uid
[pam_yubico.c:parse_cfg(749)] yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincrediblltrerdegkkrkkneieultcjdghrejjbckh ID: vvincredibll
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(238)] called
[pam_yubico.c:authorize_user_token_ldap(282)] try bind anonymous
[pam_yubico.c:authorize_user_token_ldap(312)] LDAP : look up object base='uid=foo,ou=users,dc=example,dc=com' filter='(null)', ask for attribute 'yubiKeyId'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 1 values - checking if any of them match 'person::vvincredibll'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 1 values - checking if any of them match 'vvincredible::vvincredibll'
[pam_yubico.c:pam_sm_authenticate(1037)] Unauthorized token for this user
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 7
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(732)] argv[3]=ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(732)] argv[4]=user_attr=uid
[pam_yubico.c:parse_cfg(732)] argv[5]=yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(732)] argv[6]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=(null)
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=ou=users,dc=example,dc=com
[pam_yubico.c:parse_cfg(748)] user_attr=uid
[pam_yubico.c:parse_cfg(749)] yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:30559/wsapi/2/verify;http://localhost:17502/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: test
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj ID: ccccccbchvth
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(238)] called
[pam_yubico.c:authorize_user_token_ldap(282)] try bind anonymous
[pam_yubico.c:authorize_user_token_ldap(312)] LDAP : look up object base='uid=test,ou=users,dc=example,dc=com' filter='(null)', ask for attribute 'yubiKeyId'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 1 values - checking if any of them match 'person::ccccccbchvth'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 2 values - checking if any of them match 'cccccccfhcbe::ccccccbchvth'
[pam_yubico.c:authorize_user_token_ldap(348)] LDAP : Found 2 values - checking if any of them match 'ccccccbchvth::ccccccbchvth'
[pam_yubico.c:authorize_user_token_ldap(355)] Token Found :: ccccccbchvth
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 6
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=urllist=http://localhost:17502/wsapi/2/verify;http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(732)] argv[2]=ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(732)] argv[3]=ldap_filter=(uid=%u)
[pam_yubico.c:parse_cfg(732)] argv[4]=yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(732)] argv[5]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=(null)
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=ldap://localhost:52825
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(uid=%u)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=yubiKeyId
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=(null)
[pam_yubico.c:parse_cfg(752)] urllist=http://localhost:17502/wsapi/2/verify;http://localhost:30559/wsapi/2/verify
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.19
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: test
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj ID: ccccccbchvth
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (0): Success
[pam_yubico.c:authorize_user_token_ldap(238)] called
[pam_yubico.c:authorize_user_token_ldap(282)] try bind anonymous
[pam_yubico.c:authorize_user_token_ldap(312)] LDAP : look up object base='(null)' filter='(uid=test)', ask for attribute 'yubiKeyId'
[pam_yubico.c:authorize_user_token_ldap(319)] ldap_search_ext_s: Operations error
[pam_yubico.c:pam_sm_authenticate(1033)] Internal error while validating user
[pam_yubico.c:pam_sm_authenticate(1072)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
test 1005 failed!
killed 105910, 105911 and 105912
FAIL pam_test (exit status: 237)
could not drop privileges when using sudo
I tried the following PAM configuration with all the yubico code compiled from lastest git on Ubuntu Precise:
auth [success=1 new_authtok_reqd=ok ignore=ignore default=die] pam_yubico.so mode=challenge-response debug
When using "su" it the authentication works ok:
[pam_yubico.c:parse_cfg(753)] called.
[pam_yubico.c:parse_cfg(754)] flags 0 argc 2
[pam_yubico.c:parse_cfg(756)] argv[0]=mode=challenge-response
[pam_yubico.c:parse_cfg(756)] argv[1]=debug
[pam_yubico.c:parse_cfg(757)] id=-1
[pam_yubico.c:parse_cfg(758)] key=(null)
[pam_yubico.c:parse_cfg(759)] debug=1
[pam_yubico.c:parse_cfg(760)] alwaysok=0
[pam_yubico.c:parse_cfg(761)] verbose_otp=0
[pam_yubico.c:parse_cfg(762)] try_first_pass=0
[pam_yubico.c:parse_cfg(763)] use_first_pass=0
[pam_yubico.c:parse_cfg(764)] authfile=(null)
[pam_yubico.c:parse_cfg(765)] ldapserver=(null)
[pam_yubico.c:parse_cfg(766)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(767)] ldapdn=(null)
[pam_yubico.c:parse_cfg(768)] user_attr=(null)
[pam_yubico.c:parse_cfg(769)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(770)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(771)] url=(null)
[pam_yubico.c:parse_cfg(772)] capath=(null)
[pam_yubico.c:parse_cfg(773)] token_id_length=12
[pam_yubico.c:parse_cfg(774)] mode=chresp
[pam_yubico.c:parse_cfg(775)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(815)] get user returned: root
[pam_yubico.c:do_challenge_response(499)] Loading challenge from file /root/.yubico/challenge-2101146
[util.c:load_chalresp_state(269)] Challenge: XXX, salt: XXX, iterations: 10000, slot: 2
[pam_yubico.c:do_challenge_response(577)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(655)] Challenge-response success!
But when using "sudo su" I get the following error:
[pam_yubico.c:parse_cfg(753)] called.
