oath-toolkit-help

Re: [OATH-Toolkit-help] totp pam and try_first_pass or use_first_pass


From: Simon Josefsson
Subject: Re: [OATH-Toolkit-help] totp pam and try_first_pass or use_first_pass
Date: Mon, 30 May 2011 13:57:21 +0200
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/23.2 (gnu/linux)

Jens Czyborra <address@hidden> writes:

> Then I get (with digits=6):
>
> [pam_oath.c:pam_sm_authenticate(168)] get password returned: 123456xyzabc_
> [pam_oath.c:pam_sm_authenticate(274)] Password: 123456x 
> [pam_oath.c:pam_sm_authenticate(292)] OTP: 

Sorry I was wrong -- you should enter xyzabc_123456.

It seems like a bug that 'OTP:' value is empty, it should contain 123456
and it is no surprise that you get that error when the parsing has
failed.

Which version and which architecture are you using?

Can you rebuild with --enable-root-tests and run 'make check' as root to
run the internal self tests?  And post the output of that run, if it fails.

/Simon

> The module cuts the last 6 digits (where normally the OTP is) but I do not
> paste it in the right place afterwards.

> On Monday, 30 May 2011, 11:32:37, Simon Josefsson wrote:
>> Jens Czyborra <address@hidden> writes:
>> > Example:
>> > 
>> > in /etc/pam.d/sudo:
>> > 
>> > auth            required        pam_unix.so
>> > auth            sufficient      pam_oath.so     usersfile=/etc/users.oath digits=6 try_first_pass debug
>> > 
>> > By testing the login by the unix pass everything works well.
>> 
>> > By testing with the otp (xyzabc_ is the password and 123456 is the otp) I get:
>> Hi Jens!  Welcome to the list.
>> 
>> Try reversing the order of password and PIN -- i.e., type
>> '123456xyzabc_' instead of 'xyzabc_123456'.  If it is important for you
>> to type the password first and the PIN next, it should be possible to
>> add a flag for the PAM module to modify this behaviour.
>> 
>> /Simon
>> 
>> > ~]$ sudo su
>> > Passwort:
>> > [pam_oath.c:parse_cfg(118)] called.
>> > [pam_oath.c:parse_cfg(119)] flags 32768 argc 4
>> > [pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
>> > [pam_oath.c:parse_cfg(121)] argv[1]=digits=6
>> > [pam_oath.c:parse_cfg(121)] argv[2]=use_first_pass
>> > [pam_oath.c:parse_cfg(121)] argv[3]=debug
>> > [pam_oath.c:parse_cfg(122)] debug=1
>> > [pam_oath.c:parse_cfg(123)] alwaysok=0
>> > [pam_oath.c:parse_cfg(124)] try_first_pass=0
>> > [pam_oath.c:parse_cfg(125)] use_first_pass=1
>> > [pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
>> > [pam_oath.c:parse_cfg(127)] digits=6
>> > [pam_oath.c:parse_cfg(128)] window=5
>> > [pam_oath.c:pam_sm_authenticate(157)] get user returned: jens
>> > [pam_oath.c:pam_sm_authenticate(168)] get password returned: xyzabc_123456
>> > [pam_oath.c:pam_sm_authenticate(274)] Password: xyzabc_
>> > [pam_oath.c:pam_sm_authenticate(292)] OTP:
>> > [pam_oath.c:pam_sm_authenticate(305)] authenticate rc -2 (OATH_INVALID_DIGITS: Unsupported number of OTP digits) last otp Mon May 30 01:00:38 2011
>> > 
>> > [pam_oath.c:pam_sm_authenticate(311)] One-time password not authorized to login as user 'jens'
>> > [pam_oath.c:pam_sm_authenticate(327)] done. [Fehler bei Authentifizierung]
>> > Sorry, try again.
>> > Passwort:
>> > 
>> > 
>> > The same with use_first_pass.
>> > 
>> > Without both try_first_pass and use_first_pass it works, but I'm asked
>> > first for the unix pass and second for the otp if unix fails.
>> > 
>> > ???????
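
Added example, not part of the original thread and not code from pam_oath.c: one way to split a stacked token as the thread describes (password first, OTP in the last `digits` characters), rejecting a non-numeric suffix instead of handing an empty OTP to validation. The function name `split_first_pass` and its caller-supplied-buffer signature are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not taken from pam_oath.c. Splits a stacked PAM
 * token of the form <password><otp>, where the OTP is the last `digits`
 * characters. Returns 0 on success, -1 if the token cannot be split into
 * a password and a purely numeric OTP of the configured length.
 * Buffers are caller-supplied; nothing is allocated. */
int split_first_pass(const char *token, size_t digits,
                     char *password, size_t password_size,
                     char *otp, size_t otp_size)
{
    size_t len, prefix_len, i;

    if (token == NULL || password == NULL || otp == NULL)
        return -1;
    if (digits == 0 || otp_size < digits + 1)
        return -1;

    len = strlen(token);
    if (len < digits)               /* too short to contain an OTP */
        return -1;

    prefix_len = len - digits;
    if (password_size < prefix_len + 1)
        return -1;

    /* Reject early when the suffix is not numeric, for example when the
     * OTP was typed before the password ("123456xyzabc_"). */
    for (i = 0; i < digits; i++)
        if (!isdigit((unsigned char) token[prefix_len + i]))
            return -1;

    memcpy(password, token, prefix_len);
    password[prefix_len] = '\0';
    memcpy(otp, token + prefix_len, digits);
    otp[digits] = '\0';
    return 0;
}
```

Failing closed on a malformed suffix gives a clearer diagnostic than the `OATH_INVALID_DIGITS` error that appears in the log above when the OTP value is empty.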


