
Comments (6)

klali avatar klali commented on May 29, 2024

Would you mind submitting this as a pull request to make merging (and attribution) easier?

/klas

from yubico-pam.

Mrten avatar Mrten commented on May 29, 2024

That's a hurdle for me, I don't know git :)


klali avatar klali commented on May 29, 2024

Committed as 9a132bc

Unfortunately it referenced the wrong issue.


Mrten avatar Mrten commented on May 29, 2024

Thanks!


lawrencejones avatar lawrencejones commented on May 29, 2024

@Mrten did you find this fixed your problem? We're having similar issues where a ykclient linked against gnutls curl is unable to validate our certificate, and using cainfo=/etc/ssl/certs/ca-certificates.crt isn't doing anything to help.

Did you happen to figure out what was actually happening to cause this problem? It's very frustrating for us, and we're having to use a reverse proxy locally to sidestep the SSL issue.


Mrten avatar Mrten commented on May 29, 2024

Yes, it did fix my problem. As part of my debugging (two years ago already!) I asked that curl_verbose be enabled when you set a 'debug' flag on pam_yubico, which Yubico graciously agreed to. Have you tried that already? It should be logging to syslog.

This is the first part of my current /etc/pam.d/su:

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

# skip yubikey when we su to a non-root user
auth    [default=4 success=ignore]  pam_succeed_if.so uid eq 0

auth optional  pam_echo.so file=/etc/yubikey.login

# and then yubikey; for capath you need libcurl linked with openssl!!
auth    [default=1 success=ignore]  pam_yubico.so id=1 key=[base64 key] urllist=https://[local yubikey host]/wsapi/2.0/verify authfile=[map] cainfo=[absolute-path-to-certificate]

# ask for the pin; use_uid is required, but it is my own extension
auth    [success=3 default=ignore]  pam_userdb.so db=/etc/yubikey.pin crypt=crypt use_first_pass use_uid

auth optional  pam_echo.so file=/etc/yubikey.failed.login

# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]  pam_unix.so

# here's the fallback if no module succeeds
auth    requisite                   pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                    pam_permit.so

# after permit nothing else gets through, so if there are extra requirements on su they have to go above these lines
# be careful when inserting: default=XX and success=XX mean "jumps"

The certificate is a single certificate for the wsapi webserver in PEM format; the mapfile lists all yubikeys that are allowed to su to root.

This PAM file asks for a PIN + yubikey first; if that fails, it asks for the normal root password. The PIN is to make a lost yubikey less dramatic.

I'm on Ubuntu 14.04, which links pam_yubico with gnutls:

root@somewhere:/ ldd /lib/security/pam_yubico.so
	libyubikey.so.0 => /usr/lib/libyubikey.so.0 (0x00007f0d6cd73000)
	libykpers-1.so.1 => /usr/lib/libykpers-1.so.1 (0x00007f0d6cb61000)
	libcurl-gnutls.so.4 => /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4 (0x00007f0d6c328000)
        ...

You should really try the debug flag to see if this is the problem because I can't seem to find that gnutls is still having this problem on haxx.se.

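The jump semantics the comment above warns about ("default=XX and success=XX mean jumps") are easy to get wrong when inserting lines. The following is an added example, not code from the issue thread or from yubico-pam: a small evaluator that models only the Linux-PAM control tokens the posted /etc/pam.d/su uses and traces which modules actually run for a given set of module outcomes. The stack is a constructed copy of the post with module arguments trimmed, and the semantics are a deliberate simplification (no PAM_IGNORE handling beyond "ignore", no "die"/"done"/"bad" actions).

```python
import re

# Constructed copy of the auth lines from the posted /etc/pam.d/su (arguments trimmed).
SU_STACK = """
auth sufficient                 pam_rootok.so
auth [default=4 success=ignore] pam_succeed_if.so uid eq 0
auth optional                   pam_echo.so file=/etc/yubikey.login
auth [default=1 success=ignore] pam_yubico.so
auth [success=3 default=ignore] pam_userdb.so db=/etc/yubikey.pin
auth optional                   pam_echo.so file=/etc/yubikey.failed.login
auth [success=1 default=ignore] pam_unix.so
auth requisite                  pam_deny.so
auth required                   pam_permit.so
"""

def parse_stack(text):
    """Return [(control, module)]; a bracketed control becomes a dict of its key=value pairs."""
    entries = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", line).groups()
        if ctrl.startswith("["):
            ctrl = dict(kv.split("=") for kv in ctrl[1:-1].split())
        entries.append((ctrl, module))
    return entries

def run_stack(entries, results):
    """Simplified Linux-PAM walk: sufficient/requisite/required/optional plus the
    [success=N|ignore default=N|ignore] jump form. results maps module -> bool;
    unlisted modules succeed, except pam_deny. Returns (outcome, modules executed)."""
    i, executed, failed = 0, [], False
    while i < len(entries):
        ctrl, module = entries[i]
        ok = results.get(module, module != "pam_deny.so")
        executed.append(module)
        i += 1
        if isinstance(ctrl, dict):
            act = ctrl["success"] if ok else ctrl["default"]
            if act != "ignore":
                i += int(act)  # "success=N"/"default=N": skip the next N modules
        elif ctrl == "sufficient" and ok and not failed:
            return "PAM_SUCCESS", executed
        elif ctrl == "requisite" and not ok:
            return "PAM_AUTH_ERR", executed
        elif ctrl == "required" and not ok:
            failed = True
    return ("PAM_AUTH_ERR" if failed else "PAM_SUCCESS"), executed

def trace(results):
    return run_stack(parse_stack(SU_STACK), results)
```

Running trace({"pam_rootok.so": False, "pam_yubico.so": False}) shows the yubikey failure jumping over the PIN prompt straight to pam_unix, which is the fallback-to-root-password behaviour the comment describes.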
