Re: [qubes-users] yubikey challenge-response

2016-09-06 Thread Peter Ihasz
On Tuesday, September 6, 2016 at 18:39:58 UTC+1, Peter Ihasz wrote:
> On Monday, September 5, 2016 at 21:09:33 UTC+1, Marek Marczykowski-Górecki wrote:
> > On Mon, Sep 05, 2016 at 12:57:33PM -0700, Peter Ihasz wrote:
> > > Hi!
> > > 
> > > Unfortunately, I can't login with yubikey and yubikey linked password.
> > > 
> > > Here is my config:
> > > 
> > > 1,
> > > yubikey linked password: apple
> > > 
> > > echo -n "apple" | openssl dgst -sha1
> > > yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940
> > > 
> > > yubikey-personalization-gui
> > > 
> > > LOGGING START,9/4/16 9:10 PM
> > > Challenge-Response: HMAC-SHA1,9/4/16 9:10 PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1
> > > 
> > > usbvm name: sys-usb
> > > 
> > > 
> > > 2,
> > > in dom0
> > > chmod 755 yubikey-auth
> > > /usr/local/bin/yubikey-auth 
> > > 
> > > #!/bin/sh
> > > 
> > > key="$1"
> > > 
> > > if [ -z "$key" ]; then
> > > echo "Usage: $0  []"
> > > exit 1
> > > fi
> > > 
> > > # if password has given, verify it
> > > if [ -n "$2" ]; then
> > > # PAM appends \0 at the end
> > > hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
> > > if [ "x$2" != "x$hash" ]; then
> > > exit 1
> > > fi
> > > fi
> > > 
> > > challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
> > > # You may need to adjust slot number and USB VM name here
> > > response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge"`
> > > 
> > > correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`
> > > 
> > > test "x$correct_response" = "x$response"
> > > exit $?
> > > 
> > > 3,
> > > 
> > > /etc/pam.d/kscreensaver (KDE desktop environment)
> > > 
> > > auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d d0be2dc421be4fcd0172e5afceea3970e2f3d940
> > 
> > 
> > Do you have anything in logs in dom0 (check `sudo journalctl -eb`)?
> > Do you have ykchalresp installed in template of sys-usb? It's part of
> > ykpers package.
> > 
> > -- 
> > Best Regards,
> > Marek Marczykowski-Górecki
> > Invisible Things Lab
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> 
> 
> 
> `sudo journalctl -eb`
> 
> Sep 06 18:33:28 dom0 kcheckpass[7948]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
> Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
> Sep 06 18:33:28 dom0 kcheckpass[7950]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
> Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
> Sep 06 18:33:28 dom0 unix_chkpwd[7952]: password check failed for user (tacsk0)
> Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost=  user=tacsk0
> Sep 06 18:33:28 dom0 kcheckpass[7946]: Authentication failure for tacsk0 (invoked by uid 1000)
> Sep 06 18:33:28 dom0 unix_chkpwd[7953]: password check failed for user (tacsk0)
> Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 

Re: [qubes-users] yubikey challenge-response

2016-09-06 Thread Peter Ihasz
On Monday, September 5, 2016 at 21:09:33 UTC+1, Marek Marczykowski-Górecki wrote:
> On Mon, Sep 05, 2016 at 12:57:33PM -0700, Peter Ihasz wrote:
> > Hi!
> > 
> > Unfortunately, I can't login with yubikey and yubikey linked password.
> > 
> > Here is my config:
> > 
> > 1,
> > yubikey linked password: apple
> > 
> > echo -n "apple" | openssl dgst -sha1
> > yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940
> > 
> > yubikey-personalization-gui
> > 
> > LOGGING START,9/4/16 9:10 PM
> > Challenge-Response: HMAC-SHA1,9/4/16 9:10 PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1
> > 
> > usbvm name: sys-usb
> > 
> > 
> > 2,
> > in dom0
> > chmod 755 yubikey-auth
> > /usr/local/bin/yubikey-auth 
> > 
> > #!/bin/sh
> > 
> > key="$1"
> > 
> > if [ -z "$key" ]; then
> > echo "Usage: $0  []"
> > exit 1
> > fi
> > 
> > # if password has given, verify it
> > if [ -n "$2" ]; then
> > # PAM appends \0 at the end
> > hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
> > if [ "x$2" != "x$hash" ]; then
> > exit 1
> > fi
> > fi
> > 
> > challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
> > # You may need to adjust slot number and USB VM name here
> > response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge"`
> > 
> > correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`
> > 
> > test "x$correct_response" = "x$response"
> > exit $?
> > 
> > 3,
> > 
> > /etc/pam.d/kscreensaver (KDE desktop environment)
> > 
> > auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d d0be2dc421be4fcd0172e5afceea3970e2f3d940
> 
> 
> Do you have anything in logs in dom0 (check `sudo journalctl -eb`)?
> Do you have ykchalresp installed in template of sys-usb? It's part of
> ykpers package.
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?



`sudo journalctl -eb`

Sep 06 18:33:28 dom0 kcheckpass[7948]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:28 dom0 kcheckpass[7950]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:28 dom0 unix_chkpwd[7952]: password check failed for user (tacsk0)
Sep 06 18:33:28 dom0 kcheckpass[7946]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost=  user=tacsk0
Sep 06 18:33:28 dom0 kcheckpass[7946]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 18:33:28 dom0 unix_chkpwd[7953]: password check failed for user (tacsk0)
Sep 06 18:33:28 dom0 kcheckpass[7947]: pam_unix(kscreensaver:auth): authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser= rhost=  user=tacsk0
Sep 06 18:33:28 dom0 kcheckpass[7947]: Authentication failure for tacsk0 (invoked by uid 1000)
Sep 06 18:33:33 dom0 kcheckpass[7956]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:33 dom0 kcheckpass[7954]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8
Sep 06 18:33:33 dom0 kcheckpass[7958]: pam_exec(kscreensaver:auth): execve(/usr/local/bin/yubikey-auth,...) failed: Exec format error
Sep 06 18:33:33 dom0 kcheckpass[7955]: pam_exec(kscreensaver:auth): /usr/local/bin/yubikey-auth failed: exit code 8

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/fde7cd16-caa6-48cc-bae4-47090e1f63ec%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
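
The journal in the message above shows execve() of /usr/local/bin/yubikey-auth failing with "Exec format error" (ENOEXEC, errno 8 on Linux), which the kernel returns when a file is neither a recognised binary nor starts with `#!` at byte 0. The check below is an added example, not part of the original messages; the function name `check_shebang` and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: classify why execve() would reject a script file.
# Prints one word and returns 0 only for "ok":
#   ok | empty | bom | leading-whitespace | no-shebang | crlf
check_shebang() {
    f="$1"
    # An empty file is not a valid executable format.
    [ -s "$f" ] || { echo empty; return 1; }
    # First three bytes as contiguous hex, e.g. "#!/" -> 23212f
    first=$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')
    case "$first" in
        2321*)  ;;                                    # "#!" at offset 0
        efbbbf) echo bom; return 1 ;;                 # UTF-8 byte order mark
        20*|09*|0a*|0d*) echo leading-whitespace; return 1 ;;
        *)      echo no-shebang; return 1 ;;
    esac
    # A CR on line 1 makes the interpreter path "/bin/sh\r"; that fails
    # with "No such file or directory" rather than ENOEXEC, but it is
    # worth catching in the same pass.
    if head -n 1 "$f" | od -An -tx1 | grep -q '0d'; then
        echo crlf
        return 1
    fi
    echo ok
}

# Constructed sample: a script saved with a blank line before the shebang.
tmp=$(mktemp)
printf '\n#!/bin/sh\nexit 0\n' > "$tmp"
echo "sample file: $(check_shebang "$tmp")"
rm -f "$tmp"
```

Run it in dom0 as `check_shebang /usr/local/bin/yubikey-auth`; anything other than `ok` means the file has to be re-saved so that `#!/bin/sh` is its very first line.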


[qubes-users] yubikey challenge-response

2016-09-05 Thread Peter Ihasz
Hi!

Unfortunately, I can't login with yubikey and yubikey linked password.

Here is my config:

1,
yubikey linked password: apple

echo -n "apple" | openssl dgst -sha1
yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940

yubikey-personalization-gui

LOGGING START,9/4/16 9:10 PM
Challenge-Response: HMAC-SHA1,9/4/16 9:10 PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1

usbvm name: sys-usb


2,
in dom0
chmod 755 yubikey-auth
/usr/local/bin/yubikey-auth 

#!/bin/sh

key="$1"

if [ -z "$key" ]; then
    echo "Usage: $0  []"
    exit 1
fi

# if a password hash was given, verify the typed password against it
if [ -n "$2" ]; then
    # PAM appends \0 at the end
    hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
    if [ "x$2" != "x$hash" ]; then
        exit 1
    fi
fi

# random 64-byte challenge, hex-encoded
challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
# You may need to adjust slot number and USB VM name here
response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x $challenge"`

# expected HMAC-SHA1 of the challenge, computed locally with the shared key
correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1 -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`

test "x$correct_response" = "x$response"
exit $?

3,

/etc/pam.d/kscreensaver (KDE desktop environment)

auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d d0be2dc421be4fcd0172e5afceea3970e2f3d940
