Environment: FreeBSD 9.0 x64, oath-toolkit 1.10.5 installed from ports

I have an interesting problem that I just can't seem to solve. I've installed oath-toolkit, configured the root user for TOTP (HOTP/T30) and tested it with su and sshd. Everything works perfectly. I then added another user to the users.oath file, and after that neither the new user nor the original user works anymore.

The file:

HOTP/T30 root - 29138c70c2e3082a7878f3e5b110d3715299e8a0 1 448947 2012-03-18T11:20:19L
HOTP/T30 nisse - 00

The debug output:

[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 2
[pam_oath.c:parse_cfg(121)] argv[0]=debug
[pam_oath.c:parse_cfg(121)] argv[1]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=5
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
One-time password (OATH) for `root':
[pam_oath.c:pam_sm_authenticate(232)] conv returned: 831601
[pam_oath.c:pam_sm_authenticate(292)] OTP: 831601
[pam_oath.c:pam_sm_authenticate(305)] authenticate rc -3 (OATH_PRINTF_ERROR: Error from system printf call) last otp Sun Mar 18 11:15:07 2012
[pam_oath.c:pam_sm_authenticate(311)] One-time password not authorized to login as user 'root'
[pam_oath.c:pam_sm_authenticate(327)] done. [authentication error]
su: Sorry

The users.oath file does get updated with the used OTP and a date stamp regardless of the auth error. Even more interesting, if I try to log in as my second user "nisse", that user gets deleted from the users.oath file and only the first line of the file remains. At that point I can authenticate as root again.

I tried changing the rights on the users.oath file just to see if that made any difference, and I noticed that the rights always change back to 600 when the file gets updated:

-rw------- 1 root wheel 107 Mar 18 11:20 users.oath

I was concerned that it had something to do with the rights on /etc, so I tried to move the file to another folder with full (777) rights, but the result was exactly the same.
