Package Details: yubico-pam-git 2.19.r12.g11326d0-1

Git Clone URL: https://aur.archlinux.org/yubico-pam-git.git (read-only)
Package Base: yubico-pam-git
Description: Yubico YubiKey PAM module - git checkout
Upstream URL: https://github.com/Yubico/yubico-pam
Licenses: BSD
Conflicts: pam_yubico, yubico-pam
Provides: pam_yubico, yubico-pam
Submitter: Gohu
Maintainer: eworm
Last Packager: eworm
Votes: 13
Popularity: 0.001260
First Submitted: 2011-04-24 19:09
Last Updated: 2015-08-13 05:31

Latest Comments

slester commented on 2015-08-13 02:29

Please add asciidoc to dependencies.

belette commented on 2015-06-01 13:17

Many thanks eworm.
I tried again to launch the script with a tcpdump running, but nothing is seen. I suspect that once the test is done, even if I run makepkg -s -f, it will not happen again.

A little question regarding PAM with SSH: the documentation asks to put:
auth sufficient pam_yubico.so id=16 authfile=/etc/authkeyfile
into /etc/pam.d/sshd

I realized that if I hit Enter when the YubiKey prompt is waiting for an OTP, PAM then asks me for a password.
Since I would like to force OTP, I commented out some rules and did:
auth sufficient pam_yubico.so id=16 authfile=/etc/authkeyfile
#auth required pam_securetty.so #disable remote root
#auth include system-remote-login
#account include system-remote-login
#password include system-remote-login
session include system-remote-login

Is it correct in terms of implementation / security?
It is working correctly, but I just have doubts about the best practices.
Many thanks!

eworm commented on 2015-05-31 21:56

make check asks the Yubico authentication server with some default credentials. This happens via http or https.

belette commented on 2015-05-31 21:30

Thanks for your comment.
curl was installed.
I realized that it was my iptables issue.
Is there any special test remotely needed to be done by the script?
Many thanks

eworm commented on 2015-05-31 18:15

Possibly you are missing curl. Can you install that and retry?

belette commented on 2015-05-30 21:02

Even though perl-net-ldap-server is installed and up to date, plus all other dependencies, I am unable to run make check install.

I am trying to install yubico-pam using the git version. I installed all dependencies, but I am failing on the last stage.
I tried to use --without-ldap when running ./configure, as I don't need it, but it keeps failing when running make check install.
If anyone has an idea I would appreciate it a lot :)

This is the test-suite.log

===========================================
pam_yubico 2.20: tests/test-suite.log
===========================================

# TOTAL: 3
# PASS: 2
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: pam_test
==============

YKVAL mockup started on 30559 at ./aux/ykval.pl line 52.
YKVAL mockup started on 17502 at ./aux/ykval.pl line 52.
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(752)] urllist=(null)
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.20
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (109): Error performing curl
[pam_yubico.c:pam_sm_authenticate(1005)] ykclient url used:
[pam_yubico.c:pam_sm_authenticate(1073)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
test 1 failed!
killed 13963 and 13964
FAIL pam_test (exit status: 1)


Many thanks,

2bluesc commented on 2015-05-02 23:50

Having to install a bunch of perl-net-ldap-server options every time I update is very annoying.

One option is to pass '--without-ldap' to the ./configure script. Or we could the tests/aux/ldap.pl script from pam_tests.c.

Aerion commented on 2015-01-21 11:22

After updating perl-net-ldap-server and installing its new dependencies the package built correctly.

Many thanks for your quick response!

eworm commented on 2015-01-20 20:55

perl-net-ldap-server was missing dependencies. Please install perl-net-ldap-server 0.43-2 and try again.

Aerion commented on 2015-01-20 20:35

Yes, perl-net-ldap-server is installed.

Sorry, of course, I should have thought to include the log straight away.

The content of the log doesn't mean an awful lot to me, but the most obvious errors are

[pam_yubico.c:authorize_user_token_ldap(271)] ldap_simple_bind_s: Can't contact LDAP server
[pam_yubico.c:pam_sm_authenticate(982)] Internal error while validating user

I don't run an LDAP server.

I've uploaded the full log here http://pastebin.com/kyFTWYrW
