libpam-yubico ykclient call fails to parse urllist parameter
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
yubico-pam (Ubuntu) | New | Undecided | Unassigned |
Bug Description
System version: Ubuntu 14.04.5 LTS
yubico-pam version: 2.14-1
libykclient3 version: 2.12-1
Calling the pam_yubico.so PAM module as delivered by the package yubico-pam 2.14-1 fails if the Yubikey OTP servers are supplied using the urllist parameter instead of the url parameter, which nulls the option of having a failover in case the first server fails. Works on 16.04.
It is highly likely the bug is in the libykclient package since this is where the connection occurs.
Using strace to analyze connections using url vs. urllist it would seem the urllist parameter is not recognized at all inasmuch as the connection is directed towards the central Yubico authentication servers.
Building pam-yubico and ykclient-c linked to updated 14.04 packages from source according to Yubico doc renders a PAM module that works with urllist on 14.04.
Here is the sanitized PAM config line used:
auth [success=1 default=die] pam_yubico.so mode=client id=1 key=<tested and works elsewhere> urllist=http://
Specify if you require trace files; the interesting bits (connections) are as specified above.
The urllist parameter was added in version 2.15.
There is a Yubico PPA at https://launchpad.net/~yubico/+archive/ubuntu/stable that contains recent builds for all supported versions of Ubuntu.
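A check an administrator could run for the situation in this report, as an added example (not code from the reporter, Ubuntu or Yubico): it flags active pam_yubico.so lines that use urllist= when the module version is below 2.15, the release the reply names. The sample PAM file, host names and function names are constructed; on a real host the version string could come from `dpkg-query -W -f='${Version}' libpam-yubico`.

```shell
#!/bin/sh
# Added example: flag pam_yubico lines whose urllist= a pre-2.15 module ignores.

MIN_URLLIST_VERSION=2.15   # from the reply above: urllist was added in 2.15

# version_lt A B: succeed when dotted numeric version A is lower than B.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# urllist_lines FILE: print active (uncommented) pam_yubico.so lines using urllist=.
urllist_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_yubico\.so' | grep '[[:space:]]urllist='
}

# check_urllist PKG_VERSION FILE: return 1 when FILE relies on urllist= but the
# module is older than 2.15; return 0 otherwise.
check_urllist() {
    upstream=${1#*:}            # drop an epoch, if any
    upstream=${upstream%%-*}    # "2.14-1" -> "2.14" (drop the Debian revision)
    hits=$(urllist_lines "$2") || return 0   # no urllist= in use
    if version_lt "$upstream" "$MIN_URLLIST_VERSION"; then
        echo "WARNING: pam_yubico $1 predates $MIN_URLLIST_VERSION; urllist= is ignored in:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Constructed sample PAM file (hosts and key are placeholders).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# auth required pam_yubico.so mode=client id=1 urllist=http://old.example.internal/verify
auth [success=1 default=die] pam_yubico.so mode=client id=1 key=PLACEHOLDER urllist=http://otp1.example.internal/wsapi/2.0/verify;http://otp2.example.internal/wsapi/2.0/verify
EOF

check_urllist "2.14-1" "$sample" || echo "2.14-1: urllist not honoured"
check_urllist "2.15-1" "$sample" && echo "2.15-1: OK"
```

A warning here means validation requests may be going to a server other than the ones listed, as the strace observation in the report describes, so the failover the configuration expects is not in effect.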