A customer has integrated VIP EG with PAM (Pluggable Authentication Modules) on the AIX 6.1 SP2 platform. Authentication using the vsradiusclient tool succeeds; however, PAM authentication returns the following error message:
error sshd[10223772]: ERROR: pam_vrsn_otp: validateOTP returns err (validateOTP: Failed to invoke 'authenticate' [18517]:(Provider [VSRadiusClient] failed to invoke authentication request [-3] with error. Details [recvfrom [162.114.82.23] failed on socket 8. Detailed reason: [11, Resource temporarily unavailable]]) )
The PAM module times out during authentication.
The timeout parameter can be increased by following the instructions in the Integration document, page 22, under the section Configuration for RADIUS Communication. The steps are as follows:
Modify the entries in the RADIUS configuration file at /etc/raddb/vrsn_otp. (You must create the file if it does not exist.) Enter the correct RADIUS host name or host IP, port number, encrypted shared secret, and (optionally) the timeout and retry values used by the local machine. For example, a line in the configuration file reads as follows:
For linux, linux_x86-64, and solaris: vipeg_server_ip:port <camouflaged_password> 5 3
For HP-UX and AIX: vipeg_server_ip:port <camouflaged_password> 5 3 local_ip
vipeg_server_ip:port is the IP address and port number of the validation service (RADIUS server) to which the VIP integration module for PAM connects.
<camouflaged_password> is the encrypted version of the RADIUS shared secret obtained in the previous step.
5 is the timeout in seconds: how long the module waits before deciding that the server has failed to respond.
3 is the number of retries. A retry value is the number of times the module attempts to connect to the server (in conjunction with timeout) until deciding that the server has failed to respond. This parameter is a Symantec-unique addition to the standard RADIUS configuration.
(Optional) local_ip is the IP address of the local machine from which the RADIUS server is reachable, in case there are multiple NICs on the machine.
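
The following is an added example, not part of the Symantec documentation: a POSIX sh/awk check that validates each entry in the format described above and reports the wait budget without printing the shared secret. The function name check_vrsn_otp is hypothetical, and the script assumes that timeout and retries must be positive integers and that the worst-case wait is timeout multiplied by retries.

```shell
#!/bin/sh
# Added example: sanity-check entries of the form
#   host:port <camouflaged_password> timeout retries [local_ip]
# check_vrsn_otp [FILE] reads FILE (or stdin), prints one result per entry,
# and returns non-zero if any entry is malformed. Field 2 (the camouflaged
# shared secret) is never echoed, so the output is safe to paste into a ticket.
check_vrsn_otp() {
    awk '
    function is_uint(s) { return s ~ /^[0-9]+$/ }
    function bad(msg)   { printf "line %d: ERROR %s\n", NR, msg; rc = 1 }
    NF == 0 { next }                          # skip blank lines
    {
        n = split($1, hp, ":")
        if (NF < 4 || NF > 5) { bad("expected 4 or 5 fields, got " NF); next }
        if (n != 2 || hp[1] == "" || !is_uint(hp[2]) ||
            hp[2] + 0 < 1 || hp[2] + 0 > 65535) {
            bad("server must be host:port"); next
        }
        # Assumption: both values must be positive integers.
        if (!is_uint($3) || $3 + 0 < 1) { bad("timeout must be a positive integer"); next }
        if (!is_uint($4) || $4 + 0 < 1) { bad("retries must be a positive integer"); next }
        # Assumption: worst-case wait is roughly timeout * retries.
        printf "line %d: OK server=%s timeout=%ss retries=%s max_wait=%ss%s\n",
               NR, $1, $3, $4, $3 * $4, (NF == 5 ? " local_ip=" $5 : "")
    }
    END { exit rc + 0 }
    ' "$@"
}

# Constructed sample input: documentation addresses and a placeholder secret.
# The first entry raises the timeout to 10; the second is missing the port.
check_vrsn_otp <<'EOF' || echo "fix the entries flagged above"
192.0.2.10:1812 CAMOUFLAGED_PLACEHOLDER 10 3 192.0.2.20
192.0.2.10 CAMOUFLAGED_PLACEHOLDER 5 3
EOF
```

Run it against the real file with check_vrsn_otp /etc/raddb/vrsn_otp after editing the timeout and retry values.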