Re: yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions
On 12/06/12 00:22, Alexander Hall wrote:
> On 12/02/12 14:31, Andreas Bartelt wrote:
>> Hello,
>>
>> I've set up yubikey OTP authentication and also want to use it for xlock(1) authentication. /var/db/yubikey has permissions 770 for root:auth. In case no `user`.ctr file exists in /var/db/yubikey at first login via yubikey, it is created automatically with permissions 644. This fails in case of xlock(1) authentication via yubikey:
>>
>> [from /var/log/authlog]
>> yubikey: user test: fopen: /var/db/yubikey/test.ctr: Permission denied
>>
>> Changing `user`.ctr permissions to 660 for root:auth makes it work. Should 660 be the default permissions for `user`.ctr?
>
> Yeah, that makes sense. I remember having issues with xlock myself but I didn't investigate it enough it seems.
>
> Does the diff below fix your issues?

Yes, permissions for `user`.ctr are set correctly now.

Thanks,
Andreas

Re: yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions
On 12/02/12 14:31, Andreas Bartelt wrote:
> Hello,
>
> I've set up yubikey OTP authentication and also want to use it for xlock(1) authentication. /var/db/yubikey has permissions 770 for root:auth. In case no `user`.ctr file exists in /var/db/yubikey at first login via yubikey, it is created automatically with permissions 644. This fails in case of xlock(1) authentication via yubikey:
>
> [from /var/log/authlog]
> yubikey: user test: fopen: /var/db/yubikey/test.ctr: Permission denied
>
> Changing `user`.ctr permissions to 660 for root:auth makes it work. Should 660 be the default permissions for `user`.ctr?

Yeah, that makes sense. I remember having issues with xlock myself but I didn't investigate it enough it seems.

Does the diff below fix your issues?

/Alexander

Index: login_yubikey.c === RCS file: /data/openbsd/cvs/src/libexec/login_yubikey/login_yubikey.c,v retrieving revision 1.4 diff -u -p -r1.4 login_yubikey.c --- login_yubikey.c 1 Feb 2012 16:07:28 - 1.4 +++ login_yubikey.c 5 Dec 2012 23:14:43 - @@ -31,6 +31,7 @@ */ #include sys/param.h +#include sys/stat.h #include sys/time.h #include sys/resource.h #include ctype.h @@ -254,6 +255,7 @@ yubikey_login(const char *username, cons } syslog(LOG_INFO, user %s: counter %u.%u %u.%u, username, ctr / 256, ctr % 256, last_ctr / 256, last_ctr % 256); + umask(S_IRWXO); if ((f = fopen(fn, w)) == NULL) { syslog(LOG_ERR, user %s: fopen: %s: %m, username, fn); return (AUTH_FAILED);
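
Review bot: the umask(S_IRWXO) added before fopen() in the second hunk only takes effect when fopen() creates the file, so a `user`.ctr that already exists with mode 644 keeps that mode and still fails from xlock(1) until it is fixed by hand. Consider an fchmod(fileno(f), S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP) after a successful open so existing files are repaired on the next login that is allowed to change them. The return value of umask() is also discarded in the lines shown, so the previous mask is not restored; saving it and resetting it after fopen() would keep the change scoped to this one file.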
yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions
Hello,

I've set up yubikey OTP authentication and also want to use it for xlock(1) authentication. /var/db/yubikey has permissions 770 for root:auth. In case no `user`.ctr file exists in /var/db/yubikey at first login via yubikey, it is created automatically with permissions 644. This fails in case of xlock(1) authentication via yubikey:

[from /var/log/authlog]
yubikey: user test: fopen: /var/db/yubikey/test.ctr: Permission denied

Changing `user`.ctr permissions to 660 for root:auth makes it work. Should 660 be the default permissions for `user`.ctr?

Best Regards
Andreas
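
The permission problem discussed in this thread, as an added example that is not part of the original messages and is not code from login_yubikey.c: it writes a counter file so that it ends up with mode 660 both when the file is newly created under a restrictive umask and when it already exists as 644. The names `write_counter` and `mode_after_write` are hypothetical, and a temporary directory under /tmp is a constructed stand-in for /var/db/yubikey.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not from login_yubikey.c: leaves path at 0660. */
int write_counter(const char *path, unsigned ctr)
{
	struct stat st;
	FILE *f;
	int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0660);
	if (fd == -1)
		return -1;
	/* open()'s mode is cut by umask and ignored for an existing file, so
	 * check and repair. fchmod() needs owner or root; fail closed if not. */
	if (fstat(fd, &st) == -1 ||
	    ((st.st_mode & 0777) != 0660 && fchmod(fd, 0660) == -1) ||
	    (f = fdopen(fd, "w")) == NULL) {
		close(fd);
		return -1;
	}
	fprintf(f, "%u\n", ctr);
	return fclose(f) == 0 ? 0 : -1;
}

/* Constructed scenario; preexisting != 0 starts from an old 0644 file. */
int mode_after_write(int preexisting)
{
	char dir[] = "/tmp/ctrdemoXXXXXX", path[64];
	struct stat st;
	int mode = -1;
	if (mkdtemp(dir) == NULL)
		return -1;
	snprintf(path, sizeof(path), "%s/test.ctr", dir);
	umask(022);	/* common default that strips group write */
	if (preexisting) close(open(path, O_WRONLY | O_CREAT, 0644));
	if (write_counter(path, 258) == 0 && stat(path, &st) == 0)
		mode = st.st_mode & 0777;
	unlink(path);
	rmdir(dir);
	return mode;
}

int main(void)
{
	printf("new: %o, old 0644: %o\n", (unsigned)mode_after_write(0), (unsigned)mode_after_write(1));
	return 0;
}
```

When the caller is neither root nor the file's owner, the `fchmod()` repair cannot succeed, so a file left at 644 by root still has to be corrected by a privileged login or by hand.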