Hi List,
I am trying to get authentication to Dovecot with a Yubikey OTP.
I have the PAM modules installed and can successfully authenticate to ssh with the Yubikey, so I am confident that the network level and Yubikey configuration are correct. I can also authenticate to Dovecot via PAM using a plain password; however, when I try to use the Yubikey authentication with Dovecot things don't go well. Network monitoring reveals that the software does not even attempt to connect to the authentication servers.
My Dovecot authentication is configured as follows :-
passdb {
  driver = pam
  args = failure_show_msg=yes dovecot
  override_fields = proxy host=1.2.3.4 master=XXXXXX pass=XXXXXX
}

userdb {
  driver = passwd-file
  args = username_format=%u /etc/dovecot/users
}
The dovecot PAM config file is :-

auth sufficient pam_yubico.so id=99999 key="xxxxxxxxxxx" authfile=/etc/yubikey_mappings debug
@include common-auth
@include common-account
@include common-session
When failing to authenticate with Dovecot, the PAM debug log shows :-
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 0 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdueencldivbcjvghvikdtrnujbgubirru ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (101): Could not parse server response
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
A successful authentication (via ssh) looks like :-
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdetdfkbjrtfbuhgbtjgethkdebcgthgde ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (0): Success
[../pam_yubico.c:authorize_user_token(221)] Using system-wide auth_file /etc/yubikey_mappings
[../pam_yubico.c:check_user_token(178)] Authorization line: jack:ccccccbcitfd
[../pam_yubico.c:check_user_token(182)] Matched user: jack
[../pam_yubico.c:check_user_token(187)] Authorization token: ccccccbcitfd
[../pam_yubico.c:check_user_token(190)] Match user/token as jack/ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Success]
I have just noticed that 'flags' is set to 1 by ssh. I don't know where (or if) I can control how Dovecot sets that flag, or whether it has any relevance. The PAM configuration line for Yubikey is identical in the ssh configuration.
Does anyone have any idea what is going wrong?
Thanks in advance,
Jack
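When two pam_yubico debug traces look alike apart from the outcome, it helps to parse them into fields and diff the runs rather than read them side by side. The script below is an added example written for this thread, not code from the post, Dovecot or pam_yubico; the two traces embedded in it are abbreviated copies of the failing (Dovecot) and successful (ssh) runs quoted above, with the same masked `id=`/`key=` placeholders in both so that only genuine differences show up. It also checks that the OTP pam_yubico extracted has the shape the module expects (44 modhex characters, 12-character public ID prefix), which rules out a malformed conversation string as the cause of the ykclient parse error.

```python
import re
from typing import Dict, List, Optional, Tuple

# Yubikey OTPs are written in modhex, a 16-letter alphabet chosen to survive keyboard layouts.
MODHEX = set("cbdefghijklnrtuv")
OTP_LEN, PUBLIC_ID_LEN = 44, 12

# One debug entry is "[../pam_yubico.c:FUNCTION(LINE)] message"; extraction often flattens
# many of them onto one line, so we split on the prefix rather than on newlines.
ENTRY_RE = re.compile(r"\[\.\./pam_yubico\.c:(\w+)\((\d+)\)\]\s*")

# Constructed sample input: trimmed versions of the two traces quoted in the post.
# The OTPs are the ones shown there; Yubikey OTPs are single-use, so they are already spent.
FAILING_TRACE = " ".join([
    "[../pam_yubico.c:parse_cfg(761)] called.",
    "[../pam_yubico.c:parse_cfg(762)] flags 0 argc 4",
    "[../pam_yubico.c:parse_cfg(765)] id=xxxxxx",
    '[../pam_yubico.c:parse_cfg(766)] key="xxxxxx"',
    "[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings",
    "[../pam_yubico.c:parse_cfg(779)] url=(null)",
    "[../pam_yubico.c:parse_cfg(780)] capath=(null)",
    "[../pam_yubico.c:parse_cfg(781)] token_id_length=12",
    "[../pam_yubico.c:parse_cfg(782)] mode=client",
    "[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack",
    "[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes",
    "[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdueencldivbcjvghvikdtrnujbgubirru ID: ccccccbcitfd",
    "[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (101): Could not parse server response",
    "[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]",
])
SUCCESS_TRACE = " ".join([
    "[../pam_yubico.c:parse_cfg(761)] called.",
    "[../pam_yubico.c:parse_cfg(762)] flags 1 argc 4",
    "[../pam_yubico.c:parse_cfg(765)] id=xxxxxx",
    '[../pam_yubico.c:parse_cfg(766)] key="xxxxxx"',
    "[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings",
    "[../pam_yubico.c:parse_cfg(779)] url=(null)",
    "[../pam_yubico.c:parse_cfg(780)] capath=(null)",
    "[../pam_yubico.c:parse_cfg(781)] token_id_length=12",
    "[../pam_yubico.c:parse_cfg(782)] mode=client",
    "[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack",
    "[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes",
    "[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdetdfkbjrtfbuhgbtjgethkdebcgthgde ID: ccccccbcitfd",
    "[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (0): Success",
    "[../pam_yubico.c:check_user_token(190)] Match user/token as jack/ccccccbcitfd",
    "[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Success]",
])


def split_entries(trace: str) -> List[Tuple[str, int, str]]:
    """Split a (possibly flattened) trace into (function, source line, message) tuples."""
    matches = list(ENTRY_RE.finditer(trace))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(trace)
        entries.append((m.group(1), int(m.group(2)), trace[m.end():end].strip()))
    return entries


def summarize(trace: str) -> Dict[str, str]:
    """Extract the fields that matter for diagnosis: PAM flags, parsed config, user, OTP, ykclient result."""
    out: Dict[str, str] = {}
    for func, _line, msg in split_entries(trace):
        if func == "parse_cfg":
            m = re.match(r"flags (\d+) argc (\d+)", msg)
            if m:
                out["flags"] = m.group(1)
                continue
            m = re.match(r"(\w+)=(.*)", msg)  # id=, key=, mode=, url=, ... (argv[N]= lines skipped)
            if m and not msg.startswith("argv"):
                out["cfg." + m.group(1)] = m.group(2)
        elif func == "pam_sm_authenticate":
            for key, pattern in (("user", r"get user returned: (\S+)"),
                                 ("ykclient_rc", r"ykclient return value \((\d+)\)"),
                                 ("ykclient_msg", r"ykclient return value \(\d+\): (.*)"),
                                 ("pam_result", r"done\. \[(.*)\]")):
                m = re.match(pattern, msg)
                if m:
                    out[key] = m.group(1)
            m = re.match(r"OTP: (\S+) ID: (\S+)", msg)
            if m:
                out["otp"], out["public_id"] = m.group(1), m.group(2)
        elif func == "check_user_token":
            m = re.match(r"Match user/token as (\S+)", msg)
            if m:
                out["authorized_as"] = m.group(1)
    return out


def otp_shape_ok(otp: str, public_id: str) -> bool:
    """True if the OTP is 44 modhex chars and starts with the 12-char public ID pam_yubico reported."""
    return (len(otp) == OTP_LEN and len(public_id) == PUBLIC_ID_LEN
            and set(otp) <= MODHEX and otp.startswith(public_id))


def diff_runs(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Fields that differ between two summaries; the OTP itself is ignored since it differs every time."""
    keys = (set(a) | set(b)) - {"otp"}
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    failing, success = summarize(FAILING_TRACE), summarize(SUCCESS_TRACE)
    for name, s in (("dovecot", failing), ("ssh", success)):
        print(f"{name}: otp shape ok = {otp_shape_ok(s['otp'], s['public_id'])}")
    for k, (fv, sv) in diff_runs(failing, success).items():
        print(f"{k}: dovecot={fv!r} ssh={sv!r}")
```

Run against the two traces, the diff reduces to `flags`, the ykclient return code and message, the PAM result, and the authorization step that only the successful run reaches; every `cfg.*` value, the user and the public ID are identical, and both OTPs pass the shape check. That narrows the question to what the Dovecot auth process environment does to ykclient's validation request (which the post's network monitoring says never leaves the host), rather than to the PAM line or the token.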