Hello oath-toolkit-help,

I am trying to use pam_oath.so on Debian 10 for SSH access:

    ii  liboath0        2.6.1-1.3           amd64  OATH Toolkit Liboath library
    ii  libpam-oath     2.6.1-1.3           amd64  OATH Toolkit libpam_oath PAM module
    ii  oathtool        2.6.1-1.3           amd64  OATH Toolkit oathtool command line tool
    ii  openssh-server  1:7.9p1-10+deb10u2  amd64  secure shell (SSH) server, for secure access from remote machines

/etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes
    match group sudo
    PubkeyAuthentication yes
    PasswordAuthentication yes
    AuthenticationMethods keyboard-interactive

Prepended to /etc/pam.d/ssh:

    auth sufficient pam_oath.so debug usersfile=/etc/users.oauth window=10 digits=6 verbose=1
    #auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so debug usersfile=/etc/users.oauth window=10 digits=6

/etc/users.oath:

    HOTP felix - 00

(this user is in the sudo group)

I am using a zero key, because according to the documentation [1], this
causes the first OTP to be 328482 (for simplicity, no FreeOTP/authenticator
involved).

[1] https://www.nongnu.org/oath-toolkit/pam_oath.html

Despite the debug flag for pam_oath.so, the only thing I see in
/var/log/auth.log is this:

    May 16 19:46:36 delllaptop sshd[1380]: error: PAM: Authentication failure for felix from 192.168.178.21
    May 16 19:46:37 delllaptop sshd[1380]: error: PAM: Authentication failure for felix from 192.168.178.21
    May 16 19:46:38 delllaptop sshd[1380]: error: PAM: Authentication failure for felix from 192.168.178.21

/var/log/debug contains mostly kernel and no PAM messages.

There is also no PAM[-oath] logging on the client (I entered "328482" 3x):

    $ ssh dellnotebook
    One-time password (OATH) for `felix':
    One-time password (OATH) for `felix':
    One-time password (OATH) for `felix':
    felix@dellnotebook: Permission denied (keyboard-interactive).

So how can I configure debug logging to find out what the problem is?

Many Thanks!
Best Regards,
--
Felix Natter
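An offline consistency check for the setup quoted above, added here as an example and not part of the original message or of OATH Toolkit: it reads the pam_oath.so line, confirms that the `usersfile=` path it names exists, and derives the HOTP values for the configured key. The function names are hypothetical, an in-memory dict stands in for the filesystem, and the entry is assumed fresh (counter 0).

```python
import hashlib
import hmac
import struct

def hotp(key_hex, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1) for a hex-encoded key."""
    mac = hmac.new(bytes.fromhex(key_hex), struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def pam_oath_options(line):
    """Options of an active pam_oath.so line, or None for other/commented lines."""
    fields = line.split("#", 1)[0].split()
    if "pam_oath.so" not in fields:
        return None
    opts = [f.partition("=") for f in fields[fields.index("pam_oath.so") + 1:]]
    return {name: value for name, _, value in opts}

def check(pam_text, files, user):
    """Return (findings, otps): config problems and OTPs for the first counters.

    `files` maps path -> content and stands in for the real filesystem.
    Assumes a fresh usersfile entry, i.e. the HOTP counter starts at 0.
    """
    findings, otps = [], []
    for line in pam_text.splitlines():
        opts = pam_oath_options(line)
        if opts is None:
            continue
        path = opts.get("usersfile")
        if path not in files:
            findings.append(f"usersfile {path} does not exist")
            continue
        for entry in files[path].splitlines():
            cols = entry.split()  # token type, user, PIN ("-" = none), hex key
            if len(cols) >= 4 and cols[0].startswith("HOTP") and cols[1] == user:
                # Fallback values are this example's own, not pam_oath defaults.
                digits, window = int(opts.get("digits", 6)), int(opts.get("window", 1))
                otps = [hotp(cols[3], c, digits) for c in range(window)]
                break
        else:
            findings.append(f"no HOTP entry for {user} in {path}")
    return findings, otps

# Constructed from the values quoted in the message above.
PAM = ("auth sufficient pam_oath.so debug usersfile=/etc/users.oauth window=10 digits=6 verbose=1\n"
       "#auth [success=ok new_authtok_reqd=ok default=die] pam_oath.so debug usersfile=/etc/users.oauth")
FILES = {"/etc/users.oath": "HOTP felix - 00\n"}

if __name__ == "__main__":
    print(check(PAM, FILES, "felix"))
    print(check(PAM.replace("users.oauth", "users.oath"), FILES, "felix"))
```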