[pam_yubico.c:parse_cfg(754)] flags 32768 argc 2
[pam_yubico.c:parse_cfg(756)] argv[0]=mode=challenge-response
[pam_yubico.c:parse_cfg(756)] argv[1]=debug
[pam_yubico.c:parse_cfg(757)] id=-1
[pam_yubico.c:parse_cfg(758)] key=(null)
[pam_yubico.c:parse_cfg(759)] debug=1
[pam_yubico.c:parse_cfg(760)] alwaysok=0
[pam_yubico.c:parse_cfg(761)] verbose_otp=0
[pam_yubico.c:parse_cfg(762)] try_first_pass=0
[pam_yubico.c:parse_cfg(763)] use_first_pass=0
[pam_yubico.c:parse_cfg(764)] authfile=(null)
[pam_yubico.c:parse_cfg(765)] ldapserver=(null)
[pam_yubico.c:parse_cfg(766)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(767)] ldapdn=(null)
[pam_yubico.c:parse_cfg(768)] user_attr=(null)
[pam_yubico.c:parse_cfg(769)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(770)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(771)] url=(null)
[pam_yubico.c:parse_cfg(772)] capath=(null)
[pam_yubico.c:parse_cfg(773)] token_id_length=12
[pam_yubico.c:parse_cfg(774)] mode=chresp
[pam_yubico.c:parse_cfg(775)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(815)] get user returned: XXX
[pam_yubico.c:do_challenge_response(499)] Loading challenge from file /home/XXX/.yubico/challenge-2101146
[util.c:load_chalresp_state(269)] Challenge: XXX, hashed response: XXX, salt: XXX, iterations: 10000, slot: 2
[pam_yubico.c:do_challenge_response(577)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(615)] could not drop privileges
Error communicating with Yubikey, please check syslog or contact your system administrator
[pam_yubico.c:display_error(456)] conv returned: '(null)'
[pam_yubico.c:do_challenge_response(681)] Challenge response failed: No such file or directory
I still get root privileges using this, but here [1] is a reference that states that this could be security risk.
Also unlocking gnome screensaver does not work. Are there an prerequisites for that to work, like dbus (I uninstalled some of the default packages from ubuntu)?
Multiple ldap servers
Hello,
are you planning to support multiple ldap server redundancy in order to improve reliability?
Something like
auth required pam_yubico.so mode=client try_first_pass
id=3
verbose_otp
key=dcvEzJnnTwCCKLNkNEPEnRh2Fis=
ldap_uri1=ldap://
ldapdn1=
binddn1=
bindwp1=
ldap_uri2=ldap://
ldapdn2=
binddn2=
bindwp2=
urllist=
user_attr=uid
yubi_attr=yubiKeyId
That would be very nice!
TIA,
Stefano
auth sufficient not working with sshd in OS X 10.11 (El Capitan)
I've installed pam_yubico v2.20 via Homebrew, and added:
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
to the top of /etc/pam.d/sshd. In addition, I've set:
ChallengeResponseAuthentication yes
UsePAM yes
in /etc/ssh/sshd_config.
After reloading SSH, no authentications work at all: not public key, not OTP, not even passwords. All one ever gets when the PAM module is enabled is Connection closed by <host>. However, removing pam_yubico.so lines from the file make SSH work again in the normal way, albeit without Yubikey support.
Radiusd segfault when using new urllist option
Hi
I've got the latest pam yubico release installed, but it blows up if I try to use the urllist option. The older method using --url still works fine.
/usr/sbin/radiusd -X -f -d /etc/raddb
[pam_yubico.c:parse_cfg(764)] called.
[pam_yubico.c:parse_cfg(765)] flags 0 argc 6
[pam_yubico.c:parse_cfg(767)] argv[0]=id=2
[pam_yubico.c:parse_cfg(767)] argv[1]=urllist="https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify"
[pam_yubico.c:parse_cfg(767)] argv[2]=key="h2TBHUzeKcVMe94KUMPPfNPCp3w="
[pam_yubico.c:parse_cfg(767)] argv[3]=authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(767)] argv[4]=capath=/etc/ssl/certs/ca-bundle.crt
[pam_yubico.c:parse_cfg(767)] argv[5]=debug
[pam_yubico.c:parse_cfg(768)] id=2
[pam_yubico.c:parse_cfg(769)] key="h2TBHUzeKcVMe94KUMPPfNPCp3w="
[pam_yubico.c:parse_cfg(770)] debug=1
[pam_yubico.c:parse_cfg(771)] alwaysok=0
[pam_yubico.c:parse_cfg(772)] verbose_otp=0
[pam_yubico.c:parse_cfg(773)] try_first_pass=0
[pam_yubico.c:parse_cfg(774)] use_first_pass=0
[pam_yubico.c:parse_cfg(775)] authfile=/etc/yubikey_mapping
[pam_yubico.c:parse_cfg(776)] ldapserver=(null)
[pam_yubico.c:parse_cfg(777)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(778)] ldapdn=(null)
[pam_yubico.c:parse_cfg(779)] user_attr=(null)
[pam_yubico.c:parse_cfg(780)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(781)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(782)] url=(null)
[pam_yubico.c:parse_cfg(783)] urllist="https://api1.example.com/wsapi/2.0/verify;https://api2.example,com/wsapi/2.0/verify"
[pam_yubico.c:parse_cfg(784)] capath=/etc/ssl/certs/ca-bundle.crt
[pam_yubico.c:parse_cfg(785)] token_id_length=12
[pam_yubico.c:parse_cfg(786)] mode=client
[pam_yubico.c:parse_cfg(787)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(829)] get user returned: afisher
[pam_yubico.c:pam_sm_authenticate(972)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(990)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(997)] OTP: ccccccbtggfjbvdcibjvuttlrdrcljrjujdrcrgglvkn ID: ccccccbtggfj
[pam_yubico.c:pam_sm_authenticate(1028)] ykclient return value (101): Could not parse server response
Segmentation fault
Any ideas?
