[PATCH] Re: Using pam_yubico to validate yubikey against privacyidea

Hello Cornelius,

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

> So the public identifier/prefix cannot be the serial number...?

Yes. And what seems to have blocked my attempts until now is this in
yubikeytoken.py:

201 secret = self.token.get_otpkey()

216 msg_bin = secret.aes_decrypt(otp_bin)
217 msg_hex = binascii.hexlify(msg_bin)

229 uid = msg_hex[0:12]

What we store in table tokeninfo as yubikey.tokenid seems to be the
decrypted otp_bin (whole string). Until now I didn’t replicate that in
the search for the correct token, so no token was found.

> I think it is not necessary to change the database model.
> Especially not for one tokentype!

Yes, I’m convinced we don’t need to.

> So I think you are right, that we need to get the enrollment straight and

This should be possible with "--yubiprefixrandom 6" as the default for
"privacyidea token yubi_mass_enroll". A token created with the
following patch works for testing in the webui and via /ttype/yubikey:

— yubikeytoken.py.orig 2016-03-08 21:09:14.669076518 +0100
+++ yubikeytoken.py 2016-03-10 00:03:35.966945237 +0100
@@ -252,6 +252,11 @@
tokenid = uid
self.add_tokeninfo(“yubikey.tokenid”, tokenid)

  •    prefix = self.get_tokeninfo("yubikey.prefix")
    
  •    if not prefix:
    
  •        log.debug("Got no prefix for %r. Setting to %r." % (serial, yubi_prefix))
    
  •        self.add_tokeninfo("yubikey.prefix", yubi_prefix)+
       if tokenid != uid:
           # wrong token!
           log.warning("The wrong token was presented for %r. Got %r, expected %r."
    

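Review bot: the new `yubikey.prefix` is written before the `tokenid != uid` check, so a token that has no prefix stored yet learns the prefix of whatever key was presented, including the wrong one flagged by the "wrong token!" branch right below; move `self.add_tokeninfo("yubikey.prefix", yubi_prefix)` below that branch (better: into the success path, once the OTP has been validated) so only a key that decrypts to the expected uid can pin its prefix. `yubi_prefix` is also not defined anywhere in the visible context of this hunk; it has to be the public-id part of the presented OTP (the characters in front of the 32-char encrypted block), and the hunk should include where it is derived so a reviewer can see that its length matches what the lookup in the second hunk compares against.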
@@ -379,29 +384,23 @@
res = False

     token_list = []
  •    token_candidate_list = []
    
       # strip the yubico OTP and the PIN
    
  •    modhex_serial = passw[:-32][-16:]
    
  •    try:
    
  •        serialnum = "UBAM" + modhex_decode(modhex_serial)
    
  •    except TypeError as exx:  # pragma: no cover
    
  •        log.error("Failed to convert serialnumber: %r" % exx)
    
  •        return res, opt
    
  •    # build list of possible yubikey tokens
    
  •    serials = [serialnum]
    
  •    for i in range(1, 3):
    
  •        serials.append("%s_%s" % (serialnum, i))
    
  •    prefix = passw[:-32][-16:]
    
       from privacyidea.lib.token import get_tokens
       from privacyidea.lib.token import check_token_list
    
  •    for serial in serials:
    
  •        tokenobject_list = get_tokens(serial=serial)
    
  •        token_list.extend(tokenobject_list)
    
  •    token_candidate_list = get_tokens(tokentype='yubikey')
    
  •    for tokenobject in token_candidate_list:
    
  •        token_prefix = tokenobject.get_tokeninfo("yubikey.prefix")
    
  •        if prefix == token_prefix:
    
  •            token_list.append(tokenobject)
    
       if not token_list:
    
  •        opt['action_detail'] = ("The serial %s could not be found!" %
    
  •                                serialnum)
    
  •        opt['action_detail'] = ("The prefix %s could not be found!" %
    
  •                                prefix)
           return res, opt
    
       (res, opt) = check_token_list(token_list, passw)
    
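Review bot: `prefix = passw[:-32][-16:]` keeps up to 16 characters in front of the 32-char OTP, but a token enrolled with `--yubiprefixrandom 6` stores a 12-char prefix, and any PIN typed in front of the OTP lands in the same 16-char slice, so `prefix == token_prefix` is false in both cases; compare against the stored value's own length instead, e.g. `passw[:-32].endswith(token_prefix)`. Removing the serial-based candidates (`serialnum = "UBAM" + modhex_decode(modhex_serial)` and the `"%s_%s" % (serialnum, i)` variants) also leaves no path for tokens enrolled before this change: they have no `yubikey.prefix` tokeninfo, the prefix is only learned in the first hunk, and that code only runs for tokens already in `token_list`, so such tokens are never found and never upgraded; keep the serial lookup as a fallback when the prefix match returns nothing, which is also what the backward-compatibility remark in the reply asks for. `get_tokens(tokentype='yubikey')` loads every yubikey token on each authentication; if `get_tokens` can filter on a tokeninfo value, that filter belongs here. Finally, if both `opt['action_detail']` assignments (`The serial %s could not be found!` and `The prefix %s could not be found!`) stay in the code, the first is silently overwritten; keep only the one that matches the lookup actually performed.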

> find a solution that keeps the backward compatibility.

I’ll need to test this and my patch a lot more.

Now I’ll need to find out why pam_yubico fails after checking
privacyidea - but nothing for this list:

[pam_yubico.c:pam_sm_authenticate(816)] pam_yubico version: 2.21
[pam_yubico.c:pam_sm_authenticate(831)] get user returned: jochen
YubiKey for `jochen’: blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte
[pam_yubico.c:pam_sm_authenticate(982)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(1000)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(1007)] OTP: blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte ID: blnjltubrrie
[pam_yubico.c:pam_sm_authenticate(1037)] ykclient return value (0): Success
[pam_yubico.c:pam_sm_authenticate(1038)] ykclient url used: https://athene.jochen.org/ttype/yubikey?id=23453&nonce=inrehitzgpbjdibgbynngspyaqsmajri&otp=blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte&timestamp=1
[pam_yubico.c:authorize_user_token(181)] Dropping privileges
[util.c:check_user_token(151)] Authorization line: jochen:4017813:4017832:17297
[util.c:check_user_token(156)] Matched user: jochen
[util.c:check_user_token(162)] Authorization token: 4017813
[util.c:check_user_token(162)] Authorization token: 4017832
[util.c:check_user_token(162)] Authorization token: 17297
[util.c:check_user_token(162)] Authorization token: (null)
[pam_yubico.c:pam_sm_authenticate(1071)] Unauthorized token for this user

Jochen


The only problem with troubleshooting is that the trouble shoots back.
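The OTP split and prefix lookup discussed in the message above, as an added example in Python that is neither privacyidea's code nor the patch. `modhex_decode`, `split_otp`, `serial_from_prefix`, `lookup_fixed_slice` (the comparison the patch makes) and `lookup_by_suffix` are functions written for this page; the token records are constructed, and only the OTP string is taken from the pam_yubico log in the message. It shows why a fixed `passw[:-32][-16:]` slice fails as soon as a PIN precedes the OTP or the stored prefix is 12 rather than 16 characters, and how matching on the end of the head avoids that.

```python
# Added example (not privacyidea code): splitting a Yubico OTP string into
# PIN / public id (prefix) / encrypted block, and looking a token up by the
# prefix stored in tokeninfo "yubikey.prefix" without assuming a fixed
# prefix length. Token records below are constructed for the example.

MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet, maps to hex 0..f
OTP_LEN = 32                  # encrypted part of a Yubico OTP: 32 modhex chars


def modhex_decode(s):
    """Translate a modhex string to its hex representation.

    Raises ValueError on any character outside the modhex alphabet.
    """
    out = []
    for c in s.lower():
        if c not in MODHEX:
            raise ValueError("not modhex: %r" % s)
        out.append("0123456789abcdef"[MODHEX.index(c)])
    return "".join(out)


def split_otp(passw):
    """Split '<pin><public id><32-char block>' into (head, block).

    The head is an optional PIN followed by the public id. Its length is
    not fixed: a 6-byte prefix (--yubiprefixrandom 6) gives 12 modhex
    chars, an 8-byte one gives 16.
    """
    if len(passw) < OTP_LEN:
        raise ValueError("too short to contain a Yubico OTP")
    head, block = passw[:-OTP_LEN], passw[-OTP_LEN:]
    modhex_decode(block)  # the 32-char block itself must be modhex
    return head, block


def serial_from_prefix(prefix16):
    """Serial-derived lookup modelled on the lines the patch removes:
    16 modhex chars -> "UBAM" + 16 hex digits (my reconstruction)."""
    if len(prefix16) != 16:
        raise ValueError("serial-derived prefixes are 16 modhex chars")
    return "UBAM" + modhex_decode(prefix16)


def lookup_fixed_slice(passw, tokens):
    """The patch's comparison: passw[:-32][-16:] == stored prefix."""
    prefix = passw[:-OTP_LEN][-16:]
    return [t for t in tokens if t["prefix"] == prefix]


def lookup_by_suffix(passw, tokens):
    """Match the stored prefix against the end of the head instead.

    Tolerates a PIN in front of the OTP and prefixes of different
    lengths. When one stored prefix is a suffix of another, the longest
    match is returned first so the caller can prefer it.
    """
    head, _ = split_otp(passw)
    hits = [t for t in tokens if t["prefix"] and head.endswith(t["prefix"])]
    hits.sort(key=lambda t: len(t["prefix"]), reverse=True)
    return hits


# Constructed token records (serials and prefixes made up for the example).
TOKENS = [
    {"serial": "UBAM00000001", "prefix": "blnjltubrrie"},             # 6-byte random prefix
    {"serial": "UBAM00000002", "prefix": "cccccccccccc"},             # 6-byte random prefix
    {"serial": "UBAMff00000000000000", "prefix": "vvcccccccccccccc"}, # 8-byte serial-derived
]

# OTP from the pam_yubico log in the message: 12-char public id + 32-char block.
OTP = "blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte"


if __name__ == "__main__":
    head, block = split_otp(OTP)
    print("public id %s -> hex %s" % (head, modhex_decode(head)))
    print("fixed slice, no PIN: ", [t["serial"] for t in lookup_fixed_slice(OTP, TOKENS)])
    print("fixed slice, PIN 1234:", [t["serial"] for t in lookup_fixed_slice("1234" + OTP, TOKENS)])
    print("suffix match, PIN 1234:", [t["serial"] for t in lookup_by_suffix("1234" + OTP, TOKENS)])
```

The candidate list from `lookup_by_suffix` is only a pre-selection: the actual decision still comes from decrypting the 32-char block with each candidate's AES key and comparing the first 12 hex characters of the plaintext with the stored `yubikey.tokenid`, as the `uid = msg_hex[0:12]` lines quoted above do; the ambiguous case (one stored prefix ending another) is resolved there, not by the string match.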

> Now I'll need to find out why pam_yubico fails after checking
> privacyidea - but nothing for this list:
>
> [util.c:check_user_token(151)] Authorization line: jochen:4017813:4017832:17297
> [util.c:check_user_token(156)] Matched user: jochen
> [util.c:check_user_token(162)] Authorization token: 4017813
> [util.c:check_user_token(162)] Authorization token: 4017832
> [util.c:check_user_token(162)] Authorization token: 17297
> [util.c:check_user_token(162)] Authorization token: (null)
> [pam_yubico.c:pam_sm_authenticate(1071)] Unauthorized token for this user

That was easy: just add the prefix (first twelve characters of an OTP)
to ~/.yubico/authorized_yubikeys.

Jochen

On 2016-03-10 00:12, Jochen Hein wrote:


The only problem with troubleshooting is that the trouble shoots back.
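The ~/.yubico/authorized_yubikeys check that the log shows failing and the fix from the reply, as an added example that is not pam_yubico's code: `parse_authorized`, `public_id`, `is_authorized` and `explain` are helpers written for this page, the file contents are constructed from the log line, and skipping `#` lines is an assumption about the file format, not something the page states. The 12-character id length comes from "token_id set to 12" in the log.

```python
# Added example (not pam_yubico code): the per-user authorization that
# pam_yubico does against ~/.yubico/authorized_yubikeys, reproduced so the
# failure in the log can be seen. The file contents are constructed.

TOKEN_ID_LEN = 12             # "token_id set to 12" in the pam_yubico log
MODHEX = "cbdefghijklnrtuv"   # alphabet a public id must consist of


def parse_authorized(text):
    """Parse 'user:id1:id2:...' lines into {user: [ids]}.

    Empty fields (e.g. a trailing ':') are dropped so they never match.
    Treating '#' lines as comments is an assumption for this example.
    """
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, ids = line.partition(":")
        mapping[user] = [i for i in ids.split(":") if i]
    return mapping


def public_id(otp):
    """The first TOKEN_ID_LEN characters of the OTP, what pam_yubico compares."""
    return otp[:TOKEN_ID_LEN]


def is_authorized(text, user, otp):
    """True when the OTP's public id is listed on the user's line."""
    return public_id(otp) in parse_authorized(text).get(user, [])


def explain(text, user, otp):
    """Diagnostic string for a failed check (constructed wording)."""
    ids = parse_authorized(text).get(user)
    if ids is None:
        return "no line for user %s" % user
    bad = [i for i in ids
           if len(i) != TOKEN_ID_LEN or any(c not in MODHEX for c in i)]
    if bad:
        return "entries are not %d-char modhex public ids: %s" % (TOKEN_ID_LEN, bad)
    return "public id %s not in %s" % (public_id(otp), ids)


OTP = "blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte"   # from the log above
BROKEN = "jochen:4017813:4017832:17297\n"                # the line from the log
FIXED = "jochen:blnjltubrrie\n"                          # prefix added as the reply describes


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        ok = is_authorized(text, "jochen", OTP)
        print(name, "->", "authorized" if ok else explain(text, "jochen", OTP))
```

The numeric entries on the original line are not 12-character modhex ids, so no OTP can ever match them; `explain` points that out before the lookup result, which is the quickest way to tell a wrong-format line from a key that is simply not listed.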