Re: yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions

2012-12-07 Thread Andreas Bartelt

On 12/06/12 00:22, Alexander Hall wrote:
> On 12/02/12 14:31, Andreas Bartelt wrote:
>> Hello,
>>
>> I've set up yubikey OTP authentication and also want to use it for
>> xlock(1) authentication.
>>
>> /var/db/yubikey has permissions 770 for root:auth.
>>
>> In case no `user`.ctr file exists in /var/db/yubikey at first login
>> via yubikey, it is created automatically with permissions 644.
>>
>> This fails in case of xlock(1) authentication via yubikey: [from
>> /var/log/authlog] yubikey: user test: fopen:
>> /var/db/yubikey/test.ctr: Permission denied
>>
>> Changing `user`.ctr permissions to 660 for root:auth makes it work.
>>
>> Should 660 be the default permissions for `user`.ctr?
>
> Yeah, that makes sense. I remember having issues with xlock myself
> but I didn't investigate it enough it seems.
>
> Does the diff below fix your issues?



Yes, permissions for `user`.ctr are set correctly now.

Thanks,
Andreas



Re: yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions

2012-12-05 Thread Alexander Hall

On 12/02/12 14:31, Andreas Bartelt wrote:
> Hello,
>
> I've set up yubikey OTP authentication and also want to use it for
> xlock(1) authentication.
>
> /var/db/yubikey has permissions 770 for root:auth.
>
> In case no `user`.ctr file exists in /var/db/yubikey at first login
> via yubikey, it is created automatically with permissions 644.
>
> This fails in case of xlock(1) authentication via yubikey: [from
> /var/log/authlog] yubikey: user test: fopen:
> /var/db/yubikey/test.ctr: Permission denied
>
> Changing `user`.ctr permissions to 660 for root:auth makes it work.
>
> Should 660 be the default permissions for `user`.ctr?

Yeah, that makes sense. I remember having issues with xlock myself
but I didn't investigate it enough it seems.

Does the diff below fix your issues?

/Alexander


Index: login_yubikey.c
===
RCS file: /data/openbsd/cvs/src/libexec/login_yubikey/login_yubikey.c,v
retrieving revision 1.4
diff -u -p -r1.4 login_yubikey.c
--- login_yubikey.c 1 Feb 2012 16:07:28 -   1.4
+++ login_yubikey.c 5 Dec 2012 23:14:43 -
@@ -31,6 +31,7 @@
  */
 
 #include sys/param.h
+#include sys/stat.h
 #include sys/time.h
 #include sys/resource.h
 #include ctype.h
@@ -254,6 +255,7 @@ yubikey_login(const char *username, cons
}
syslog(LOG_INFO, user %s: counter %u.%u  %u.%u,
username, ctr / 256, ctr % 256, last_ctr / 256, last_ctr % 256);
+   umask(S_IRWXO);
if ((f = fopen(fn, w)) == NULL) {
syslog(LOG_ERR, user %s: fopen: %s: %m, username, fn);
return (AUTH_FAILED);
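
Review bot: the umask(S_IRWXO) placed before fopen(fn, w) only takes effect when fn is created, so a counter file that already exists with mode 644 keeps that mode when it is reopened for writing, and xlock would still hit the Permission denied for users who logged in before the change. Consider an fchmod(fileno(f), S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP) once the fopen succeeds, or state that existing files need a one-time chmod 660. The return value of umask() is also discarded, so the process keeps the 007 mask for anything it creates later; saving the old mask and restoring it after the fopen would keep the change local to this file.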



yubikey OTP, xlock(1) and /var/db/yubikey/`user`.ctr permissions

2012-12-02 Thread Andreas Bartelt

Hello,

I've set up yubikey OTP authentication and also want to use it for 
xlock(1) authentication.


/var/db/yubikey has permissions 770 for root:auth.

In case no `user`.ctr file exists in /var/db/yubikey at first login via 
yubikey, it is created automatically with permissions 644.


This fails in case of xlock(1) authentication via yubikey:
[from /var/log/authlog] yubikey: user test: fopen: 
/var/db/yubikey/test.ctr: Permission denied


Changing `user`.ctr permissions to 660 for root:auth makes it work.

Should 660 be the default permissions for `user`.ctr?

Best Regards
Andreas
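
The permission behaviour discussed in this thread, as an added example that is not part of any post and not code from login_yubikey.c: fopen(3) in "w" mode creates a file with mode 0666 filtered by the umask, and never changes the mode of a file that already exists. It assumes the reported 644 came from a umask of 022; `mode_after_fopen`, `ctr_mode` and the /tmp scratch path are hypothetical names.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* fopen(path, "w") under the given umask; returns the file's permission
 * bits afterwards, or -1 on error. The caller's umask is restored. */
static int
mode_after_fopen(const char *path, mode_t mask)
{
	struct stat sb;
	mode_t old = umask(mask);
	FILE *f = fopen(path, "w");

	umask(old);
	if (f == NULL)
		return (-1);
	fclose(f);
	return (stat(path, &sb) == -1 ? -1 : (int)(sb.st_mode & 0777));
}

/* One scenario in a private scratch directory (constructed names standing
 * in for /var/db/yubikey/test.ctr). If preexisting is set, the file is
 * first created under the assumed umask 022, giving the reported 0644. */
int
ctr_mode(mode_t mask, int preexisting)
{
	char dir[64], path[96];
	int mode = -1;

	snprintf(dir, sizeof(dir), "/tmp/ctrdemo.%ld", (long)getpid());
	if (mkdir(dir, 0700) == -1)	/* fail rather than reuse an existing name */
		return (-1);
	snprintf(path, sizeof(path), "%s/test.ctr", dir);
	if (!preexisting || mode_after_fopen(path, 022) == 0644)
		mode = mode_after_fopen(path, mask);
	unlink(path);
	rmdir(dir);
	return (mode);
}

int
main(void)
{
	printf("new file, umask 022:           %04o\n", (unsigned)ctr_mode(022, 0));
	printf("new file, umask(S_IRWXO):      %04o\n", (unsigned)ctr_mode(S_IRWXO, 0));
	printf("existing 0644, umask(S_IRWXO): %04o\n", (unsigned)ctr_mode(S_IRWXO, 1));
	return (0);
}
```

The third case shows why a counter file created before the umask change still needs a one-time chmod to 660.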