Thanks,
Alex
Wiki page is missing
The readme file says in the section Configuration:
For more information, see the project Wiki page.
However there's no link to the wiki provided.
When searching around I found a link within the generated file
/usr/share/doc/libpam-yubico/README.Debian:
There is more documentation online in the Yubico-PAM wiki at
But this link just leads to the pam project's main page, but not to a wiki.
Ubuntu: sed error when trying to reconfigure package
Ubuntu 14.04; installed as described on the Readme, after following the instructions in /usr/share/doc/libpam-yubico/README.Debian and trying to reconfigure the package, I get:
$ sudo dpkg-reconfigure libpam-yubico
sed: -e expression #1, char 64: unknown option to `s'
No distinction between network failure and other failures
original issue: http://code.google.com/p/yubico-pam/issues/detail?id=47
In the current implementation, there is no difference between a network-based failure (unable to contact server for example) and other errors, as for example "Yubikey not authorized to login as user". All those failures return PAM_AUTHINFO_UNAVAIL.
It would be great if the network based error had a dedicated return value: the pam configuration could say 'if network error, accept', which is not possible now as it also accepts other errors.
I now that the pam return values are limited and I didn't found any good value. Do you have any solution ?
(I think that for example "Yubikey not authorized to login as user" should return PAM_USER_UNKNOWN, no ? (only one case solved))
PAM module should allow support to configure specific users to use 2FA natively
As it stands, the most common way I see people implementing YubiKey in a manner that allows them to specify which users should require a key is via a little extended syntax in PAM. Not doing so essentially forces all users to need a YubiKey. That syntax, for those interested in the quick fix (Linux PAM ONLY) is as follows:
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup [groupname]
auth required pam_yubico.so mode=challenge-response
That success=1 will tell PAM to skip the next X lines (in this case, 1) if the user is not in the specified group. However, if you're NetBSD'ish or on Mac OS X, you're using OpenPAM which does not support this extended syntax.
My solution was originally going to be to simply look in the users home directory for a .yubico directory, and just return PAM_SUCCESS and skip over everything if it didn't exist. However, it seems the most common method of assigning which accounts should use the key thus far has been to create a group and add users to it. So, I figured, why not stick to that methodology?
I'm going to use getgrouplist() to identify whether or not the user is in the group. This should work across Linux and BSD alike.
This will certainly meet the needs for my implementation... The question is, will anyone else be interested in such an addition? If so, I'll setup a pull request once I get it done (some time tonight or early tomorrow morning). If a pull request isn't desired or you aren't interested in it as being part of the module, I will simply put the modifications here in a comment for anyone else that may be interested.
segfault in 2.11 when using url=
Just so that I don't forget about it, I'll dig in later:
Program received signal SIGSEGV, Segmentation fault.
0x00007fd9a8fa33b1 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007fd9a8fa33b1 in vfprintf () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007fd9a9060d90 in __vsnprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007fd9a9060cd8 in __snprintf_chk () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007fd9a7ae4c08 in ykclient_request () from /usr/lib/libykclient.so.3
#4 0x00007fd9a7cedaed in pam_sm_authenticate () from /lib/security/pam_yubico.so
#5 0x00007fd9a951db45 in ?? () from /lib/x86_64-linux-gnu/libpam.so.0
#6 0x00007fd9a951d3c8 in pam_authenticate () from /lib/x86_64-linux-gnu/libpam.so.0
#7 0x00000000004028fe in ?? ()
#8 0x00007fd9a8f7976d in __libc_start_main () from /lib/x86_64-linux-gnu/libc.so.6
#9 0x00000000004035ed in ?? ()
#10 0x00007fff24f411c8 in ?? ()
#11 0x000000000000001c in ?? ()
version
ii libpam-yubico 2.11-1 two-factor password and YubiKey OTP PAM module
Ubuntu 12.04 LTS, 64 bit.
I added this to /etc/pam.d/su:
auth sufficient pam_yubico.so id=1 debug url=http://yubikey/wsapi/2.0/verify=id=%s&otp=%s
Nothing is logged on the validation server, so this is pre-network access.
stack smashing detected
Compiling the latest yubico-pam code from git (2.13-23-g96cf010) works, but if
gcc had option '-fstack-protector' programs crash when authenticating CR:
*** stack smashing detected ***: su terminated
======= Backtrace: =========
/usr/lib/libc.so.6(+0x72ecf)[0x7fa27df6eecf]
/usr/lib/libc.so.6(__fortify_fail+0x37)[0x7fa27dff1c37]
/usr/lib/libc.so.6(__fortify_fail+0x0)[0x7fa27dff1c00]
/usr/lib/security/pam_yubico.so(pam_sm_authenticate+0x10fd)[0x7fa27cb2aecd]
/usr/lib/libpam.so.0(+0x2e8f)[0x7fa27e4ade8f]
/usr/lib/libpam.so.0(pam_authenticate+0x30)[0x7fa27e4ad6e0]
su[0x403563]
/usr/lib/libc.so.6(__libc_start_main+0xf5)[0x7fa27df1dbc5]
su[0x4023a1]
Increasing char buf[] to 125 in do_challenge_response() "fixes" the problem, though this is just undefined behaviour I think. I used memset() to clear buf with null bytes, looks like nothing is written to addresses beyond 0x19 (or similar, but far away from 0x7D).
