On Mon, Sep 05, 2016 at 12:57:33PM -0700, Peter Ihasz wrote:
> Hi!
> 
> Unfortunately, I can't log in with yubikey and yubikey linked password.
> 
> Here is my config:
> 
> 1,
> yubikey linked password: apple
> 
> echo -n "apple" | openssl dgst -sha1
> yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940
> 
> yubikey-personalization-gui
> 
> LOGGING START,9/4/16 9:10 PM
> Challenge-Response: HMAC-SHA1,9/4/16 9:10 PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1
> 
> usbvm name: sys-usb
> 
> 
> 2,
> in dom0
> chmod 755 yubikey-auth
> /usr/local/bin/yubikey-auth 
> 
> #!/bin/sh
> 
> key="$1"
> 
> if [ -z "$key" ]; then
>     echo "Usage: $0 <AESKEY> [<PASSWORD-HASH>]"
>     exit 1
> fi
> 
> # if password was given, verify it
> if [ -n "$2" ]; then
>     # PAM appends \0 at the end
>     hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
>     if [ "x$2" != "x$hash" ]; then
>         exit 1
>     fi
> fi
> 
> challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
> # You may need to adjust slot number and USB VM name here
> response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge"`
> 
> correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`
> 
> test "x$correct_response" = "x$response"
> exit $?
> 
> 3,
> 
> /etc/pam.d/kscreensaver (KDE desktop environment)
> 
> auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d d0be2dc421be4fcd0172e5afceea3970e2f3d940


Do you have anything in the logs in dom0 (check `sudo journalctl -eb`)?
Do you have ykchalresp installed in the template of sys-usb? It's part of
the ykpers package.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
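
The two checks that the quoted yubikey-auth script performs, re-implemented as an added Python example (not part of the original thread and not Qubes code) so that each stage can be checked without the YubiKey. The function names and the sample challenge are assumptions made for illustration; the key and the password hash are the values posted above.

```python
import hashlib
import hmac

# Values taken from the message above.
KEY_HEX = "04c21478245c36861b9f946e0d9388d5ebbb909d"
PASSWORD_SHA1 = "d0be2dc421be4fcd0172e5afceea3970e2f3d940"
# Constructed sample challenge (the script reads 64 random bytes instead).
SAMPLE_CHALLENGE_HEX = bytes(range(64)).hex()


def password_hash(authtok: bytes) -> str:
    """SHA-1 of the token minus its last byte, mirroring `head -c -1`,
    which the script uses to drop the NUL that pam_exec appends."""
    return hashlib.sha1(authtok[:-1]).hexdigest()


def expected_response(key_hex: str, challenge_hex: str) -> str:
    """HMAC-SHA1 over the raw challenge bytes, keyed with the hex key."""
    return hmac.new(bytes.fromhex(key_hex), bytes.fromhex(challenge_hex),
                    hashlib.sha1).hexdigest()


def diagnose(key_hex, stored_hash, authtok, challenge_hex, response):
    """Return the first failing stage: 'password', 'response' or 'ok'."""
    if stored_hash:
        if not hmac.compare_digest(password_hash(authtok), stored_hash.lower()):
            return "password"
    want = expected_response(key_hex, challenge_hex)
    # An empty response is what the script sees when the qvm-run command
    # prints nothing, e.g. because ykchalresp is not installed in sys-usb.
    if not hmac.compare_digest(want, response.strip().lower()):
        return "response"
    return "ok"


if __name__ == "__main__":
    good = expected_response(KEY_HEX, SAMPLE_CHALLENGE_HEX)
    cases = {
        "token with trailing NUL, matching response": (b"apple\0", good),
        "token without the NUL (last letter lost)": (b"apple", good),
        "no output from sys-usb": (b"apple\0", ""),
    }
    for label, (tok, resp) in cases.items():
        print(label, "->", diagnose(KEY_HEX, PASSWORD_SHA1, tok,
                                    SAMPLE_CHALLENGE_HEX, resp))
```

A "response" result with a correct key points at the sys-usb side (no output or a different slot secret), while a "password" result points at how the token reaches the script's stdin.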
