Yubikey SHA1 challenge-response doesn't match with the openssl result

16 views
Skip to first unread message

Adrian Rocha

unread,
Dec 10, 2017, 6:45:16 PM12/10/17
to qubes-users
Hi, I am following the proposed configuration for 2 factor authentication from:

https://www.qubes-os.org/doc/yubi-key/

But it isn't working for me. I found that the reason is that the responses from yubikey and from openssl doesn't match.
I used the yubikey personalization GUI to configure the key, this is the configuration:
Challenge-Response: HMAC-SHA1,12/10/17 5:17 PM,2,,,d574183f4b63995b077987f14457ab19f194c710,,,0,0,0,0,0,0,0,0,1,1

But when I manually test it using a random input, the result doesn't match:

Open SSL:
$ echo 56508ce98a10825321744c1e0565706f44bd585081d22ba5261836c45eabf14f92f2956b90fcb4eb058c380b8929518b365e28e926464f68707a6831a2eab8fe | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:d574183f4b63995b077987f14457ab19f194c710 -mac HMAC -r | cut -f1 -d ' '
Result:
48e6c79fcb8f5f0dde68e26d646d2908b22321a1

Yubikey:
$ ykchalresp -2 -x 56508ce98a10825321744c1e0565706f44bd585081d22ba5261836c45eabf14f92f2956b90fcb4eb058c380b8929518b365e28e926464f68707a6831a2eab8fe
Result:
9f7d86c78ccdc232fcbec48e37fe2ac1f3f53a61

I double checked the slot, algorithm used, etc. And I also tried using different keys

Where I am wrong?

Reply all
Reply to author
Forward
0 new messages