-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use pam_yubico with SSH keypairs #193
Comments
Here is what I did on Centos 8
Disable
Enable ChallengeResponseAuthentication Add |
First of all: Thanks @zypA13510 for your short tutorial. This helped me setting up MFA with SSH keypairs on my Ubuntu 20.04.4 LTS VM. To make MFA optional, I added
If a user has the file Unfortunately, this mechanism does not work anymore on Ubuntu 22.04.1 LTS. After providing the SSH key for an account without pam-debug.log on Ubuntu 22.04.1 LTSdebug: ../pam_yubico.c:838 (parse_cfg): called. debug: ../pam_yubico.c:839 (parse_cfg): flags 1 argc 5 debug: ../pam_yubico.c:841 (parse_cfg): argv[0]=id=[ID] debug: ../pam_yubico.c:841 (parse_cfg): argv[1]=key=[KEY] debug: ../pam_yubico.c:841 (parse_cfg): argv[2]=nullok debug: ../pam_yubico.c:841 (parse_cfg): argv[3]=debug debug: ../pam_yubico.c:841 (parse_cfg): argv[4]=debug_file=/var/run/pam-debug.log debug: ../pam_yubico.c:842 (parse_cfg): id=[ID] debug: ../pam_yubico.c:843 (parse_cfg): key=[KEY] debug: ../pam_yubico.c:844 (parse_cfg): debug=1 debug: ../pam_yubico.c:845 (parse_cfg): debug_file=5 debug: ../pam_yubico.c:846 (parse_cfg): alwaysok=0 debug: ../pam_yubico.c:847 (parse_cfg): verbose_otp=0 debug: ../pam_yubico.c:848 (parse_cfg): try_first_pass=0 debug: ../pam_yubico.c:849 (parse_cfg): use_first_pass=0 debug: ../pam_yubico.c:850 (parse_cfg): nullok=1 debug: ../pam_yubico.c:851 (parse_cfg): authfile=(null) debug: ../pam_yubico.c:852 (parse_cfg): ldapserver=(null) debug: ../pam_yubico.c:853 (parse_cfg): ldap_uri=(null) debug: ../pam_yubico.c:854 (parse_cfg): ldap_bind_user=(null) debug: ../pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null) debug: ../pam_yubico.c:856 (parse_cfg): ldap_filter=(null) debug: ../pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null) debug: ../pam_yubico.c:858 (parse_cfg): ldapdn=(null) debug: ../pam_yubico.c:859 (parse_cfg): user_attr=(null) debug: ../pam_yubico.c:860 (parse_cfg): yubi_attr=(null) debug: ../pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null) debug: ../pam_yubico.c:862 (parse_cfg): url=(null) debug: ../pam_yubico.c:863 (parse_cfg): urllist=(null) debug: ../pam_yubico.c:864 (parse_cfg): capath=(null) debug: ../pam_yubico.c:865 (parse_cfg): cainfo=(null) debug: ../pam_yubico.c:866 (parse_cfg): proxy=(null) debug: ../pam_yubico.c:867 (parse_cfg): token_id_length=12 debug: ../pam_yubico.c:868 (parse_cfg): mode=client debug: ../pam_yubico.c:869 (parse_cfg): chalresp_path=(null) debug: ../pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26 debug: ../pam_yubico.c:914 (pam_sm_authenticate): get user returned: root debug: ../pam_yubico.c:187 (authorize_user_token): Dropping privileges debug: ../util.c:115 (check_user_token): Cannot open file: /root/.yubico/authorized_yubikeys (No such file or directory) debug: ../pam_yubico.c:1029 (pam_sm_authenticate): Internal error while looking for user tokens debug: ../pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication service cannot retrieve authentication info] Just for comparison, the log file from my Ubuntu 20.04.4 LTS using the same scenario: pam-debug.log on Ubuntu 20.04.4 LTSdebug: pam_yubico.c:933 (parse_cfg): called. debug: pam_yubico.c:934 (parse_cfg): flags 1 argc 5 debug: pam_yubico.c:936 (parse_cfg): argv[0]=id=[ID] debug: pam_yubico.c:936 (parse_cfg): argv[1]=key=[KEY] debug: pam_yubico.c:936 (parse_cfg): argv[2]=nullok debug: pam_yubico.c:936 (parse_cfg): argv[3]=debug debug: pam_yubico.c:936 (parse_cfg): argv[4]=debug_file=/var/run/pam-debug.log debug: pam_yubico.c:937 (parse_cfg): id=[ID] debug: