[PATCH] Re: Using pam_yubico to validate yubikey against privacyidea

Hallo Cornelius,

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

So the public identifier/preifx can not be the serial number…?

Yes. And what seems to have blocked my attempts until now is this in
yubikeytoken.py:

201 secret = self.token.get_otpkey()

216 msg_bin = secret.aes_decrypt(otp_bin)
217 msg_hex = binascii.hexlify(msg_bin)

229 uid = msg_hex[0:12]

What we store in table tokeninfo as yubikey.tokenid seems to be the
decrypted otp_bin (whole string). Until now I didn’t replicate that in
the search for the correct token, so no token was found.

I think it is not necessary to change the database model.
Especially not for one tokentype!

Yes, I’m convinced we don’t need to.

So I think you are right, that we need to get the enrollment straight and

This should be possible with “–yubiprefixrandom 6” as the default for
"privacyidea token yubi_mass_enroll". A token created with the
following patch works for test in webui and /ttype/yubikey:

— yubikeytoken.py.orig 2016-03-08 21:09:14.669076518 +0100
+++ yubikeytoken.py 2016-03-10 00:03:35.966945237 +0100
@@ -252,6 +252,11 @@
tokenid = uid
self.add_tokeninfo(“yubikey.tokenid”, tokenid)

  •    prefix = self.get_tokeninfo("yubikey.prefix")
    
  •    if not prefix:
    
  •        log.debug("Got no prefix for %r. Setting to %r." % (serial, yubi_prefix))
    
  •        self.add_tokeninfo("yubikey.prefix", yubi_prefix)+
       if tokenid != uid:
           # wrong token!
           log.warning("The wrong token was presented for %r. Got %r, expected %r."
    

@@ -379,29 +384,23 @@
res = False

     token_list = []
  •    token_candidate_list = []
    
       # strip the yubico OTP and the PIN
    
  •    modhex_serial = passw[:-32][-16:]
    
  •    try:
    
  •        serialnum = "UBAM" + modhex_decode(modhex_serial)
    
  •    except TypeError as exx:  # pragma: no cover
    
  •        log.error("Failed to convert serialnumber: %r" % exx)
    
  •        return res, opt
    
  •    # build list of possible yubikey tokens
    
  •    serials = [serialnum]
    
  •    for i in range(1, 3):
    
  •        serials.append("%s_%s" % (serialnum, i))
    
  •    prefix = passw[:-32][-16:]
    
       from privacyidea.lib.token import get_tokens
       from privacyidea.lib.token import check_token_list
    
  •    for serial in serials:
    
  •        tokenobject_list = get_tokens(serial=serial)
    
  •        token_list.extend(tokenobject_list)
    
  •    token_candidate_list = get_tokens(tokentype='yubikey')
    
  •    for tokenobject in token_candidate_list:
    
  •        token_prefix = tokenobject.get_tokeninfo("yubikey.prefix")
    
  •        if prefix == token_prefix:
    
  •            token_list.append(tokenobject)
    
       if not token_list:
    
  •        opt['action_detail'] = ("The serial %s could not be found!" %
    
  •                                serialnum)
    
  •        opt['action_detail'] = ("The prefix %s could not be found!" %
    
  •                                prefix)
           return res, opt
    
       (res, opt) = check_token_list(token_list, passw)
    

find a solution that keeps the backward compatibility.

I’ll need to test this and my patch a lot more.

Now I’ll need to find out why pam_yubico fails after checking
privacyidea - but nothing for this list:

[pam_yubico.c:pam_sm_authenticate(816)] pam_yubico version: 2.21
[pam_yubico.c:pam_sm_authenticate(831)] get user returned: jochen
YubiKey for `jochen’: blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte
[pam_yubico.c:pam_sm_authenticate(982)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(1000)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(1007)] OTP: blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte ID: blnjltubrrie
[pam_yubico.c:pam_sm_authenticate(1037)] ykclient return value (0): Success
[pam_yubico.c:pam_sm_authenticate(1038)] ykclient url used: https://athene.jochen.org/ttype/yubikey?id=23453&nonce=inrehitzgpbjdibgbynngspyaqsmajri&otp=blnjltubrriegdilgvdjifvrjgnnnfflijhnvugecvte&timestamp=1
[pam_yubico.c:authorize_user_token(181)] Dropping privileges
[util.c:check_user_token(151)] Authorization line: jochen:4017813:4017832:17297
[util.c:check_user_token(156)] Matched user: jochen
[util.c:check_user_token(162)] Authorization token: 4017813
[util.c:check_user_token(162)] Authorization token: 4017832
[util.c:check_user_token(162)] Authorization token: 17297
[util.c:check_user_token(162)] Authorization token: (null)
[pam_yubico.c:pam_sm_authenticate(1071)] Unauthorized token for this user

Jochen


The only problem with troubleshooting is that the trouble shoots back.

Now I’ll need to find out why pam_yubico fails after checking
privacyidea - but nothing for this list:

[util.c:check_user_token(151)] Authorization line:
jochen:4017813:4017832:17297
[util.c:check_user_token(156)] Matched user: jochen
[util.c:check_user_token(162)] Authorization token: 4017813
[util.c:check_user_token(162)] Authorization token: 4017832
[util.c:check_user_token(162)] Authorization token: 17297
[util.c:check_user_token(162)] Authorization token: (null)
[pam_yubico.c:pam_sm_authenticate(1071)] Unauthorized token for this
user

That was easy: just add the prefix (first twelve characters of an OTP)
to ~/.yubico/authorized_yubikeys.

JochenAm 2016-03-10 00:12, schrieb Jochen Hein:


The only problem with troubleshooting is that the trouble shoots back.