This is an Arch Linux x86_64 system with these package versions:
linux 3.11.1-1
pam 1.1.6-4
gcc-multilib 4.8.1-3
glibc 2.18-4
Double free or corruption in 2.15 when coupled with sudo
Hello,
I'm trying to use my yubikey with sudo but I received a segfault or one of these errors about 4 times out of 5. This is the backtrace that I have received as a result last. If you need any further info please ask and I'll be happy to oblige.
[vicksters@elysium ~]$ sudo su -
YubiKey for `vicksters': <KEY PRESSED AT THIS POINT>
*** Error in `sudo': double free or corruption (!prev): 0x00007fb7000008c0 ***
======= Backtrace: =========
/usr/lib/libc.so.6(+0x72ecf)[0x7fb718ae1ecf]
/usr/lib/libc.so.6(+0x7869e)[0x7fb718ae769e]
/usr/lib/libc.so.6(+0x79377)[0x7fb718ae8377]
/usr/lib/libc.so.6(fclose+0x14d)[0x7fb718ad84dd]
/usr/lib/libnss_files.so.2(_nss_files_gethostbyname4_r+0x2fb)[0x7fb71856bd6b]
/usr/lib/libc.so.6(+0xd0385)[0x7fb718b3f385]
/usr/lib/libc.so.6(getaddrinfo+0xfd)[0x7fb718b4181d]
/usr/lib/libcurl.so.4(+0x40494)[0x7fb7178c3494]
/usr/lib/libcurl.so.4(+0x499c4)[0x7fb7178cc9c4]
/usr/lib/libcurl.so.4(+0x4856b)[0x7fb7178cb56b]
/usr/lib/libpthread.so.0(+0x80a2)[0x7fb7169dd0a2]
/usr/lib/libc.so.6(clone+0x6d)[0x7fb718b5443d]
======= Memory map: ========
7fb6f4000000-7fb6f4021000 rw-p 00000000 00:00 0
7fb6f4021000-7fb6f8000000 ---p 00000000 00:00 0
7fb6fc000000-7fb6fc021000 rw-p 00000000 00:00 0
7fb6fc021000-7fb700000000 ---p 00000000 00:00 0
7fb700000000-7fb700021000 rw-p 00000000 00:00 0
7fb700021000-7fb704000000 ---p 00000000 00:00 0
7fb704000000-7fb704021000 rw-p 00000000 00:00 0
7fb704021000-7fb708000000 ---p 00000000 00:00 0
7fb70ac47000-7fb70ac48000 ---p 00000000 00:00 0
7fb70ac48000-7fb70b448000 rw-p 00000000 00:00 0 [stack:18707]
7fb70c000000-7fb70c021000 rw-p 00000000 00:00 0
7fb70c021000-7fb710000000 ---p 00000000 00:00 0
7fb71282b000-7fb712840000 r-xp 00000000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712840000-7fb712a40000 ---p 00015000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712a40000-7fb712a41000 rw-p 00015000 08:03 2519935 /usr/lib/libgcc_s.so.1
7fb712a41000-7fb712a42000 ---p 00000000 00:00 0
7fb712a42000-7fb713242000 rw-p 00000000 00:00 0
7fb713242000-7fb713247000 r-xp 00000000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713247000-7fb713446000 ---p 00005000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713446000-7fb713447000 r--p 00004000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713447000-7fb713448000 rw-p 00005000 08:03 2490693 /usr/lib/libnss_dns-2.18.so
7fb713448000-7fb713449000 ---p 00000000 00:00 0
7fb713449000-7fb713c49000 rw-p 00000000 00:00 0
7fb713c49000-7fb713c4a000 ---p 00000000 00:00 0
7fb713c4a000-7fb71444a000 rw-p 00000000 00:00 0
7fb71444a000-7fb71444b000 ---p 00000000 00:00 0
7fb71444b000-7fb714c4b000 rw-p 00000000 00:00 0
7fb714c4b000-7fb714c4c000 r-xp 00000000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714c4c000-7fb714e4c000 ---p 00001000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4c000-7fb714e4d000 r--p 00001000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4d000-7fb714e4e000 rw-p 00002000 08:03 2496772 /usr/lib/security/pam_nologin.so
7fb714e4e000-7fb714e57000 r-xp 00000000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb714e57000-7fb715056000 ---p 00009000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715056000-7fb715057000 r--p 00008000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715057000-7fb715058000 rw-p 00009000 08:03 2496665 /usr/lib/libgssglue.so.1.0.0
7fb715058000-7fb71507e000 r-xp 00000000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71507e000-7fb71527d000 ---p 00026000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527d000-7fb71527e000 r--p 00025000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527e000-7fb71527f000 rw-p 00026000 08:03 2496692 /usr/lib/libtirpc.so.1.0.10
7fb71527f000-7fb715280000 rw-p 00000000 00:00 0
7fb715280000-7fb715295000 r-xp 00000000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715295000-7fb715494000 ---p 00015000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715494000-7fb715495000 r--p 00014000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715495000-7fb715496000 rw-p 00015000 08:03 2490683 /usr/lib/libnsl-2.18.so
7fb715496000-7fb715498000 rw-p 00000000 00:00 0
7fb715498000-7fb7154a0000 r-xp 00000000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7154a0000-7fb71569f000 ---p 00008000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb71569f000-7fb7156a0000 r--p 00007000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7156a0000-7fb7156a1000 rw-p 00008000 08:03 2490705 /usr/lib/libcrypt-2.18.so
7fb7156a1000-7fb7156cf000 rw-p 00000000 00:00 0
7fb7156cf000-7fb7156da000 r-xp 00000000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7156da000-7fb7158da000 ---p 0000b000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158da000-7fb7158db000 r--p 0000b000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158db000-7fb7158dc000 rw-p 0000c000 08:03 2496819 /usr/lib/security/pam_unix.so
7fb7158dc000-7fb7158e8000 rw-p 00000000 00:00 0
7fb7158e8000-7fb7158ef000 r-xp 00000000 08:03 2507013 /usr/lib/librt-2.18.so
