-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssh authentication hangs #190
Comments
So I tried without the Ldap proxy in the middle and it still fails. Is there any way to get more detailed output from the debug file? How can I see what if the module is processing or not the token received from the LDAP server? |
I have used strace and was able to see that yubico_pam was trying to connect to https://api4.yubico.com/wsapi/2.0/verify?id=17&nonce=hcahqomivxyuwhiusfcrjrothtabguko&otp=xxxxxxxxxxxxxxxxx×tamp=1 After adding a proxy it was able to connect and now it returns:
Now I'm able to press the yubikey on the first password prompt, it validates the otp and then it prompts for the LDAP password and I'm able to login. However after pressing the yubikey it outputs access denied in the console. Is there a way of not showing the access denied? Also, is it really necessary to allow the communication to the API server on the internet? Thanks in advance. |
Hey, Glad you solved the immediate problem, sorry I didn't manage to give you any pointers in time. For OTP validation if you want to use the YubiCloud, hosted by Yubico you need to allow it to access those machines (api.yubico.com, api2.yubico.com, api3.yubico.com, api4.yubico.com and api5.yubico.com). If you want to you can setup your own validation service (using the project yubikey-val and python-pyhsm) and use the urllist parameter to point at addresses of your choosing. "access denied" is never output by the module itself so it must come from somewhere else, what does the rest of your pam stack look like? |
Hello Klali, thanks for replying. Here's my common-auth:
If I remove the yubico-pam module everything works. |
I guess my problem was not reading the documentation correctly on this last issue.
My final common-auth configuration:
I plan to use ssh keys for the linux local users and yubikey for the ldap users. Is there a way of using the yubikey for the local users as well and maintaining the ldap yubico pam entry? Maybe adding a new entry with a local validation file? Thanks. |
Hello, I'm trying to enable yubico-pam on linux machines using an openldap proxy and AD as the LDAP database. It seems that the authentication simply hangs when I try to authenticate with the yubikey.
It doesn't log anything else and the ssh session time just disconnects.
I'm able to login without the entry /etc/pam.d/sshd
auth required pam_yubico.so mode=client id=17 ldap_uri=ldaps://openldap.example.com:636 [ldap_bind_user=cn=openldap,cn=users,dc=example,dc=com] ldap_bind_password=xxxxxx ldap_cacertfile=/etc/ssl/certs/cacert.pem [ldapdn=cn=Users,DC=example,DC=com] user_attr=cn yubi_attr=YUBIKEYID debug debug_file=/var/run/pam-debug.log
I'm using nslcd as the ldap client authentication.
The Domain Controller logs the ldap query as well:
I have used the LDAP schema from the GITHUB project bellow:
https://github.com/mludvig/yubikey-ldap
Is this a newbie configuration issue or something else?
The text was updated successfully, but these errors were encountered: