
I am attempting to implement Yubikey auth via SSH. I've edited my /etc/pam.d/sshd file as follows, and it seems to work while connecting locally (ssh user@localhost):

#%PAM-1.0
auth       required pam_yubico.so id=20682 authfile=/etc/yubikey_mappings debug trace
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

However, when I try to connect from a remote machine, it does not prompt me for my key. What is the likely issue?

Sudowned
  • Are you using ssh key or GSSAPI/krb5 authentication, by any chance? Those authentication methods completely bypass the `auth` stack of PAM. – Andrew B Apr 30 '15 at 06:41
  • @AndrewB Ergh, I am. Now that I'm googling "PAM with SSH key" I'm seeing a hojillion folks with this problem. Hooray for asking the wrong questions. Thanks for the intel. – Sudowned Apr 30 '15 at 13:21

1 Answer


The general logic is that a PAM-enabled program handling shell logins will hit the auth, account, and session stacks in sequence, but a program can simply skip over any of these if it handles one or more of those functions with its own implementation.

sshd supports a few modes of authentication that cannot be delegated to PAM, because they rely on methods that do not fall within the scope of password or challenge-response negotiation. These are typically key or ticket based: ssh keys, GSSAPI/krb5, etc.

Andrew B
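To make the answer's point checkable on a real host, here is an added example (not code from the question or the answer) that reads an sshd_config, works out which authentication methods are enabled, and reports whether sshd will run the PAM `auth` stack for each one. It assumes OpenSSH's first-match rule for configuration keywords and the keyword names of that era (`ChallengeResponseAuthentication` for keyboard-interactive); the embedded sshd_config excerpt is constructed for the example.

```shell
#!/bin/sh
# Added example: classify enabled sshd authentication methods by whether the
# PAM "auth" stack (and therefore pam_yubico.so) is consulted for them.

# Constructed sshd_config excerpt for the example, not taken from any real host.
SAMPLE_SSHD_CONFIG='
# constructed sshd_config excerpt
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
'

# sshd_value CONFIG_TEXT KEYWORD DEFAULT
# Prints the effective value of KEYWORD (lower-cased). sshd uses the first
# occurrence of a keyword, so "head -n 1" mirrors that rule; DEFAULT applies
# when the keyword is absent.
sshd_value() {
    val=$(printf '%s\n' "$1" \
        | grep -iE "^[[:space:]]*$2[[:space:]]+" \
        | head -n 1 \
        | awk '{print tolower($2)}')
    printf '%s\n' "${val:-$3}"
}

# pam_auth_coverage CONFIG_TEXT
# Prints one line per enabled method: "<method> pam_auth=yes|no".
# publickey and gssapi-with-mic never enter the PAM auth stack; password and
# keyboard-interactive do only when UsePAM is yes (otherwise sshd checks the
# password itself and keyboard-interactive has no PAM conversation to drive).
pam_auth_coverage() {
    cfg=$1
    usepam=$(sshd_value "$cfg" UsePAM no)
    # Each entry: method:keyword:sshd-default:pam-auth-consulted
    for entry in \
        "publickey:PubkeyAuthentication:yes:no" \
        "gssapi-with-mic:GSSAPIAuthentication:no:no" \
        "password:PasswordAuthentication:yes:$usepam" \
        "keyboard-interactive:ChallengeResponseAuthentication:yes:$usepam"
    do
        method=${entry%%:*};  rest=${entry#*:}
        keyword=${rest%%:*};  rest=${rest#*:}
        default=${rest%%:*};  pam=${rest#*:}
        enabled=$(sshd_value "$cfg" "$keyword" "$default")
        [ "$enabled" = yes ] || continue
        printf '%s pam_auth=%s\n' "$method" "$pam"
    done
}

# Stand-alone run over the constructed excerpt; on a real host pass
# "$(cat /etc/ssh/sshd_config)" instead.
pam_auth_coverage "$SAMPLE_SSHD_CONFIG"
```

For the constructed excerpt the report is `publickey pam_auth=no`, `gssapi-with-mic pam_auth=no` and `keyboard-interactive pam_auth=yes`: exactly the situation in the question, where a remote client offering a key is accepted without ever reaching pam_yubico.so, while a local login that falls through to keyboard-interactive does get the prompt. Any enabled method listed with `pam_auth=no` is a path around the PAM configuration, so that is where to look rather than at /etc/pam.d/sshd.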