Cannot setup pam_oath with Yubikey: OTP not authorized to login as user


Post by Apt »

So, what I want is to login to system with Yubikey as a second factor or the only factor.

I use Linux Mint 21.3, my Yubikey is 5C NFC.

My /etc/pam.d/common-auth:

    auth    [success=1 default=ignore]      pam_unix.so nullok
    auth    requisite                       pam_deny.so
    auth    required pam_oath.so debug usersfile=/etc/users.oath digits=6 window=0
    auth    required                        pam_permit.so
    auth    required                        pam_ecryptfs.so unwrap
    auth    optional                        pam_cap.so
The only line I've added is the third; the rest was there before me.

Q1: Do I understand correctly that the line order matters?

With oathtool I generate/convert HEX secret to Base32:

    kein@leaf:~$ oathtool -v --hotp -d 6 46362175108032033577
    Hex secret: 46362175108032033577
    Base32 secret: IY3CC5IQQAZAGNLX
    Digits: 6
    Window size: 0
    Start counter: 0x0 (0)
    
    801904
With yubikey-manager (1.2.5 AppImage) I configure one of the slots for OATH-HOTP, pasting the Base32 secret and selecting 6 digits.

Then I create /etc/users.oath (permissions 600, owner root):

    HOTP	kein	-	46362175108032033577
NOW: The first attempt is successful:

    kein@leaf:~$ sudo echo "YAPPY"
    [sudo] password for kein:            
    [../../pam_oath/pam_oath.c:parse_cfg(123)] called.
    [../../pam_oath/pam_oath.c:parse_cfg(124)] flags 32768 argc 4
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[0]=debug
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[1]=usersfile=/etc/users.oath
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[2]=digits=6
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[3]=window=0
    [../../pam_oath/pam_oath.c:parse_cfg(127)] debug=1
    [../../pam_oath/pam_oath.c:parse_cfg(128)] alwaysok=0
    [../../pam_oath/pam_oath.c:parse_cfg(129)] try_first_pass=0
    [../../pam_oath/pam_oath.c:parse_cfg(130)] use_first_pass=0
    [../../pam_oath/pam_oath.c:parse_cfg(131)] usersfile=/etc/users.oath
    [../../pam_oath/pam_oath.c:parse_cfg(132)] digits=6
    [../../pam_oath/pam_oath.c:parse_cfg(133)] window=0
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(275)] get user returned: kein
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(283)] usersfile is /etc/users.oath
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(293)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Sun Jun 30 07:11:28 3357022
    
    One-time password (OATH) for `kein':       
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(376)] conv returned: 801904
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(440)] OTP: 801904
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(448)] authenticate rc 0 (OATH_OK: Successful return) last otp Tue Nov  8 02:59:37 4368416
    
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(472)] done. [Success]
    YAPPY
BUT the second attempt (another terminal) fails:

    kein@leaf:~$ sudo echo "YAPPY"
    [sudo] password for kein:            
    [../../pam_oath/pam_oath.c:parse_cfg(123)] called.
    [../../pam_oath/pam_oath.c:parse_cfg(124)] flags 32768 argc 4
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[0]=debug
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[1]=usersfile=/etc/users.oath
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[2]=digits=6
    [../../pam_oath/pam_oath.c:parse_cfg(126)] argv[3]=window=0
    [../../pam_oath/pam_oath.c:parse_cfg(127)] debug=1
    [../../pam_oath/pam_oath.c:parse_cfg(128)] alwaysok=0
    [../../pam_oath/pam_oath.c:parse_cfg(129)] try_first_pass=0
    [../../pam_oath/pam_oath.c:parse_cfg(130)] use_first_pass=0
    [../../pam_oath/pam_oath.c:parse_cfg(131)] usersfile=/etc/users.oath
    [../../pam_oath/pam_oath.c:parse_cfg(132)] digits=6
    [../../pam_oath/pam_oath.c:parse_cfg(133)] window=0
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(275)] get user returned: kein
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(283)] usersfile is /etc/users.oath
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(293)] authenticate first pass rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Sun Mar 24 18:24:03 2024
    
    One-time password (OATH) for `kein':       
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(376)] conv returned: 118838
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(440)] OTP: 118838
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(448)] authenticate rc -6 (OATH_INVALID_OTP: The OTP is not valid) last otp Sun Mar 24 18:24:03 2024
    
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(455)] One-time password not authorized to login as user 'kein'
    [../../pam_oath/pam_oath.c:pam_sm_authenticate(472)] done. [Authentication failure]
    Sorry, try again.
    [sudo] password for kein: 
After all this, /etc/users.oath contains:

    HOTP kein - 46362175108032033577 0 801904 2024-03-24T18:24:03L
Q2: Why do the second (and following) attempts fail? What is wrong?

Q3: Why `OATH_INVALID_DIGITS: Unsupported number of OTP digits`?
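An added worked example, not from the post and not code from pam_oath or oath-toolkit: a small Python model of RFC 4226 HOTP and of a look-ahead validator, using the hex secret and the counter-0 code from the post as reference data. The validator's counter bookkeeping (search from a given counter, accept the first match within `window`), the placeholder password, and the names `validate_hotp`, `resync_demo` and `replay_post_scenario` are assumptions for illustration, not pam_oath's own logic. It makes two things in the debug log concrete: the "first pass" line is pam_oath trying the token already on the PAM stack (the password just typed for pam_unix), which is not six digits and therefore fails the digits check before the OTP prompt appears; and with `window=0` exactly one counter value is ever compared, so a code from a token whose internal counter has moved ahead of the counter recorded in /etc/users.oath is rejected until the window is widened or the counter is brought back in step.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

# Reference data taken from the post: the hex secret passed to oathtool and the
# 6-digit code oathtool printed for counter 0. Everything else here is constructed.
HEX_SECRET = "46362175108032033577"
SECRET = bytes.fromhex(HEX_SECRET)   # the 10 raw key bytes
DIGITS = 6
FIRST_OTP_FROM_POST = "801904"       # oathtool output for counter 0, accepted by pam_oath
SECOND_OTP_FROM_POST = "118838"      # what the YubiKey produced on the failed attempt


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def base32_secret(secret: bytes) -> str:
    """Base32 form of the key, the encoding yubikey-manager takes when programming a slot."""
    return base64.b32encode(secret).decode("ascii")


def validate_hotp(secret: bytes, otp: str, search_from: int, window: int = 0,
                  digits: int = DIGITS) -> Tuple[str, Optional[int]]:
    """Look-ahead validation (assumed model, not pam_oath's own bookkeeping):
    accept `otp` if it equals HOTP for some counter in [search_from, search_from + window].
    Returns (status, accepted_counter); status names mirror the libaoth codes in the debug log."""
    if len(otp) != digits or not otp.isdigit():
        # The check the post's "first pass" trips over: a Unix password is not a 6-digit code.
        return ("OATH_INVALID_DIGITS", None)
    for step in range(window + 1):
        candidate = search_from + step
        if hmac.compare_digest(hotp(secret, candidate, digits), otp):
            return ("OATH_OK", candidate)
    return ("OATH_INVALID_OTP", None)


def resync_demo(secret: bytes, server_counter: int, presses_ahead: int,
                window: int) -> Tuple[str, Optional[int]]:
    """A token pressed `presses_ahead` times beyond what the server last saw (e.g. while
    testing the slot in an editor) emits HOTP(server_counter + presses_ahead).
    Shows whether a given look-ahead window lets the server catch up."""
    otp = hotp(secret, server_counter + presses_ahead)
    return validate_hotp(secret, otp, search_from=server_counter, window=window)


def replay_post_scenario() -> Dict[str, Tuple[str, Optional[int]]]:
    """Replay the post's attempts against window=0, plus a wider search to see where the
    YubiKey's second code would land (assumption: after a success the search moves to counter+1)."""
    return {
        # pam_unix's password reaches pam_oath first; constructed placeholder password.
        "first_pass_with_password": validate_hotp(SECRET, "correct-horse-battery", 0),
        "attempt1_window0": validate_hotp(SECRET, FIRST_OTP_FROM_POST, search_from=0),
        "attempt2_window0_counter0": validate_hotp(SECRET, SECOND_OTP_FROM_POST, search_from=0),
        "attempt2_window0_counter1": validate_hotp(SECRET, SECOND_OTP_FROM_POST, search_from=1),
        "attempt2_window200_counter1": validate_hotp(SECRET, SECOND_OTP_FROM_POST, 1, window=200),
    }


if __name__ == "__main__":
    print("Base32 secret:", base32_secret(SECRET))
    print("HOTP counter 0..3:", [hotp(SECRET, c) for c in range(4)])
    for name, result in replay_post_scenario().items():
        print(f"{name}: {result}")
    print("token 4 presses ahead, window=0 :", resync_demo(SECRET, 0, 4, window=0))
    print("token 4 presses ahead, window=10:", resync_demo(SECRET, 0, 4, window=10))
```

Running it reproduces the Base32 string and the counter-0 code from the post, which confirms the hex secret was parsed the same way by oathtool and by this model. The `attempt2_*` entries show what the YubiKey's code looks like under a zero window versus a wide search from the next counter; a real validator also records and rejects the last accepted code (pam_oath writes it into the usersfile for exactly that reason), which this model leaves out. Since the hex key in /etc/users.oath is all anyone needs to mint valid codes, the 0600/root ownership from the post is the right setting.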