yubikey challenge-response


Peter Ihasz

Sep 5, 2016, 3:57:33 PM
to qubes-users
Hi!

Unfortunately, I can't log in with the yubikey and the yubikey linked password.

Here is my config:

1.
yubikey linked password: apple

echo -n "apple" | openssl dgst -sha1
yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940

yubikey-personalization-gui

LOGGING START,9/4/16 9:10 PM
Challenge-Response: HMAC-SHA1,9/4/16 9:10 PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1

usbvm name: sys-usb


2.
in dom0
chmod 755 yubikey-auth
/usr/local/bin/yubikey-auth

#!/bin/sh
# yubikey-auth: run by pam_exec with the slot key (and optionally the SHA-1 of
# the linked password) as arguments; the password itself arrives on stdin
# because of pam_exec's expose_authtok option.

key="$1"

if [ -z "$key" ]; then
    echo "Usage: $0 <AESKEY> [<PASSWORD-HASH>]"
    exit 1
fi

# If a password hash was given, verify the password first
if [ -n "$2" ]; then
    # PAM appends \0 at the end; strip it before hashing
    hash=$(head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' ')
    if [ "x$2" != "x$hash" ]; then
        exit 1
    fi
fi

# 64 random bytes, hex-encoded on a single line
challenge=$(head -c64 /dev/urandom | xxd -c 64 -ps)
# You may need to adjust the slot number (-2) and the USB VM name here
response=$(qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge")

# Expected HMAC-SHA1 of the raw challenge bytes under the slot's key
correct_response=$(echo "$challenge" | xxd -r -ps | openssl dgst -sha1 -macopt "hexkey:$key" -mac HMAC -r | cut -f1 -d ' ')

test "x$correct_response" = "x$response"
exit $?

3.

/etc/pam.d/kscreensaver (KDE desktop environment)

auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d d0be2dc421be4fcd0172e5afceea3970e2f3d940
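The exchange the script above implements, written out as an added example with both sides of the protocol in one place (this is not code from the post or from the Qubes project). The token is simulated: a YubiKey slot in HMAC-SHA1 challenge-response mode answers with the HMAC-SHA1 of the raw challenge under the slot secret, which is what `ykchalresp -2 -x <hex>` returns. The slot key and password hash are the ones from the post; `SimulatedYubiKey`, `yubikey_auth` and the sample inputs are assumptions for the example.

```python
import hmac
import hashlib
import os

# Values copied from the post above: the HMAC-SHA1 secret programmed into
# YubiKey slot 2 and the SHA-1 of the linked password "apple".
SLOT_KEY_HEX = "04c21478245c36861b9f946e0d9388d5ebbb909d"
PASSWORD_HASH_HEX = "d0be2dc421be4fcd0172e5afceea3970e2f3d940"


def hmac_sha1_hex(key_hex: str, data: bytes) -> str:
    """HMAC-SHA1 over data, keyed with the hex-encoded key; this is the
    computation behind `openssl dgst -sha1 -mac HMAC -macopt hexkey:$key`."""
    return hmac.new(bytes.fromhex(key_hex), data, hashlib.sha1).hexdigest()


class SimulatedYubiKey:
    """Stand-in for the token (assumption, not Yubico code): a slot in
    HMAC-SHA1 challenge-response mode answers `ykchalresp -x <hex>` with
    the HMAC of the raw challenge bytes under the slot secret."""

    def __init__(self, slot_key_hex: str):
        self._slot_key_hex = slot_key_hex

    def chalresp(self, challenge_hex: str) -> str:
        return hmac_sha1_hex(self._slot_key_hex, bytes.fromhex(challenge_hex))


def password_hash_ok(pam_authtok: bytes, expected_sha1_hex: str) -> bool:
    """pam_exec with expose_authtok hands the password to the script on stdin
    followed by a NUL byte; the script drops that last byte (`head -c -1`)
    before hashing and compares with the hash given on the command line."""
    actual = hashlib.sha1(pam_authtok[:-1]).hexdigest()
    return hmac.compare_digest(actual, expected_sha1_hex)


def new_challenge_hex() -> str:
    """64 random bytes, hex-encoded, like `head -c64 /dev/urandom | xxd -ps`."""
    return os.urandom(64).hex()


def yubikey_auth(pam_authtok: bytes, slot_key_hex: str,
                 password_hash_hex: str, chalresp) -> int:
    """Verifier (dom0) side of the exchange. Returns the exit code pam_exec
    would see: 0 = success, 1 = failure. `chalresp` plays the role of
    `qvm-run ... sys-usb "ykchalresp -2 -x $challenge"`."""
    if password_hash_hex and not password_hash_ok(pam_authtok, password_hash_hex):
        return 1
    challenge_hex = new_challenge_hex()
    response = chalresp(challenge_hex).strip().lower()
    expected = hmac_sha1_hex(slot_key_hex, bytes.fromhex(challenge_hex))
    # Constant-time comparison; the shell script's `test` is not.
    return 0 if hmac.compare_digest(expected, response) else 1


if __name__ == "__main__":
    token = SimulatedYubiKey(SLOT_KEY_HEX)
    pw = b"apple\x00"  # constructed: what PAM would write to the script's stdin
    print("good token + password:",
          yubikey_auth(pw, SLOT_KEY_HEX, PASSWORD_HASH_HEX, token.chalresp))
    print("wrong password:",
          yubikey_auth(b"banana\x00", SLOT_KEY_HEX, PASSWORD_HASH_HEX, token.chalresp))
    print("token with a different secret:",
          yubikey_auth(pw, SLOT_KEY_HEX, PASSWORD_HASH_HEX,
                       SimulatedYubiKey("00" * 20).chalresp))
```

Because the challenge is fresh random bytes on every call, a captured response is useless for a later attempt; a token programmed with a different secret, or a wrong linked password, both yield exit code 1, which pam_exec reports as a failure exactly as in the journal lines later in this thread.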

Marek Marczykowski-Górecki

Sep 5, 2016, 4:09:33 PM
to Peter Ihasz, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Do you have anything in logs in dom0 (check `sudo journalctl -eb`)?
Do you have ykchalresp installed in the template of sys-usb? It's part of
the ykpers package.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXzdD3AAoJENuP0xzK19csyxwH/1u0FQINHo0Bs7a3uTzfi5Wl
jyoknwt9vA3b0V/AMLKIfz4g7+hoEocbachW+BRNl+KAvHJ4ZcEUzyugHq0F7OO/
mGhi6f4EiF/NPYG8zNwWkvy2MGinCbuTwjI52AzYV5Wb3efk+JUyCRB0VfHgoQtl
SLbRvPavN3h3LkZWdA6OHfQXHyiDJVVM9jikg4bLhFlDc4Jx3XOGB6Ocbj6F2A5X
fWHEDlTvWFvud3U+nln0ALlICwlktEm4Oy99UgYnCt9QXslGW08bzSAAiVXOpKbo
izjvf2F84sT2Vt5D39uGdB4/F8dy+AQS7F9Pi2En5NE4Jm5PZJD9vE3BfnS40Ic=
=QeHk
-----END PGP SIGNATURE-----

Connor Page

Sep 5, 2016, 5:19:16 PM
to qubes-users
Are you trying to log in or unlock? The documentation covers only unlocking the screensaver.

Peter Ihasz

Sep 6, 2016, 1:39:58 PM
to qubes-users, ipet...@gmail.com
`sudo journalctl -eb`

Sep 06 18:33:28 dom0 kcheckpass[7948]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:28 dom0 kcheckpass[7950]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:28 dom0 unix_chkpwd[7952]: password check failed for user (tacsk0)
Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 18:33:28 dom0 kcheckpass[7946]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 18:33:28 dom0 unix_chkpwd[7953]: password check failed for user (tacsk0)
Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 18:33:28 dom0 kcheckpass[7947]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 18:33:33 dom0 kcheckpass[7956]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:33 dom0 kcheckpass[7954]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:33 dom0 kcheckpass[7958]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:33 dom0 kcheckpass[7955]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8

Peter Ihasz

Sep 6, 2016, 3:34:49 PM
to qubes-users, ipet...@gmail.com
The Exec format error has been repaired. I had a blank line at the top of the script before the #! line.

But I have got a new....

Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
Sep 06 20:22:53 dom0 unix_chkpwd[8809]: password check failed for user (tacsk0)
Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 20:22:53 dom0 kcheckpass[8777]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 20:22:53 dom0 unix_chkpwd[8808]: password check failed for user (tacsk0)
Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 20:22:53 dom0 kcheckpass[8776]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
Sep 06 20:22:59 dom0 unix_chkpwd[8846]: password check failed for user (tacsk0)
Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 20:22:59 dom0 kcheckpass[8815]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 20:23:06 dom0 kcheckpass[8847]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 1
Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
Sep 06 20:23:14 dom0 unix_chkpwd[8858]: password check failed for user (tacsk0)
Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
Sep 06 20:23:14 dom0 kcheckpass[8816]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 20:23:17 dom0 sudo[8865]: tacsk0 : TTY=pts/6 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/bin/journalctl -eb
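A check for the failure mode Peter hit above, added here as an example (not code from the post or from Qubes). The kernel only honours a shebang when `#!` are the first two bytes of the file, so a leading blank line makes execve() fail with ENOEXEC, which pam_exec logs as "Exec format error". The function below reads the first line and the mode bits of a candidate pam_exec script and reports anything that would stop it from running; the demo scripts it writes to a temp file are constructed inputs, and the function names are assumptions for the example.

```python
import os
import stat
import tempfile

SHEBANG = b"#!"


def diagnose_pam_exec_script(path: str) -> list:
    """Return a list of problems that would stop pam_exec's execve() from
    running `path`. An empty list means the file starts with a shebang and
    is executable."""
    problems = []
    with open(path, "rb") as f:
        first_line = f.readline()
    if not first_line.startswith(SHEBANG):
        # A blank line, BOM or stray whitespace before "#!" means the kernel
        # sees neither an ELF header nor a shebang: ENOEXEC / Exec format error.
        problems.append(
            "first bytes are %r, not '#!': execve() fails with Exec format error"
            % first_line[:2]
        )
    elif first_line.rstrip(b"\n").endswith(b"\r"):
        # CRLF line endings: the interpreter path is taken to include '\r'.
        problems.append("shebang line ends in CRLF; interpreter path would end in '\\r'")
    mode = os.stat(path).st_mode
    if not mode & stat.S_IXUSR:
        problems.append("file is not executable (chmod 755 it)")
    return problems


def write_demo_script(body: bytes, mode: int = 0o755) -> str:
    """Write `body` to a temp file with the given mode and return its path
    (constructed demo input for the checker above)."""
    fd, path = tempfile.mkstemp(prefix="yubikey-auth-")
    with os.fdopen(fd, "wb") as f:
        f.write(body)
    os.chmod(path, mode)
    return path


def remove_demo_script(path: str) -> None:
    os.unlink(path)


# Constructed inputs: the broken script from the post (blank line before the
# shebang) and the repaired one.
BROKEN = b"\n#!/bin/sh\nexit 0\n"
FIXED = b"#!/bin/sh\nexit 0\n"

if __name__ == "__main__":
    for label, body in (("broken", BROKEN), ("fixed", FIXED)):
        p = write_demo_script(body)
        print(label, diagnose_pam_exec_script(p) or "OK")
        remove_demo_script(p)
```

Run it on /usr/local/bin/yubikey-auth in dom0 before wiring the script into PAM; the shebang and mode problems are both visible from the file alone, without having to trigger a lock-screen failure and read the journal.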

Marek Marczykowski-Górecki

Sep 6, 2016, 6:38:59 PM
to Peter Ihasz, qubes-users
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

(...)

> But I have got a new....
>
> Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:53 dom0 unix_chkpwd[8809]: password check failed for user (tacsk0)
> Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
> Sep 06 20:22:53 dom0 kcheckpass[8777]: Authentication failure for tacsk0 (invoked by uid 1000)
> Sep 06 20:22:53 dom0 unix_chkpwd[8808]: password check failed for user (tacsk0)
> Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
> Sep 06 20:22:53 dom0 kcheckpass[8776]: Authentication failure for tacsk0 (invoked by uid 1000)
> Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:59 dom0 unix_chkpwd[8846]: password check failed for user (tacsk0)
> Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
> Sep 06 20:22:59 dom0 kcheckpass[8815]: Authentication failure for tacsk0 (invoked by uid 1000)
> Sep 06 20:23:06 dom0 kcheckpass[8847]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 1
> Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:23:14 dom0 unix_chkpwd[8858]: password check failed for user (tacsk0)
> Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost= user=tacsk0
> Sep 06 20:23:14 dom0 kcheckpass[8816]: Authentication failure for tacsk0 (invoked by uid 1000)
> Sep 06 20:23:17 dom0 sudo[8865]: tacsk0 : TTY=pts/6 ; PWD=/usr/local/bin ; USER=root ; COMMAND=/bin/journalctl -eb

I don't see how that script could fail with code 2... Anyway, try
removing the "quiet" option to see more details.

- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJXz0V+AAoJENuP0xzK19csTwIH/21r2Nm1SzU333oinnx0g/ku
ZzpxJjq512zKfn4ICGrju4WfpMJLDQUwnGN/2jgm04DUJyqW9zA8ASbYCvhQss6f
5irazSOZjoU+1+xunq2FXRRPA6Llf5jbDOfeCuPWAGvba/FE5HhH9nYEMoSG9O0F
i3S+kJ35WKQG+v+UpxmkZ7jkeM/Y7/0Rczz8SjLzSWdbxm4AM2BXX/62oQn+CMWk
f3FRqt+COoyGeDRGPOwhE4/OXp6zKrqDQIsjiyWz0bX8xwmD8u0oJGzAyokyoQp2
oS0IjC01hvyAdEcWPRIR69vxYVdmc9px+9JjIOGYnQ1oEXJN6VoIKb2IdT79Oi0=
=LWTJ
-----END PGP SIGNATURE-----