I’ve enrolled a Yubikey with:
privacyidea -U https://athene.jochen.org -a jochen@admin token yubikey_mass_enroll --yubimode YUBICO --yubislot 1 --description "Test" --yubiprefixrandom 6
If I don’t use 6 as the random length I get something like the following
in pam_yubico debug:
[pam_yubico.c:pam_sm_authenticate(816)] pam_yubico version: 2.21
[pam_yubico.c:pam_sm_authenticate(831)] get user returned: jochen
YubiKey for `jochen': <string_with_32_characters>
[pam_yubico.c:pam_sm_authenticate(982)] conv returned 32 bytes
[pam_yubico.c:pam_sm_authenticate(990)] OTP too short to be considered : 32 < 44
[pam_yubico.c:pam_sm_authenticate(1106)] done. [Legitimierungsfehler]
So, now I have a yubikey that emits 44 characters:
[pam_yubico.c:pam_sm_authenticate(982)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(1000)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(1007)] OTP: delnifbevfti<string_with_32_characters> ID: delnifbevfti
[pam_yubico.c:pam_sm_authenticate(1037)] ykclient return value (101): Could not parse server response
[pam_yubico.c:pam_sm_authenticate(1038)] ykclient url used: https://athene.jochen.org/ttype/yubikey?id=23453&nonce=npnyufcbmsjidzyblwxatvgseikwnwuc&otp=delnifbevfti<string_with_32_characters>&timestamp=1
[pam_yubico.c:pam_sm_authenticate(1106)] done. [Legitimierungsdienst kann Legitimierungsinformationen nicht abrufen]
If I enter the URL in my browser I get:
{"nonce": "npnyufcbmsjidzyblwxatvgseikwnwuc", "jsonrpc": "2.0",
"signature":
"2542069859411243772936126744287249038228704735354594223227328749181486050834182923042812179590621538709337025319287646014339074313521543246808634509942681278261020756540501234149389725629963403589033487567250216361296681378023451148145372527041540701064149893610078471976103440519739964198590051832872818449021674100520637117851374273331687080733185527765756869162886904491797808214215711678741801753625349631296964269490063864546106500927621828795710510199973178717250459732315975750477429718128228442851198357848343270360538224457238859817994492798306478373925032289564954657105562532132054777009587651153962260706",
"detail": null, "version": "privacyIDEA 2.10.2", "result": {"status":
false, "error": {"message": "(OperationalError) (1267, "Illegal mix of
collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE)
for operation '='") 'SELECT token.id AS token_id, token.description AS
token_description, token.serial AS token_serial, token.tokentype AS
token_tokentype, token.user_pin AS token_user_pin, token.user_pin_iv AS
token_user_pin_iv, token.so_pin AS token_so_pin, token.so_pin_iv AS
token_so_pin_iv, token.resolver AS token_resolver, token.resolver_type
AS token_resolver_type, token.user_id AS token_user_id, token.pin_seed
AS token_pin_seed, token.otplen AS token_otplen, token.pin_hash AS
token_pin_hash, token.key_enc AS token_key_enc, token.key_iv AS
token_key_iv, token.maxfail AS token_maxfail, token.active AS
token_active, token.revoked AS token_revoked, token.locked AS
token_locked, token.failcount AS token_failcount, token.count AS
token_count, token.count_window AS token_count_window, token.sync_window
AS token_sync_window, token.rollout_state AS token_rollout_state \nFROM
token \nWHERE token.serial = %s' ('UBAM#\xabt\x13\xf4\xd7',)",
"code": -500}}, "time": 1457267927.363808, "id": 1}
So privacy looks for an UBAM token (which I created above), but there is
no token with that hex serial number. The only UBAM token I have is:
mysql> select id, serial, tokentype, otplen from token where serial like 'UBAM%';
+----+----------------+-----------+--------+
| id | serial         | tokentype | otplen |
+----+----------------+-----------+--------+
| 45 | UBAM04017813_1 | yubikey   |     44 |
+----+----------------+-----------+--------+
1 row in set (0.00 sec)
The error message pointed me to
http://airbladesoftware.com/notes/fixing-mysql-illegal-mix-of-collations/
On my system I have:
mysql> show variables like 'char%';
+--------------------------+----------------------------+
| Variable_name            | Value                      |
+--------------------------+----------------------------+
| character_set_client     | utf8                       |
| character_set_connection | utf8                       |
| character_set_database   | latin1                     |
| character_set_filesystem | binary                     |
| character_set_results    | utf8                       |
| character_set_server     | latin1                     |
| character_set_system     | utf8                       |
| character_sets_dir       | /usr/share/mysql/charsets/ |
+--------------------------+----------------------------+
8 rows in set (0.00 sec)
and "show table status \G" has Collation: latin1_swedish_ci
for the tables.
Should we use something like the following in /etc/mysql/my.cnf?
[mysqld]
# MySQL 5.5.3+
character-set-server=utf8
collation-server=utf8_general_ci
The mysql configuration might be wrong or just old-fashioned, but I
guess the error is in privacyidea, where we use
'UBAM#\xabt\x13\xf4\xd7' as the serial number. Any idea where I
should look for more hints before I fight against mysql character sets?
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
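
Added example (not part of the original post, and not privacyIDEA or pam_yubico code): it splits an entered string the way the pam_yubico debug lines above describe and modhex-decodes the 12-character public ID. Decoding delnifbevfti gives exactly the bytes that follow UBAM in the failing query. That the lookup value is "UBAM" plus the decoded bytes is an assumption drawn from that match, and the function names and the 32-character OTP part of the sample are constructed.

```python
# Added example, not privacyIDEA or pam_yubico source code.
MODHEX = "cbdefghijklnrtuv"  # modhex character at index i encodes hex nibble i
ID_LEN = 12                  # "token_id set to 12" in the debug log
OTP_LEN = 32                 # "token OTP always 32" in the debug log


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (two characters per byte) to raw bytes."""
    if len(text) % 2:
        raise ValueError("modhex input must have an even length")
    nibbles = []
    for ch in text:
        if ch not in MODHEX:
            raise ValueError(f"not a modhex character: {ch!r}")
        nibbles.append(MODHEX.index(ch))
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(entered: str):
    """Split input as the log describes: (password, public ID, OTP part)."""
    minimum = ID_LEN + OTP_LEN
    if len(entered) < minimum:
        raise ValueError(
            f"OTP too short to be considered : {len(entered)} < {minimum}")
    skip = len(entered) - minimum  # "Skipping first N bytes"
    return (entered[:skip],
            entered[skip:skip + ID_LEN],
            entered[skip + ID_LEN:])


def serial_from_public_id(public_id: str, prefix: bytes = b"UBAM") -> bytes:
    """Assumption: lookup value = prefix + modhex-decoded public ID."""
    return prefix + modhex_decode(public_id)


# Constructed input: the public ID from the post plus a made-up OTP part.
SAMPLE = "delnifbevfti" + "cbdefghijklnrtuv" * 2
ENROLLED_SERIAL = b"UBAM04017813_1"  # the only UBAM row in the token table

if __name__ == "__main__":
    _, public_id, _ = split_otp(SAMPLE)
    derived = serial_from_public_id(public_id)
    print("derived :", derived)
    print("enrolled:", ENROLLED_SERIAL)
    print("match   :", derived == ENROLLED_SERIAL)
```

The derived value contains non-printable bytes and cannot equal the enrolled serial, so the lookup would find no token even if the collation error were resolved.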