pam_yubico.c:938 (parse_cfg): key=[KEY] debug: pam_yubico.c:939 (parse_cfg): debug=1 debug: pam_yubico.c:940 (parse_cfg): debug_file=5 debug: pam_yubico.c:941 (parse_cfg): alwaysok=0 debug: pam_yubico.c:942 (parse_cfg): verbose_otp=0 debug: pam_yubico.c:943 (parse_cfg): try_first_pass=0 debug: pam_yubico.c:944 (parse_cfg): use_first_pass=0 debug: pam_yubico.c:945 (parse_cfg): always_prompt=0 debug: pam_yubico.c:946 (parse_cfg): nullok=1 debug: pam_yubico.c:947 (parse_cfg): ldap_starttls=0 debug: pam_yubico.c:948 (parse_cfg): ldap_bind_as_user=0 debug: pam_yubico.c:949 (parse_cfg): authfile=(null) debug: pam_yubico.c:950 (parse_cfg): ldapserver=(null) debug: pam_yubico.c:951 (parse_cfg): ldap_uri=(null) debug: pam_yubico.c:952 (parse_cfg): ldap_bind_user=(null) debug: pam_yubico.c:953 (parse_cfg): ldap_bind_password=(null) debug: pam_yubico.c:954 (parse_cfg): ldap_filter=(null) debug: pam_yubico.c:955 (parse_cfg): ldap_cacertfile=(null) debug: pam_yubico.c:956 (parse_cfg): ldapdn=(null) debug: pam_yubico.c:957 (parse_cfg): ldap_clientcertfile=(null) debug: pam_yubico.c:958 (parse_cfg): ldap_clientkeyfile=(null) debug: pam_yubico.c:959 (parse_cfg): user_attr=(null) debug: pam_yubico.c:960 (parse_cfg): yubi_attr=(null) debug: pam_yubico.c:961 (parse_cfg): yubi_attr_prefix=(null) debug: pam_yubico.c:962 (parse_cfg): url=(null) debug: pam_yubico.c:963 (parse_cfg): urllist=(null) debug: pam_yubico.c:964 (parse_cfg): capath=(null) debug: pam_yubico.c:965 (parse_cfg): cainfo=(null) debug: pam_yubico.c:966 (parse_cfg): proxy=(null) debug: pam_yubico.c:967 (parse_cfg): token_id_length=12 debug: pam_yubico.c:968 (parse_cfg): mode=client debug: pam_yubico.c:969 (parse_cfg): chalresp_path=(null) debug: pam_yubico.c:970 (parse_cfg): mysql_server=(null) debug: pam_yubico.c:971 (parse_cfg): mysql_port=0 debug: pam_yubico.c:972 (parse_cfg): mysql_user=(null) debug: pam_yubico.c:973 (parse_cfg): mysql_database=(null) debug: pam_yubico.c:1009 (pam_sm_authenticate): pam_yubico version: 2.27 debug: pam_yubico.c:1024 (pam_sm_authenticate): get user returned: root debug: pam_yubico.c:221 (authorize_user_token): Dropping privileges debug: pam_yubico.c:1149 (pam_sm_authenticate): No tokens found for user debug: pam_yubico.c:1337 (pam_sm_authenticate): done. [The return value should be ignored by PAM dispatch] It seems to me, that the Note: Whats bothering me the most is that the older Ubuntu 20.04.4 LTS release gets the 2.27 version of EDIT: My simple (but hopefully temporary) workaround is to setup empty |
Well, it seems that I stumbled upon an old issue with version 2.26.; see #194 and f300115. I think the real issue is, that the PPA does not provide the current version 2.27 for Ubuntu 22.04... |
After struggling for quite some time despite following the doc and various sources on the Internet, I have finally discovered the way to configure pam_yubico as the 2nd factor along with SSH keys for authentication.
The culprit is that sshd skips PAM auth altogether when publickey authentication is used and accepted. The solution comes from this post, in
/etc/ssh/sshd_config
, you need to enableChallengeResponseAuthentication
and also explicitly specifyAuthenticationMethods publickey,keyboard-interactive
. The final result looks like this:Also,
common-auth
stack (aka.password-auth
/system-auth
) needs to be commented out in/etc/pam.d/sshd
unless publickey+yubikey+password is desired.I believe this information may be helpful for future users and it could be integrated into YubiKey and SSH via PAM.
The text was updated successfully, but these errors were encountered: