[Poldi] PAM authentication error "failed to verify challenge"
Syl
syl-gnupg at sylops.com
Fri Feb 2 17:31:06 CET 2018
Hi there,
I'm the proud owner of a Nitrokey Pro OpenPGP card that works fine for
encryption and SSH authentication. I'd love to use it for sudo/login
operations as well, but I've had no luck so far in setting up Poldi for
PAM authentication.
Would you please let me know what I missed, or maybe how I could further
investigate?
Here is what I did:
* My card contains 4096-bit encryption, signing and authentication
subkeys.
* I'm using GnuPG v2.1.15 on a regular Ubuntu 17.10 desktop.
* Poldi was installed via the Ubuntu 17.10 "libpam-poldi" package.
* I've associated the card Application ID with my system username
within "/etc/poldi/localdb/users".
* I've exported my public authentication subkey in a file named after
the card Application ID within "/etc/poldi/localdb/keys/". Since
"poldi-ctrl" is no longer available, and 'gpg-connect-agent
"/datafile <app_id>" "SCD READKEY --advanced OPENPGP.3" "/bye"'
would only yield "ERR 100663414 Invalid ID <SCD>", I've been using
"gpg --export | openpgp2ssh <auth_subkey_fp> | ssh-conv | sexp-conv
--syntax=hex" to produce the appropriate format, i.e. "(public-key
(rsa-pkcs1-sha1 (n #00e2 ... 7#) (e #010001#)))".
* I've replaced "@include common-auth" with "auth sufficient
pam_poldi.so" in "/etc/pam.d/sudo".
And this is where I stand:
* "sudo ls" is unsuccessful, though the card LED lights up (and the
PIN is correct):
Insert authentication card for user `syl'
Trying authentication as user `syl'...
Please enter the PIN
Sorry, try again.
Insert authentication card for user `syl'
Trying authentication as user `syl'...
Sorry, try again.
Insert authentication card for user `syl'
Trying authentication as user `syl'...
sudo: 3 incorrect password attempts
* "/var/log/poldi.log" doesn't give many details (card serial number
edited by me):
Poldi 2018-02-02 17:19:53 [23950] debug: using authentication method `localdb'
Poldi 2018-02-02 17:19:54 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
Poldi 2018-02-02 17:19:56 [23950] debug: Waiting for card for user `syl'...
Poldi 2018-02-02 17:19:58 [23950] debug: connected to card; serial number is: D...0
Poldi 2018-02-02 17:19:58 [23950] debug: Trying authentication as user `syl'...
Poldi 2018-02-02 17:20:06 [23950] error: failed to verify challenge
Poldi 2018-02-02 17:20:06 [23950] error: authentication failed: General error
Poldi 2018-02-02 17:20:06 [23950] debug: using authentication method `localdb'
Poldi 2018-02-02 17:20:06 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
Poldi 2018-02-02 17:20:06 [23950] debug: Waiting for card for user `syl'...
Poldi 2018-02-02 17:20:06 [23950] debug: connected to card; serial number is: D...0
Poldi 2018-02-02 17:20:06 [23950] debug: Trying authentication as user `syl'...
Poldi 2018-02-02 17:20:10 [23950] error: failed to verify challenge
Poldi 2018-02-02 17:20:10 [23950] error: authentication failed: General error
Poldi 2018-02-02 17:20:10 [23950] debug: using authentication method `localdb'
Poldi 2018-02-02 17:20:10 [23950] debug: got scdaemon socket name from gpg-agent, connected to socket '/run/user/1000/gnupg/S.scdaemon'
Poldi 2018-02-02 17:20:10 [23950] debug: Waiting for card for user `syl'...
Poldi 2018-02-02 17:20:10 [23950] debug: connected to card; serial number is: D...0
Poldi 2018-02-02 17:20:10 [23950] debug: Trying authentication as user `syl'...
Poldi 2018-02-02 17:20:13 [23950] error: failed to verify challenge
Poldi 2018-02-02 17:20:13 [23950] error: authentication failed: General error
* For the record, "/etc/poldi/poldi.conf" reads as follows:
auth-method localdb
log-file /var/log/poldi.log
debug
Thanks in advance for your help, best regards,
--Syl
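A sanity check worth running before blaming PAM, added here as an example that is not part of the original post, of Poldi, or of GnuPG: parse the S-expression key file that Poldi reads from "/etc/poldi/localdb/keys/<app_id>", rebuild the ssh-rsa wire encoding from its n and e, and compute the SHA256 fingerprint so it can be compared with what "ssh-add -l" reports for the card's authentication key through gpg-agent (the post says SSH authentication with the card already works, so that listing is available). The key text below is constructed with a toy-sized modulus; the function names are this example's own.

```python
import base64
import hashlib
import re
import struct

# Constructed sample of a Poldi localdb key file in the advanced S-expression
# form quoted in the post; the toy 72-bit modulus keeps the expected bytes
# checkable by hand (a real card key is 4096 bit).
SAMPLE_KEY_FILE = """(public-key
 (rsa-pkcs1-sha1
  (n #d00dfeed00c0ffee01#)
  (e #010001#)))"""

_PARAM = re.compile(r"\(\s*([ne])\s*#([0-9a-fA-F\s]+)#\s*\)")

def parse_localdb_key(text):
    """Return (n, e) as ints from the '(n #..#)' and '(e #..#)' tokens.
    Whitespace inside the hex is ignored, so a wrapped file still parses."""
    found = {name: int(re.sub(r"\s", "", hexval), 16)
             for name, hexval in _PARAM.findall(text)}
    missing = {"n", "e"} - set(found)
    if missing:
        raise ValueError("key file lacks: " + ", ".join(sorted(missing)))
    return found["n"], found["e"]

def ssh_mpint(value):
    """RFC 4251 mpint: 4-byte length, big-endian minimal magnitude, with an
    extra leading 0x00 when the top bit is set (value must be >= 0)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def ssh_rsa_blob(n, e):
    """Wire form of an ssh-rsa public key: string 'ssh-rsa', mpint e, mpint n."""
    return struct.pack(">I", 7) + b"ssh-rsa" + ssh_mpint(e) + ssh_mpint(n)

def sha256_fingerprint(blob):
    """'SHA256:<unpadded base64>' as printed by ssh-add -l / ssh-keygen -lf."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def localdb_key_fingerprint(text):
    """Fingerprint of the RSA key a localdb file describes."""
    n, e = parse_localdb_key(text)
    return sha256_fingerprint(ssh_rsa_blob(n, e))

def matches_card_key(text, fingerprint_from_ssh_add):
    """True when the localdb file holds the same RSA key that ssh-add -l
    reports for the card's authentication slot through gpg-agent."""
    return localdb_key_fingerprint(text) == fingerprint_from_ssh_add.strip()
```

If the fingerprints differ, the exported key is not the one the card signs the challenge with, and "failed to verify challenge" is expected regardless of PAM configuration.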