Hello Cornelius,
Cornelius Kölbel cornelius.koelbel@netknights.it writes:
So the public identifier/prefix cannot be the serial number…?
Yes. And what seems to have blocked my attempts until now is this in
yubikeytoken.py:
    secret = self.token.get_otpkey()
    …
    msg_bin = secret.aes_decrypt(otp_bin)
    msg_hex = binascii.hexlify(msg_bin)
    …
    uid = msg_hex[0:12]
What we store in table tokeninfo as yubikey.tokenid seems to be the
decrypted otp_bin (whole string). Until now I didn’t replicate that in
the search for the correct token, so no token was found.
I think it is not necessary to change the database model.
Especially not for one tokentype!
Yes, I’m convinced we don’t need to.
So I think you are right, that we need to get the enrollment straight and
This should be possible with "--yubiprefixrandom 6" as the default for
"privacyidea token yubi_mass_enroll". A token created with the
following patch works for test in webui and /ttype/yubikey:
— yubikeytoken.py.orig 2016-03-08 21:09:14.669076518 +0100
+++ yubikeytoken.py 2016-03-10 00:03:35.966945237 +0100
@@ -252,6 +252,11 @@
tokenid = uid
self.add_tokeninfo(“yubikey.tokenid”, tokenid)
-
prefix = self.get_tokeninfo("yubikey.prefix")
-
if not prefix:
-
log.debug("Got no prefix for %r. Setting to %r." % (serial, yubi_prefix))
-
self.add_tokeninfo("yubikey.prefix", yubi_prefix)+ if tokenid != uid: # wrong token! log.warning("The wrong token was presented for %r. Got %r, expected %r."
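Review bot: the prefix branch added here stores yubi_prefix (set outside the hunk) as "yubikey.prefix" whenever that tokeninfo is still empty, but unlike the tokenid path, which is followed by `if tokenid != uid:`, nothing compares a stored prefix against the prefix of the OTP being checked; add the matching comparison with a warning like the tokenid one, so that a prefix learned from the first valid OTP is actually enforced afterwards.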
@@ -379,29 +384,23 @@
res = False
token_list = []
-
token_candidate_list = [] # strip the yubico OTP and the PIN
-
modhex_serial = passw[:-32][-16:]
-
try:
-
serialnum = "UBAM" + modhex_decode(modhex_serial)
-
except TypeError as exx: # pragma: no cover
-
log.error("Failed to convert serialnumber: %r" % exx)
-
return res, opt
-
# build list of possible yubikey tokens
-
serials = [serialnum]
-
for i in range(1, 3):
-
serials.append("%s_%s" % (serialnum, i))
-
prefix = passw[:-32][-16:] from privacyidea.lib.token import get_tokens from privacyidea.lib.token import check_token_list
-
for serial in serials:
-
tokenobject_list = get_tokens(serial=serial)
-
token_list.extend(tokenobject_list)
-
token_candidate_list = get_tokens(tokentype='yubikey')
-
for tokenobject in token_candidate_list:
-
token_prefix = tokenobject.get_tokeninfo("yubikey.prefix")
-
if prefix == token_prefix:
-
token_list.append(tokenobject) if not token_list:
-
opt['action_detail'] = ("The serial %s could not be found!" %
-
serialnum)
-
opt['action_detail'] = ("The prefix %s could not be found!" %
-
prefix) return res, opt (res, opt) = check_token_list(token_list, passw)
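Review bot: in the `if not token_list:` branch the serial message is dead code, because the second `opt['action_detail'] = ("The prefix %s could not be found!" % prefix)` immediately overwrites the first assignment; merge the two into one message that names both the serial and the prefix. Two more points in this hunk: `prefix = passw[:-32][-16:]` hard-codes a 16-character prefix although the log further down shows pam_yubico working with a 12-character ID (`token_id set to 12`), so with a PIN in front of such an OTP the PIN characters would end up in the compared prefix; and `get_tokens(tokentype='yubikey')` loads every YubiKey token and compares "yubikey.prefix" in Python on each authentication, where a query filtered on the tokeninfo value would be cheaper and would also avoid appending a token already found by serial a second time.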
find a solution that keeps the backward compatibility.
I’ll need to test this and my patch a lot more.
Now I’ll need to find out why pam_yubico fails after checking
privacyidea - but nothing for this list:
[pam_yubico.c:pam_sm_authenticate(816)] pam_yubico version: 2.21
[pam_yubico.c:pam_sm_authenticate(831)] get user returned: jochen
YubiKey for `jochen': blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte
[pam_yubico.c:pam_sm_authenticate(982)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(1000)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(1007)] OTP: blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte ID: blnjltubrrie
[pam_yubico.c:pam_sm_authenticate(1037)] ykclient return value (0): Success
[pam_yubico.c:pam_sm_authenticate(1038)] ykclient url used: https://athene.jochen.org/ttype/yubikey?id=23453&nonce=inrehitzgpbjdibgbynngspyaqsmajri&otp=blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte&timestamp=1
[pam_yubico.c:authorize_user_token(181)] Dropping privileges
[util.c:check_user_token(151)] Authorization line: jochen:4017813:4017832:17297
[util.c:check_user_token(156)] Matched user: jochen
[util.c:check_user_token(162)] Authorization token: 4017813
[util.c:check_user_token(162)] Authorization token: 4017832
[util.c:check_user_token(162)] Authorization token: 17297
[util.c:check_user_token(162)] Authorization token: (null)
[pam_yubico.c:pam_sm_authenticate(1071)] Unauthorized token for this user
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
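As an added illustration (not part of Jochen's mail nor of the privacyidea or pam_yubico code), the check that the log above runs can be replayed in Python: pam_yubico cuts the 12-character public ID off the front of the 44-character OTP and looks for it among the colon-separated fields of the user's authorization line, which here holds numeric values, so the ID blnjltubrrie is not found. The modhex_decode helper is the same translation the patch relies on in "UBAM" + modhex_decode(...); the corrected authfile line is a constructed assumption.

```python
# Alphabet YubiKeys use for the public ID (modhex), in the order of hex digits 0..f.
MODHEX = "cbdefghijklnrtuv"
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")


def modhex_decode(text):
    """Translate modhex into ordinary hex, e.g. 'cbde' -> '0123'."""
    if any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex: %r" % text)
    return text.translate(_TO_HEX)


def split_otp(otp, skip=0):
    """pam_yubico style: the trailing 32 chars are the OTP proper, everything
    before them (after skipping `skip` leading bytes) is the public ID."""
    body = otp[skip:]
    if len(body) < 32:
        raise ValueError("OTP too short: %r" % otp)
    return body[:-32], body[-32:]


def check_user_token(authfile_text, user, token_id):
    """Authfile lines look like 'user:id1:id2:...'; True if token_id is listed
    for user. Blank lines and '#' comments are ignored."""
    for line in authfile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == user and token_id in fields[1:]:
            return True
    return False


# Values taken from the log above.
OTP_FROM_LOG = "blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte"
AUTHFILE_FROM_LOG = "jochen:4017813:4017832:17297\n"
# Constructed: the same user mapped to the modhex public ID instead of numbers.
AUTHFILE_FIXED = "jochen:blnjltubrrie\n"


def diagnose(otp=OTP_FROM_LOG, user="jochen"):
    """Return (public_id, hex_id, authorized_with_log_line, authorized_with_fixed_line)."""
    public_id, _otp_part = split_otp(otp)
    return (public_id, modhex_decode(public_id),
            check_user_token(AUTHFILE_FROM_LOG, user, public_id),
            check_user_token(AUTHFILE_FIXED, user, public_id))


if __name__ == "__main__":
    print(diagnose())
```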