7fb7158ef000-7fb715aee000 ---p 00007000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715aee000-7fb715aef000 r--p 00006000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715aef000-7fb715af0000 rw-p 00007000 08:03 2507013 /usr/lib/librt-2.18.so
7fb715af0000-7fb715b00000 r-xp 00000000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715b00000-7fb715d00000 ---p 00010000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d00000-7fb715d01000 r--p 00010000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d01000-7fb715d02000 rw-p 00011000 08:03 2520410 /usr/lib/libudev.so.1.4.0
7fb715d02000-7fb715d1d000 r-xp 00000000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715d1d000-7fb715f1d000 ---p 0001b000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1d000-7fb715f1e000 r--p 0001b000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1e000-7fb715f1f000 rw-p 0001c000 08:03 2501567 /usr/lib/libsasl2.so.3.0.0
7fb715f1f000-7fb715f33000 r-xp 00000000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb715f33000-7fb716132000 ---p 00014000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716132000-7fb716133000 r--p 00013000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716133000-7fb716134000 rw-p 00014000 08:03 2497150 /usr/lib/libresolv-2.18.so
7fb716134000-7fb716136000 rw-p 00000000 00:00 0
7fb716136000-7fb716316000 r-xp 00000000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716316000-7fb716516000 ---p 001e0000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716516000-7fb716531000 r--p 001e0000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb716531000-7fb71653c000 rw-p 001fb000 08:03 2511857 /usr/lib/libcrypto.so.1.0.0
7fb71653c000-7fb716540000 rw-p 00000000 00:00 0
7fb716540000-7fb7165a2000 r-xp 00000000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7165a2000-7fb7167a1000 ---p 00062000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167a1000-7fb7167a5000 r--p 00061000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167a5000-7fb7167ac000 rw-p 00065000 08:03 2511856 /usr/lib/libssl.so.1.0.0
7fb7167ac000-7fb7167d3000 r-xp 00000000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7167d3000-7fb7169d3000 ---p 00027000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d3000-7fb7169d4000 r--p 00027000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d4000-7fb7169d5000 rw-p 00028000 08:03 2506316 /usr/lib/libssh2.so.1.0.1
7fb7169d5000-7fb7169ed000 r-xp 00000000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb7169ed000-7fb716bed000 ---p 00018000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bed000-7fb716bee000 r--p 00018000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bee000-7fb716bef000 rw-p 00019000 08:03 2490695 /usr/lib/libpthread-2.18.so
7fb716bef000-7fb716bf3000 rw-p 00000000 00:00 0
7fb716bf3000-7fb716bf5000 r-xp 00000000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716bf5000-7fb716df4000 ---p 00002000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df4000-7fb716df5000 r--p 00001000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df5000-7fb716df6000 rw-p 00002000 08:03 2530321 /usr/lib/libyubikey.so.0.1.4
7fb716df6000-7fb716e00000 r-xp 00000000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb716e00000-7fb716fff000 ---p 0000a000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb716fff000-7fb717000000 r--p 00009000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb717000000-7fb717001000 rw-p 0000a000 08:03 2527488 /usr/lib/libjson-c.so.2.0.1
7fb717001000-7fb717017000 r-xp 00000000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717017000-7fb717216000 ---p 00016000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717216000-7fb717217000 r--p 00015000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717217000-7fb717218000 rw-p 00016000 08:03 2519013 /usr/lib/libusb-1.0.so.0.1.0
7fb717218000-7fb717228000 r-xp 00000000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717228000-7fb717427000 ---p 00010000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717427000-7fb717428000 r--p 0000f000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717428000-7fb717429000 rw-p 00010000 08:03 2530344 /usr/lib/libykpers-1.so.1.14.1
7fb717429000-7fb717437000 r-xp 00000000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717437000-7fb717636000 ---p 0000e000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717636000-7fb717637000 r--p 0000d000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717637000-7fb717638000 rw-p 0000e000 08:03 2492888 /usr/lib/liblber-2.4.so.2.9.2
7fb717638000-7fb717680000 r-xp 00000000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717680000-7fb717880000 ---p 00048000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717880000-7fb717881000 r--p 00048000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717881000-7fb717883000 rw-p 00049000 08:03 2520519 /usr/lib/libldap-2.4.so.2.9.2
7fb717883000-7fb7178e4000 r-xp 00000000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb7178e4000-7fb717ae4000 ---p 00061000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae4000-7fb717ae6000 r--p 00061000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae6000-7fb717ae7000 rw-p 00063000 08:03 2501471 /usr/lib/libcurl.so.4.3.0
