libpam-yubico ykclient call fails to parse urllist parameter

Bug #1649246 reported by Øystein Larsen on 2016-12-12
Affects: yubico-pam (Ubuntu). Importance: Undecided. Assigned to: Unassigned.

Bug Description

System version: Ubuntu 14.04.5 LTS

yubico-pam version: 2.14-1
libykclient3 version: 2.12-1

Calling the pam_yubico.so PAM module as delivered by the package yubico-pam 2.14-1 fails if the Yubikey OTP servers are supplied using the urllist parameter instead of the url parameter, which nulls the option of having a failover in case the first server fails. Works on 16.04.

It is highly likely the bug is in the libykclient package since this is where the connection occurs.

Using strace to analyze connections using url vs. urllist it would seem the urllist parameter is not recognized at all inasmuch as the connection is directed towards the central Yubico authentication servers.

Building pam-yubico and ykclient-c linked to updated 14.04 packages from source according to Yubico doc renders a PAM module that works with urllist on 14.04.

Here is the sanitized PAM config line used:

auth [success=1 default=die] pam_yubico.so mode=client id=1 key=<tested and works elsewhere> urllist=http://server1/wsapi/2.0/verify;http://server2/wsapi/2.0/verify ldap_uri=ldap://ldap1,ldap://ldap2 ldapdn=ou=Users,dc=company,dc=com user_attr=uid yubi_attr=yubiKeyId debug debug_file=/var/log/pam-debug.log

Specify if you require trace files; the interesting bits (connections) are as described above.

Klas Lindfors (klali) wrote :

The urllist parameter was added in version 2.15.
There is a Yubico PPA at https://launchpad.net/~yubico/+archive/ubuntu/stable that contains recent builds for all supported versions of Ubuntu.
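Since an older module silently ignores `urllist` and falls back to the central Yubico servers (as the reporter saw in strace), a pre-deployment check on the PAM line is useful. The following is an added example, not code from the report or from the yubico-pam project: it parses the module arguments, lists the servers the configured `urllist`/`url` should reach, and flags `urllist` against a module version below 2.15 (the version the comment above names). The sample line is constructed from the sanitized one in the report with the key redacted to a single token.

```python
"""Check a pam_yubico option line for the silent urllist fallback described in the bug."""
from typing import Dict, List, Tuple

# Per the bug thread: urllist was added in yubico-pam 2.15. Older builds ignore it
# and contact Yubico's central servers instead, losing the intended failover.
URLLIST_MIN_VERSION = (2, 15)


def parse_version(ver: str) -> Tuple[int, ...]:
    """'2.14-1' -> (2, 14); the Debian revision after '-' is not the upstream version."""
    upstream = ver.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split("."))


def parse_pam_options(line: str) -> Dict[str, str]:
    """Parse module arguments into key=value pairs; bare flags (e.g. 'debug') get ''."""
    tokens = line.split()
    # Drop the PAM type/control fields up to and including the module name.
    if "pam_yubico.so" in tokens:
        tokens = tokens[tokens.index("pam_yubico.so") + 1:]
    opts: Dict[str, str] = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        opts[key] = val if sep else ""
    return opts


def verify_servers(opts: Dict[str, str]) -> List[str]:
    """Validation servers the config intends, in order; urllist is ';'-separated."""
    if "urllist" in opts:
        return [u for u in opts["urllist"].split(";") if u]
    if "url" in opts:
        return [opts["url"]]
    return []  # module default: Yubico's central servers


def check_urllist_support(opts: Dict[str, str], module_version: str) -> List[str]:
    """Return findings; an empty list means the config matches the installed module."""
    findings = []
    if "urllist" in opts and parse_version(module_version) < URLLIST_MIN_VERSION:
        findings.append(
            f"urllist requires yubico-pam >= 2.15 but {module_version} is installed; "
            "the option is ignored and OTPs go to the central Yubico servers (no failover)"
        )
    return findings


# Constructed sample based on the sanitized line in the report (key redacted to one token).
SAMPLE_LINE = ("auth [success=1 default=die] pam_yubico.so mode=client id=1 key=REDACTED "
               "urllist=http://server1/wsapi/2.0/verify;http://server2/wsapi/2.0/verify "
               "ldap_uri=ldap://ldap1,ldap://ldap2 ldapdn=ou=Users,dc=company,dc=com "
               "user_attr=uid yubi_attr=yubiKeyId debug debug_file=/var/log/pam-debug.log")
```

Run it against the version reported by `dpkg -s yubico-pam` before rolling the line out; on 14.04's 2.14-1 it reports the fallback, on 2.15 or later it stays silent.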
