PAM and YubiKeys
Jack
list-dovecot at jack.org.uk
Tue Jul 29 15:43:34 UTC 2014
Hi List,
I am trying to get authentication to Dovecot with a Yubikey OTP.
I have the PAM modules installed and can successfully authenticate to
ssh with the Yubikey, so I am confident that the network level and
Yubikey configuration is correct. I can also authenticate to Dovecot via
PAM using a plain password, however when I try to use the Yubikey
authentication with Dovecot things don't go well. Network monitoring
reveals that the software does not even attempt to connect to the
authentication servers.
My Dovecot authentication is configured as follows :-
passdb {
driver = pam
args = failure_show_msg=yes dovecot
override_fields = proxy host=1.2.3.4 master=XXXXXX pass=XXXXXX
}
userdb {
driver = passwd-file
args = username_format=%u /etc/dovecot/users
}
The Dovecot PAM config file is :-
auth sufficient pam_yubico.so id=99999 key="xxxxxxxxxxx" authfile=/etc/yubikey_mappings debug
@include common-auth
@include common-account
@include common-session
When failing to authenticate with Dovecot, the PAM debug log shows :-
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 0 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdueencldivbcjvghvikdtrnujbgubirru ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (101): Could not parse server response
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Authentication service cannot retrieve authentication info]
A successful authentication (via ssh) looks like :-
[../pam_yubico.c:parse_cfg(761)] called.
[../pam_yubico.c:parse_cfg(762)] flags 1 argc 4
[../pam_yubico.c:parse_cfg(764)] argv[0]=id=xxxx
[../pam_yubico.c:parse_cfg(764)] argv[1]=key="xxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(764)] argv[2]=authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(764)] argv[3]=debug
[../pam_yubico.c:parse_cfg(765)] id=xxxxxx
[../pam_yubico.c:parse_cfg(766)] key="xxxxxxxxxxxxxxxxxxx"
[../pam_yubico.c:parse_cfg(767)] debug=1
[../pam_yubico.c:parse_cfg(768)] alwaysok=0
[../pam_yubico.c:parse_cfg(769)] verbose_otp=0
[../pam_yubico.c:parse_cfg(770)] try_first_pass=0
[../pam_yubico.c:parse_cfg(771)] use_first_pass=0
[../pam_yubico.c:parse_cfg(772)] authfile=/etc/yubikey_mappings
[../pam_yubico.c:parse_cfg(773)] ldapserver=(null)
[../pam_yubico.c:parse_cfg(774)] ldap_uri=(null)
[../pam_yubico.c:parse_cfg(775)] ldapdn=(null)
[../pam_yubico.c:parse_cfg(776)] user_attr=(null)
[../pam_yubico.c:parse_cfg(777)] yubi_attr=(null)
[../pam_yubico.c:parse_cfg(778)] yubi_attr_prefix=(null)
[../pam_yubico.c:parse_cfg(779)] url=(null)
[../pam_yubico.c:parse_cfg(780)] capath=(null)
[../pam_yubico.c:parse_cfg(781)] token_id_length=12
[../pam_yubico.c:parse_cfg(782)] mode=client
[../pam_yubico.c:parse_cfg(783)] chalresp_path=(null)
[../pam_yubico.c:pam_sm_authenticate(823)] get user returned: jack
[../pam_yubico.c:pam_sm_authenticate(929)] conv returned 44 bytes
[../pam_yubico.c:pam_sm_authenticate(947)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[../pam_yubico.c:pam_sm_authenticate(954)] OTP: ccccccbcitfdetdfkbjrtfbuhgbtjgethkdebcgthgde ID: ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(985)] ykclient return value (0): Success
[../pam_yubico.c:authorize_user_token(221)] Using system-wide auth_file /etc/yubikey_mappings
[../pam_yubico.c:check_user_token(178)] Authorization line: jack:ccccccbcitfd
[../pam_yubico.c:check_user_token(182)] Matched user: jack
[../pam_yubico.c:check_user_token(187)] Authorization token: ccccccbcitfd
[../pam_yubico.c:check_user_token(190)] Match user/token as jack/ccccccbcitfd
[../pam_yubico.c:pam_sm_authenticate(1038)] done. [Success]
I have just noticed that 'flags' is set to 1 by ssh. I don't know
where (or if) I can control how Dovecot sets that flag, or if it has any
relevance.
The PAM configuration line for the Yubikey is identical in the ssh
configuration.
Does anyone have any idea what is going wrong?
Thanks in advance,
Jack
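The debug logs above show the two local steps pam_yubico performs before and after the network validation: splitting the 44-character conversation input into a 12-character public token ID plus a 32-character OTP body ("Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32"), and matching that token ID against the user's line in the authfile ("Authorization line: jack:ccccccbcitfd"). The following Python is an added illustration of those two steps, not code from the post or from pam_yubico itself; the authfile content, the extra user "alice" and the function names are constructed for the example, and the ModHex alphabet and the 12/32 split are the defaults the log reports. It deliberately does nothing about the ykclient call that fails in the post, since that depends on the validation server response.

```python
# Added example: mirror pam_yubico's local OTP splitting and authfile
# ownership check. Assumptions are labelled; nothing here talks to a
# validation server, so a passing ownership check is NOT a valid login.

MODHEX_ALPHABET = "cbdefghijklnrtuv"  # YubiKey OTPs are ModHex-encoded
TOKEN_ID_LENGTH = 12                  # token_id_length=12 in the log
OTP_BODY_LENGTH = 32                  # "token OTP always 32" in the log
OTP_TOTAL_LENGTH = TOKEN_ID_LENGTH + OTP_BODY_LENGTH  # 44

# Constructed authfile in the same "user:tokenid[:tokenid...]" format as the
# post's /etc/yubikey_mappings line "jack:ccccccbcitfd". The "alice" entry
# is invented for the example.
SAMPLE_AUTHFILE = """\
# user:tokenid[:tokenid...]
jack:ccccccbcitfd
alice:ccccccdddddd:ccccccffffff
"""


def is_valid_otp(otp: str) -> bool:
    """True if otp is exactly 44 ModHex characters (structure only)."""
    return (len(otp) == OTP_TOTAL_LENGTH
            and all(ch in MODHEX_ALPHABET for ch in otp))


def split_conv_input(conv_input: str) -> tuple[str, str]:
    """Reproduce the log's 'Skipping first N bytes': the trailing 44
    characters are the OTP, anything before them is treated as a
    first-factor password (N == 0 when only the OTP was typed)."""
    skip = len(conv_input) - OTP_TOTAL_LENGTH
    if skip < 0:
        raise ValueError("input shorter than a 44-character OTP")
    return conv_input[:skip], conv_input[skip:]


def split_otp(otp: str) -> tuple[str, str]:
    """Return (public token ID, OTP body), as the 'OTP: ... ID: ...' log line does."""
    if not is_valid_otp(otp):
        raise ValueError("not a 44-character ModHex OTP")
    return otp[:TOKEN_ID_LENGTH], otp[TOKEN_ID_LENGTH:]


def parse_authfile(text: str) -> dict[str, set[str]]:
    """Parse user:tokenid[:tokenid...] lines; blank lines and '#' comments ignored."""
    mapping: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *tokens = line.split(":")
        mapping.setdefault(user, set()).update(t for t in tokens if t)
    return mapping


def user_owns_token(mapping: dict[str, set[str]], user: str, otp: str) -> bool:
    """The check_user_token step: does this user's authfile line list the
    token ID carried in the OTP? Returns False for a malformed OTP instead
    of raising, so a caller can log and deny uniformly."""
    try:
        token_id, _body = split_otp(otp)
    except ValueError:
        return False
    return token_id in mapping.get(user, set())


if __name__ == "__main__":
    mapping = parse_authfile(SAMPLE_AUTHFILE)
    # The OTP from the post's successful ssh login; its ID is jack's.
    otp = "ccccccbcitfdetdfkbjrtfbuhgbtjgethkdebcgthgde"
    print("jack owns token:", user_owns_token(mapping, "jack", otp))
    print("alice owns token:", user_owns_token(mapping, "alice", otp))
```

Running it shows that the token ID match alone says nothing about the OTP being fresh or genuine; in the failing log the mapping step is never reached because ykclient returns 101 first, so the point of failure is the server round trip, not the authfile.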