7fb717ae7000-7fb717aef000 r-xp 00000000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717aef000-7fb717cee000 ---p 00008000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cee000-7fb717cef000 r--p 00007000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cef000-7fb717cf0000 rw-p 00008000 08:03 2530331 /usr/lib/libykclient.so.3.5.2
7fb717cf0000-7fb717cf8000 r-xp 00000000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717cf8000-7fb717ef7000 ---p 00008000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef7000-7fb717ef8000 r--p 00007000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef8000-7fb717ef9000 rw-p 00008000 08:03 2530361 /usr/lib/security/pam_yubico.so
7fb717ef9000-7fb717f0e000 r-xp 00000000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb717f0e000-7fb71810d000 ---p 00015000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810d000-7fb71810e000 r--p 00014000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810e000-7fb71810f000 rw-p 00015000 08:03 2496572 /usr/lib/libz.so.1.2.8
7fb71810f000-7fb71811c000 r-xp 00000000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71811c000-7fb71831b000 ---p 0000d000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831b000-7fb71831c000 r--p 0000c000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831c000-7fb71831d000 rw-p 0000d000 08:03 2496762 /usr/lib/libpam.so.0.83.1
7fb71831d000-7fb718361000 r-xp 00000000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718361000-7fb718560000 ---p 00044000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718560000-7fb718561000 r--p 00043000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718561000-7fb718564000 rw-p 00044000 08:03 2508553 /usr/lib/sudo/sudoers.so
7fb718564000-7fb718567000 rw-p 00000000 00:00 0
7fb718567000-7fb718572000 r-xp 00000000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718572000-7fb718772000 ---p 0000b000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718772000-7fb718773000 r--p 0000b000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718773000-7fb718774000 rw-p 0000c000 08:03 2490687 /usr/lib/libnss_files-2.18.so
7fb718774000-7fb718a6f000 r--p 00000000 08:03 2527735 /usr/lib/locale/locale-archive
7fb718a6f000-7fb718c11000 r-xp 00000000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718c11000-7fb718e10000 ---p 001a2000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e10000-7fb718e14000 r--p 001a1000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e14000-7fb718e16000 rw-p 001a5000 08:03 2496691 /usr/lib/libc-2.18.so
7fb718e16000-7fb718e1a000 rw-p 00000000 00:00 0
7fb718e1a000-7fb718e1d000 r-xp 00000000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb718e1d000-7fb71901c000 ---p 00003000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901c000-7fb71901d000 r--p 00002000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901d000-7fb71901e000 rw-p 00003000 08:03 2507014 /usr/lib/libdl-2.18.so
7fb71901e000-7fb719020000 r-xp 00000000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719020000-7fb71921f000 ---p 00002000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb71921f000-7fb719220000 r--p 00001000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719220000-7fb719221000 rw-p 00002000 08:03 2496790 /usr/lib/libutil-2.18.so
7fb719221000-7fb719241000 r-xp 00000000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719426000-7fb71942a000 rw-p 00000000 00:00 0
7fb71943e000-7fb719440000 rw-p 00000000 00:00 0
7fb719440000-7fb719441000 r--p 0001f000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719441000-7fb719442000 rw-p 00020000 08:03 2490725 /usr/lib/ld-2.18.so
7fb719442000-7fb719443000 rw-p 00000000 00:00 0
7fb719443000-7fb719462000 r-xp 00000000 08:03 2508550 /usr/bin/sudo
7fb719661000-7fb719662000 r--p 0001e000 08:03 2508550 /usr/bin/sudo
7fb719662000-7fb719664000 rw-p 0001f000 08:03 2508550 /usr/bin/sudo
7fb719664000-7fb719665000 rw-p 00000000 00:00 0
7fb7199d7000-7fb719a60000 rw-p 00000000 00:00 0 [heap]
7ffffa0cc000-7ffffa0ed000 rw-p 00000000 00:00 0 [stack]
7ffffa142000-7ffffa144000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
Build: Improve dependency on asciidoc
Either make the dependency to asciidoc more prominent (document it somewhere in the README and the site) or change the Makefile to skip the step silently when a2x is missing.
The way it is now, the build fails with an error when asciidoc isn't installed and the error message "a2x is missing" isn't very helpful - Google returns some weird results when I google for "a2x".
Documentation: Add documentation to man page / README regarding SElinux
On fedora as of F20 the selinux policy works out of the box with pam yubico modules IF the following is set:
semanage boolean -m --on authlogin_yubikey
This works for both OTP and challenge response mode.
Can this be added to the man page of ykpamcfg and the readme to help users who may otherwise miss this on fedora?
radius: don't require a 'yubico' user
For some reason, when using pam_yubico under freeradius (set up as
described by our wiki page) it requires that there is a unix user of the
radius user name. We should try to understand what it is that requires
this, and remove that limitation.
configure fails on OmniOS (a distribution of Illumos)
I am trying to run the configure script on OmniOS, which is a distribution of Illumos. For those who are not aware, Illumos is a continuation of the project formerly known as OpenSolaris.
