libpam-yubico needs signed char on ARM

Bug #1039577 reported by Kevin Kammer
Affects: Raspbian
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

When using a yubikey cryptographic token for authentication with the pam_yubico.so module from package libpam-yubico, if the configuration is set to verify server signatures using a shared secret key, ykclient fails to authenticate the HMAC-SHA1 signature from the Yubico validation servers. This bug is unique to the ARM platform; the same module works on wheezy/amd64 and there is a patch for ARM (see below).

If we add the following line to /etc/pam.d/sshd (actual id and base64 key redacted):

auth required pam_yubico.so debug id=1234 key=MySecretKey

And then try to log in using ssh with a yubikey, an example of PAM debug output follows:

[pam_yubico.c:parse_cfg(736)] called.
[pam_yubico.c:parse_cfg(737)] flags 1 argc 3
[pam_yubico.c:parse_cfg(739)] argv[0]=debug
[pam_yubico.c:parse_cfg(739)] argv[1]=id=1234
[pam_yubico.c:parse_cfg(739)] argv[2]=key=MySecretKey
[pam_yubico.c:parse_cfg(740)] id=1234
[pam_yubico.c:parse_cfg(741)] key=MySecretKey
[pam_yubico.c:parse_cfg(742)] debug=1
[pam_yubico.c:parse_cfg(743)] alwaysok=0
[pam_yubico.c:parse_cfg(744)] verbose_otp=0
[pam_yubico.c:parse_cfg(745)] try_first_pass=0
[pam_yubico.c:parse_cfg(746)] use_first_pass=0
[pam_yubico.c:parse_cfg(747)] authfile=(null)
[pam_yubico.c:parse_cfg(748)] ldapserver=(null)
[pam_yubico.c:parse_cfg(749)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(750)] ldapdn=(null)
[pam_yubico.c:parse_cfg(751)] user_attr=(null)
[pam_yubico.c:parse_cfg(752)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(753)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(754)] url=(null)
[pam_yubico.c:parse_cfg(755)] capath=(null)
[pam_yubico.c:parse_cfg(756)] token_id_length=12
[pam_yubico.c:parse_cfg(757)] mode=client
[pam_yubico.c:parse_cfg(758)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(790)] get user returned: pi
[pam_yubico.c:pam_sm_authenticate(897)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(915)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(922)] OTP: ccccccxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ID: ccccccxxxxxx
[pam_yubico.c:pam_sm_authenticate(953)] ykclient return value (106): Server response signature was invalid (BAD_SERVER_SIGNATURE)
[pam_yubico.c:pam_sm_authenticate(993)] done. [Authentication service cannot retrieve authentication info]

I can confirm the libpam-yubico PAM module and the above configuration works on Debian Wheezy on the amd64 architecture.

Further information and a possible patch are available here:
https://github.com/Yubico/yubico-c-client/commit/6fcc3d49d1d9b733c5bd04e4e60d400ed97cda40
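The failure mode the report describes (a shared-secret signature check that passes on amd64 and fails on armhf) is the classic portability trap of plain `char`: signed on x86, unsigned on the ARM EABI. The C program below is an added illustration, not code from ykclient, libpam-yubico or the linked commit. It models a base64 key decoder that parks a negative sentinel in a `char` before testing it with `< 0`, and shows that under the unsigned-char convention the `=` padding of a constructed sample key is decoded as data, so the derived HMAC key is one garbage byte longer than the server's and every response signature check fails. The sample key (`KEY_B64`), the three `via_*` storage models and all function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: base64 of the 20-byte key "ABCDEFGHIJKLMNOPQRST",
 * padded with one '=' exactly as a real 20-byte HMAC-SHA1 key would be.
 * This is not a real Yubico API key. */
#define KEY_B64      "QUJDREVGR0hJSktMTU5PUFFSU1Q="
#define KEY_EXPECTED "ABCDEFGHIJKLMNOPQRST"
#define KEY_CAP      32

/* Map one base64 character to its 6-bit value. Negative results are
 * sentinels: -2 for '=' padding, -1 for whitespace or junk. */
static int b64_value(char ch)
{
    if (ch >= 'A' && ch <= 'Z') return ch - 'A';
    if (ch >= 'a' && ch <= 'z') return ch - 'a' + 26;
    if (ch >= '0' && ch <= '9') return ch - '0' + 52;
    if (ch == '+') return 62;
    if (ch == '/') return 63;
    if (ch == '=') return -2;
    return -1;
}

/* Three ways a decoder might park that value before testing it for
 * "negative". Each writes the value into a storage type and reads it back
 * (promoted to int), exactly as `fragment = (char)f; if (fragment < 0)`
 * would, so one build can show every char convention side by side. */
int via_plain_char(int v)    { char c = (char)v;                   return c; } /* signed on x86, unsigned on ARM */
int via_unsigned_char(int v) { unsigned char c = (unsigned char)v; return c; } /* what ARM's plain char does: -2 -> 254 */
int via_signed_char(int v)   { signed char c = (signed char)v;     return c; } /* the portable fix: sentinel survives */

/* Minimal base64 decoder. `store` is the round trip above; the `v < 0`
 * test is the one that silently stops working under unsigned char. */
static size_t b64_decode(const char *in, uint8_t *out, size_t outcap,
                         int (*store)(int))
{
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;

    for (const char *p = in; *p != '\0'; p++) {
        int v = store(b64_value(*p));
        if (v < 0)
            continue;               /* intended: skip '=' and whitespace */
        /* Under unsigned char, v is 254/255 here, so padding and junk are
         * shifted into the key material instead of being skipped. */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n < outcap)
                out[n] = (uint8_t)(acc >> bits);
            n++;
            acc &= (1u << bits) - 1u;
        }
    }
    return n;
}

/* Decode the sample key under a given char convention; returns byte count. */
size_t decode_key(uint8_t out[KEY_CAP], int (*store)(int))
{
    size_t n = b64_decode(KEY_B64, out, KEY_CAP, store);
    return n > KEY_CAP ? KEY_CAP : n;
}

size_t key_len(int (*store)(int))
{
    uint8_t k[KEY_CAP];
    return decode_key(k, store);
}

/* 1 if the decoded key is exactly the 20 bytes the validation server also
 * holds. Anything else means HMAC-SHA1 over the response is computed with
 * a different key, and every check ends in BAD_SERVER_SIGNATURE. */
int key_matches(int (*store)(int))
{
    uint8_t k[KEY_CAP];
    size_t n = decode_key(k, store);
    return n == sizeof(KEY_EXPECTED) - 1 && memcmp(k, KEY_EXPECTED, n) == 0;
}

/* Last decoded byte, to show what the '=' padding turns into. */
int last_key_byte(int (*store)(int))
{
    uint8_t k[KEY_CAP];
    size_t n = decode_key(k, store);
    return n ? k[n - 1] : -1;
}

int main(void)
{
    printf("signed char   : %zu bytes, key matches=%d\n",
           key_len(via_signed_char), key_matches(via_signed_char));
    printf("unsigned char : %zu bytes, key matches=%d, last byte=0x%02x\n",
           key_len(via_unsigned_char), key_matches(via_unsigned_char),
           last_key_byte(via_unsigned_char));
    printf("plain char    : %zu bytes (depends on this machine's char ABI)\n",
           key_len(via_plain_char));
    return 0;
}
```

Run on an x86 machine, `via_plain_char` behaves like `via_signed_char`, which is why the module works on wheezy/amd64; on armhf it behaves like `via_unsigned_char`. The defensive rule is to never keep a value that must be able to go negative in a plain `char`: use `int` or an explicit `signed char`, and compile with `-Wtype-limits` (or build once with `-funsigned-char`) to surface comparisons that can never be true on one of the two conventions.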

peter green (plugwash) wrote :

"This bug is unique to the ARM platform"
Are you sure about that? have you tested on powerpc or s390? ;)

Can you test if this also happens with debian wheezy armel (I strongly suspect it will) and if so file a bug in debian?

Kevin Kammer (mephisto-f) wrote :

> "This bug is unique to the ARM platform"
> Are you sure about that? have you tested on powerpc or s390? ;)

No, I'm not sure. Poor choice of words on my part. What I really meant to convey is perhaps more accurately stated:
This is not a bug common across all architectures; x86 and amd64 seem to behave correctly, but armhf does not.

I do not have other architectures to test (e.g. powerpc) but may be able to test armel, eventually.

peter green (plugwash) wrote :

Can you please try the following:

apt-get install debian-keyring devscripts
apt-get build-dep ykclient
dget http://ftp.de.debian.org/debian/pool/main/y/ykclient/ykclient_2.8-2.dsc
cd ykclient-2.8
dpkg-buildpackage
cd ..
dpkg -i libykclient3_2.8-2_armhf.deb

And tell me if that fixes your problem.

peter green (plugwash)
Changed in raspbian:
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for Raspbian because there has been no activity for 60 days.]

Changed in raspbian:
status: Incomplete → Expired