PAM and YubiKeys

29 Jul 2014


      Hi List,
I am trying to get authentication to Dovecot with a Yubikey OTP.
I have the PAM modules installed and can successfully authenticate to
ssh with the Yubikey, so I am confident that the network level and
Yubikey configuration is correct. I can also authenticate to Dovecot via
PAM using a plain password, however when I try to use the Yubikey
authentication with Dovecot things don't go well. Network monitoring
reveals that the software does not even attempt to connect to the
authentication servers.
My Dovecot authentication is configured as follows :-
passdb {
driver = pam
args = failure_show_msg=yes dovecot
override_fields = proxy host=1.2.3.4 master=XXXXXX pass=XXXXXX
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
}
The dovecot Pam config file is :-
auth sufficient pam_yubico.so id=99999 key="xxxxxxxxxxx"
authfile=/etc/yubikey_mappings debug
@include common-auth
@include common-account
@include common-session
When failing to authenticate with Dovecot, the PAM debug log shows :-
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 0 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes.
Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP:
ccccccbcitfdueencldivbcjvghvikdtrnujbgubirru ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (101):
Could not parse server response
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication
service cannot retrieve authentication info]
A successful authentication (via ssh) looks like
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes.
Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP:
ccccccbcitfdetdfkbjrtfbuhgbtjgethkdebcgthgde ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (0):
Success
[../pam_yubico.c:authorize_user_token(221)] Using system-wide auth_file
/etc/yubikey_mappings
[../pam_yubico.c:check_user_token(178)] Authorization line:
jack:ccccccbcitfd
[../pam_yubico.c:check_user_token(182)] Matched user: jack
[../pam_yubico.c:check_user_token(187)] Authorization token:
ccccccbcitfd
[../pam_yubico.c:check_user_token(190)] Match user/token as
jack/ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Success]
I have just noticed that the 'flags' is set to 1 by ssh. I don't know
where (or if) I can control how Dovecot sets that flag or if it has any
relevance.
The Pam configuration line for Yubikey is identical in the ssh
configuration.
Does anyone have any idea what is going wrong?
Thanks in advance,
Jack