After it reaches the stage of locating libyubikey, it errors out, saying an open parenthesis is unexpected.
Here is a pastebin of the whole configure script, and the error.
I get the same error if I try to add the --without-cr flag, thinking it might have to do with me not being able to install the yubikey-personalization module.
I can bypass the error if I comment out the whole code block regarding ykpers, but I'll error out the make process, when it looks for YKPERS_CFLAGS.
I have successfully compiled and installed yubico-c and yubico-c-client.
Assistance would be appreciated. Please let me know if you need any more information.
-bash-4.2$ uname -a
SunOS ip-10-180-222-32 5.11 omnios-6de5e81 i86pc i386 i86xpv
-bash-4.2$ cat /etc/release
OmniOS v11 r151008
Copyright 2013 OmniTI Computer Consulting, Inc. All rights reserved.
Use is subject to license terms.
OS X 10.10.2 Challange Response kind of working...not
Hi,
I implemented my new Yubikey into my OS X PAM like described within https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html
I entered the
auth sufficient pam_yubico.so mode=challenge-response debug
line into /etc/pam.d/sudo
That is what I get as Output when I try to sudo:
55-555-1::[20150204-160652]::mT@yg:~
$ sudo -i
Password:
debug: pam_yubico.c:764 (parse_cfg): called.
debug: pam_yubico.c:765 (parse_cfg): flags -2147483648 argc 2
debug: pam_yubico.c:767 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:767 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:768 (parse_cfg): id=-1
debug: pam_yubico.c:769 (parse_cfg): key=(null)
debug: pam_yubico.c:770 (parse_cfg): debug=1
debug: pam_yubico.c:771 (parse_cfg): alwaysok=0
debug: pam_yubico.c:772 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:773 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:774 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:775 (parse_cfg): authfile=(null)
debug: pam_yubico.c:776 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:777 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:778 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:779 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:780 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:781 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:782 (parse_cfg): url=(null)
debug: pam_yubico.c:783 (parse_cfg): urllist=(null)
debug: pam_yubico.c:784 (parse_cfg): capath=(null)
debug: pam_yubico.c:785 (parse_cfg): token_id_length=12
debug: pam_yubico.c:786 (parse_cfg): mode=chresp
debug: pam_yubico.c:787 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:829 (pam_sm_authenticate): get user returned: mT
debug: pam_yubico.c:506 (do_challenge_response): Loading challenge from file /Users/mT/.yubico/challenge-3016718
debug: util.c:270 (load_chalresp_state): Challenge: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, iterations: 10000, slot: 2
debug: pam_yubico.c:584 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:664 (do_challenge_response): Challenge-response success!
So, it give me a success at the end, but OS X seems to be really unimpressed by this and still ask me for the password -.-
Where do I go wrong? :/
I already searched for one week, but of course I do also not want to brick my box, by removing password auth from the /etc/pam.d/sudo
It also fails when I try to do the same in the file /etc/pam.d/screensaver :(
Advance Thanks
yubico_pam not available in EPEL 7
Since packages are always a lot nicer than compiling for source, I went looking for packages to enable Yubikeys in CentOS7 (and RHEL7)
it seems that the EPEL maintainers have dropped pam_yubico. Is this something you can look at, or should we go upstream?
Oracle Linux 7 - configure: error: Libyubikey v1.5+ not found,
I have installed the c client per instructions at
https://developers.yubico.com/yubico-c-client/
autoreconf
configure
make check
make install
but when I go to configure the yubico-pam I get an error that Libyubikey not found. Is there a flag I can set in the configure script to force the location?
The system recognizes a call to ykclient.
Thanks
Segfault /bin/login with pam_yubico on Ubuntu 15.04
I've tried every way I can think of to make this work, but when I attempt to add the line configured as from the example to common-auth directly after pam_unix.so it causes /bin/login to crash and I'm dropped right back to the login prompt.
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth sufficient pam_yubico.so id=[My ID] authfile=/etc/yubikey_mappings
It works fine for lightdm, and screensavers, only login has the problem.
install fails with brew on mac os x 10.11(El Captain)
When try to install with Homebrew, the make process is exit with error.
/bin/sh /private/tmp/pam_yubico20151013-26943-8e7bxz/yubico-pam-2.19/build-aux/missing a2x --format=manpage -a revdate="Version 2.19" ykpamcfg.1.txt
a2x: ERROR: "xmllint" --nonet --noout --valid "/private/tmp/pam_yubico20151013-26943-8e7bxz/yubico-pam-2.19/ykpamcfg.1.xml" returned non-zero exit status 4
make[1]: *** [ykpamcfg.1] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [install-recursive] Error 1
Is "util.h" meant to be installed to a shared include directory?
The util.h include file has a very generic name, which conflicts with other software in the wild. Does a functional installation of this software require that this include be installed to, say, /usr/include or /usr/local/include, or is the .so the only thing required for installation?
challenge/response broken
Commit 057c374 (fixup a memory leak) breakes challenge/response. Debug output gives:
could not drop privileges
Yubico Authorization Plugin for OS X
Do you have any plans to build an Authorization Plugin for OS X?
This would allow a for a richer UI experience.
https://developer.apple.com/library/mac/documentation/Security/Reference/AuthorizationPluginRef/index.html
https://developer.apple.com/library/mac/technotes/tn2228/_index.html
verbose_otp doesn't work with ssh
original issue: http://code.google.com/p/yubico-pam/issues/detail?id=51
What steps will reproduce the problem?
- add verbose_otp as option to pam_yubico.so in the pam sshd config file.
- try to authenticate via ssh
What is the expected output?
OK, you are logged
What do you see instead?
Not logged.
In the debug ouptut of pam_yubico.so :
[pam_yubico.c:parse_cfg(769)] mode=client
[pam_yubico.c:parse_cfg(770)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(810)] get user returned: max
[pam_yubico.c:pam_sm_authenticate(906)] conv returned error: Conversation error
[pam_yubico.c:pam_sm_authenticate(1013)] done. [Conversation error]
What version of the product are you using?
2.13
On what operating system?
Gentoo
Additional information :
I don't know if it's a bug in pam_yubico or sshd can't display "custom fields".
If sshd just can't display "custom fields" I think it should be indicated in the README file.
Possible incompatibility with the NEO's smartcard functionality on Debian Jessie
I have a Yubikey NEO configured for challenge-response in the first slot, that I also use as a smartcard with GnuPG.
When using yubico-pam in challenge-response mode on Debian Jessie, GnuPG seemingly cannot access the smartcard on the Yubikey (gpg --card-status shows the card with empty key slots, and then cannot find it). The problem went away after disabling yubico-pam.
If you need more information, I would be happy to provide it.
Add possibility to exclude a user
original issues:
http://code.google.com/p/yubico-pam/issues/detail?id=34
http://code.google.com/p/yubico-pam/issues/detail?id=50
It's not possible to exclude/opt-out from pam_yubico
drop_privs interface
(original discussion: http://code.google.com/p/yubico-pam/issues/detail?id=49)
We seem to be using the pam_modutil_drop_priv interface in a way it wasn't meant to be used. Should our code be refactored to call that interface directly from pam_yubico.c and have our own functions implementing that for backwards compability?
capath does not work when linked with gnutls, enable cainfo from yubico-c-client
Following up from Yubico/yubico-c-client#24, I realised -a bit late- that to use that new feature in PAM I'd need a way to enable it in the pam config. Here's a patch to do just that:
# diff -u pam_yubico.c.old pam_yubico.c
--- pam_yubico.c.old 2015-05-21 14:18:11.906745702 +0200
+++ pam_yubico.c 2015-05-21 14:32:52.326746246 +0200
@@ -109,6 +109,7 @@
int use_first_pass;
const char *auth_file;
const char *capath;
+ const char *cainfo;
const char *url;
const char *urllist;
const char *ldapserver;
@@ -690,6 +691,8 @@
cfg->auth_file = argv[i] + 9;
if (strncmp (argv[i], "capath=", 7) == 0)
cfg->capath = argv[i] + 7;
+ if (strncmp (argv[i], "cainfo=", 7) == 0)
+ cfg->cainfo = argv[i] + 7;
if (strncmp (argv[i], "url=", 4) == 0)
cfg->url = argv[i] + 4;
if (strncmp (argv[i], "urllist=", 8) == 0)
@@ -751,6 +754,7 @@
D (("url=%s", cfg->url ? cfg->url : "(null)"));
D (("urllist=%s", cfg->urllist ? cfg->urllist : "(null)"));
D (("capath=%s", cfg->capath ? cfg->capath : "(null)"));
+ D (("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)"));
D (("token_id_length=%d", cfg->token_id_length));
D (("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" ));
D (("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)"));
@@ -859,6 +863,9 @@
if (cfg->capath)
ykclient_set_ca_path (ykc, cfg->capath);
+ if (cfg->cainfo)
+ ykclient_set_ca_info (ykc, cfg->cainfo);
+
if (cfg->url)
{
rc = ykclient_set_url_template (ykc, cfg->url);
With this patch, I can use my own CA, otherwise I run into the same problem as I mentioned in Yubico/yubico-c-client#24.
Use as you please.
Allow gathering token ids from multiple sources (authfile,LDAP,etc.)
I'd like to attempt a patch to allow for using more than one source for token ids so that things don't go bad if LDAP goes unavailable.
I'm still mulling over methodologies and the current logic and hope to post a couple of brief ideas in the next couple of days to make sure I'm not heading down a path that wouldn't be likely to get merged in.
So this issue is for tracking that...
Thank you,
Mark
LDAP documentation
Provide an example LDAP schema and a pointer to this effort:
LDAP binddn, bindpw support
i do not like the idea of anonymous users getting list of my users and theirs keys.
it is needed to add support for authenticated ldap, like here:
https://jeroenvda.eu/2013/01/07/yubico-pam-with-ldap-binddn-and-bindpw-support/
Unable to access PPA
W: Failed to fetch http://ppa.launchpad.net/yubico/stable/ubuntu/dists/jessie/main/binary-amd64/Packages 404 Not Found
me@server:~/yubico-pam$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 8.2 (jessie)
Release: 8.2
Codename: jessie
ykpamcfg: Failed to read serial number (serial-api-visible disabled?)
Trying to set up challenge-response authentification I get this error:
ykpamcfg -2 -v
Firmware version 3.1.2
[../util.c:get_user_challenge_file(208)] Failed to read serial number (serial-api-visible disabled?).
Sending 63 bytes HMAC challenge to slot 2
Sending 63 bytes HMAC challenge to slot 2
Stored initial challenge and expected response in '/root/.yubico/challenge'.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.