Hello,
I'm currently evaluating different use cases for my Yubikey. Right now
I've set up both slots:
Slot 1: OATH-HOTP, planned usage for example for OpenVPN access. I've
mass_enrolled the token into privacyIDEA without problems and already
used it for login.
Slot 2: Challenge-Response HMAC-SHA1, current usage is for
"pam_yubico.so mode=challenge-response" for offline systems, KeePass
with the KeeChallenge plugin and (finally) LUKS. I've initialized the
slot with:
ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -o-chal-btn-trig -oallow-update
I’ve successfully used the key for login and KeePass and now start
planning the LUKS usage. In https://github.com/cornelinux/yubikey-luks
I see that I can just use yubikey-luks-enroll and I’m set.
In the README:
,----
| Manage several Yubikeys and Machines
|
| It is possible to manage several Yubikeys and machines. You need to use
| privacyIDEA to manage the Yubikeys and the privacyIDEA admin client to
| push the Yubikey responses to the LUKS slots.
`----
So I’ve looked at enrolling my pre-initialized Yubikey into privacyidea.
In
I see:
,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----
I’ve used that with “filename=secrets.csv” and changed the secret:
UBOM04017xxx_2, , TOTP, 6
and imported the file into privacyidea and added the token to a machine
for the luks application. Getting the authitem gives me:
,----
| $ privacyidea -U https://pi --admin admin machine authitem --hostname host
| Please enter password for 'admin':
| { u'status': True,
| u'value': { u'luks': [ { u'challenge': u'86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3',
| u'partition': u'/dev/sda7',
| u'response': u'67a756e99c1432fb9d8d882b69dfd480fd32cfd6',
| u'slot': u'2'}]}}
`----
but a test yields a different response:
,----
| $ ykchalresp -2 86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3
| b25ef9ac537e2060c823965fdcd18566e1fc23f0
`----
So, something is wrong. I’ve also tried with a mass_enrolled yubikey,
but the actual and expected response also differ. What do I miss?
Jochen
-- 
The only problem with troubleshooting is that the trouble shoots back.
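The response in HMAC-SHA1 challenge-response mode is simply HMAC-SHA1(slot secret, challenge bytes), so a mismatch like the one above can be narrowed down offline once you know exactly which bytes each side fed into the HMAC. One common difference: `ykchalresp` takes its argument as a literal string unless `-x` is given, so the 64-character hex challenge above is hashed as 64 ASCII bytes rather than the 32 decoded bytes. The following script is an added example, not part of the original post or of the privacyIDEA or yubikey-luks projects; it uses a constructed demo secret (the poster's real secret is redacted) and the challenge from the post, computes both interpretations, and reports which one a given server or device response corresponds to.

```python
import hashlib
import hmac

# Constructed demo secret (20 bytes, hex). NOT the poster's key, which is redacted.
DEMO_SECRET_HEX = "000102030405060708090a0b0c0d0e0f10111213"
# The challenge returned by "privacyidea machine authitem" in the post.
DEMO_CHALLENGE_HEX = "86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3"


def hmac_sha1_hex(secret_hex, data):
    """HMAC-SHA1 of `data` (bytes) under the hex-encoded slot secret, as hex."""
    return hmac.new(bytes.fromhex(secret_hex), data, hashlib.sha1).hexdigest()


def candidate_responses(secret_hex, challenge_hex):
    """Both plausible readings of a hex-looking challenge:
    - 'hex_decoded':   HMAC over the decoded bytes (32 bytes here); what
                       `ykchalresp -x` sends to the key.
    - 'ascii_literal': HMAC over the characters themselves (64 bytes here);
                       what `ykchalresp` sends without -x.
    """
    return {
        "hex_decoded": hmac_sha1_hex(secret_hex, bytes.fromhex(challenge_hex)),
        "ascii_literal": hmac_sha1_hex(secret_hex, challenge_hex.encode("ascii")),
    }


def classify(secret_hex, challenge_hex, observed_hex):
    """Return the interpretation name whose HMAC equals `observed_hex`,
    or None if neither matches (then the secret itself differs)."""
    for name, value in candidate_responses(secret_hex, challenge_hex).items():
        if hmac.compare_digest(value, observed_hex.lower()):
            return name
    return None


def diagnose(secret_hex, challenge_hex, server_hex, device_hex):
    """Compare a server-computed response and a device-produced response
    against the secret you believe is in the slot."""
    return {
        "server": classify(secret_hex, challenge_hex, server_hex),
        "device": classify(secret_hex, challenge_hex, device_hex),
    }


if __name__ == "__main__":
    cands = candidate_responses(DEMO_SECRET_HEX, DEMO_CHALLENGE_HEX)
    for name, value in cands.items():
        print(f"{name:14s} {value}")
    # Simulate a server hashing decoded bytes and a key hashing ASCII text.
    print(diagnose(DEMO_SECRET_HEX, DEMO_CHALLENGE_HEX,
                   cands["hex_decoded"], cands["ascii_literal"]))
```

Run it with the secret you actually loaded via ykpersonalize and the two responses from the post: if the server response classifies as `hex_decoded` and the ykchalresp output as `ascii_literal`, the secret is fine and only the challenge encoding differs (retry with `ykchalresp -x -2 <hex>`); if neither side matches, the secret stored in privacyIDEA is not the one programmed into slot 2. Note also that the slot above was initialised with `-ohmac-lt64`; check the yubikey-personalization documentation for how a full 64-byte challenge is treated under that flag before trusting a comparison made with a 64-byte input.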