Success on Debian, note on file-rights.

ChallengeResponse-(on-Mac-OS-X).md

@@ -76,4 +76,10 @@ as the first line. The whole file might look something like this (example taken
 
 If we wanted to require successful challenge-response authentication in addition to the usual password, we can change the `sufficient` in the line we added to `required`.
 
-**Note**: In theory you can configure pretty much any service you use locally to use challenge-response authentication. In practice, I had problems configuring challenge-response into the login window of OS X. Keep a rescue disk available when attempting such configurations, just in case something goes wrong and you need to restore the PAM configuration to an old state.
+**Note**: In theory you can configure pretty much any service you use locally to use challenge-response authentication. In practice, I had problems configuring challenge-response into the login window of OS X. Keep a rescue disk available when attempting such configurations, just in case something goes wrong and you need to restore the PAM configuration to an old state.
+
+**Note #2**: On Debian it started working for me after accidentally getting the file-rights correctly. `755` for `~/.yubico` & `600` for the files therein. Otherwise the module can't find, read and/or write to the appropriate files. Your clue is the following debug messages.
+
+    [drop_privs.c:restore_privileges(128)] pam_modutil_drop_priv: -1
+    [pam_yubico.c:do_challenge_response(542)] could not restore privileges
+    [pam_yubico.c:do_challenge_response(664)] Challenge response failed: No such file or directory