Yubikey with yubikey-luks and privacyidea

Hello,

I’m currently evaluation different usecases for my Yubikey. Right now
I’ve set up both slots:

Slot 1: OATH-HOTP, planned usage for example for OpenVPN access. I’ve
mass_enrolled the token into pricavyidea without problems and already
used it for login.

Slot 2: Challenge-Response HMAC-SHA1, current usage is for
"pam_yubico.so mode=challenge-response" for offline systems, KeePass
with the KeeChallange plugin and (finally) LUKS. I’ve initialized the
slot with:

ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64
-oserial-api-visible -o-chal-btn-trig -oallow-update

I’ve successfully used the key for login and KeePass and now start
planning the LUKS usage. In https://github.com/cornelinux/yubikey-luks
I see that I can just use yubikey-luks-enroll and I’m set.

In the README:,----
| Manage several Yubikeys and Machines
|
| It is possible to manage several Yubikeys and machines. You need to use
| privacyIDEA to manage the Yubikeys and the privacyIDEA admin client to
| push the Yubikey responses to the LUKS slots.
`----

So I’ve looked at enrolling my pre-initialized Yubikey into privacyidea.
In


I see:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

I’ve used that with “filename=secrets.csv” and changed the secret:
UBOM04017xxx_2, , TOTP, 6
and imported the file into privacyidea and added the token to a machine
for the luks application. Getting the authitem gives me:

,----
| $ privacyidea -U https://pi --admin admin machine authitem --hostname host
| Please enter password for ‘admin’:
| { u’status’: True,
| u’value’: { u’luks’: [ { u’challenge’: u’86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3’,
| u’partition’: u’/dev/sda7’,
| u’response’: u’67a756e99c1432fb9d8d882b69dfd480fd32cfd6’,
| u’slot’: u’2’}]}}
`----

but a test yields a different response:

,----
| $ ykchalresp -2 86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3
| b25ef9ac537e2060c823965fdcd18566e1fc23f0
`----

So, something is wrong. I’ve also tried with a mass_enrolled yubikey,
but the actual and expected response also differ. What do I miss?

Jochen


The only problem with troubleshooting is that the trouble shoots back.

Hi Cornelius,

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

I see - for the Yubikey with HMAC-SHA1 I still get different responses
to the challenges. I’ll try a Yukikey with Challenge-Response “Yubikey
OTP” later and get back to you.

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

citing myself…Am 2015-09-03 22:34, schrieb Jochen Hein:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R
will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

What might be useful is having the ykpersonalize command printed in
verbose mode,
so I could check how the Yubikey was initialized. I’ll see if I can find
that out.

Jochen

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

I’m not quite sure what I did differently this time, but now it works as
expected. Thanks for your help.

Jochen–
The only problem with troubleshooting is that the trouble shoots back.

Hi Jochen,

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

Look at this.

1 cornelius@puckel ~/src/privacyidea (git)-[master] % privacyidea
–nosslcheck -U https://localhost/bla --admin=admin machine authitem
–hostname localhost --application luks --challenge 30303030
Please enter password for ‘admin’:
{ u’status’: True,
u’value’: { u’luks’: [ { u’challenge’: u’30303030’,
u’partition’: u’/dev/sdb7’,
u’response’:
u’8e81666adcad08f48ace1b94bda04cd08c7f92d0’,
u’slot’: u’3’}]}}
cornelius@puckel ~/src/privacyidea (git)-[master] % ykchalresp -2 0000
8e81666adcad08f48ace1b94bda04cd08c7f92d0
cornelius@puckel ~/src/privacyidea (git)-[master] %

I forced privacyIDEA to use a challenge “30303030”, which is hex encoded
for “0000”.
When I pass this binary string 0000 to ykchalresp, I get the same
response.

Kind regards
CorneliusAm Donnerstag, den 03.09.2015, 22:34 +0200 schrieb Jochen Hein:

Hello,

I’m currently evaluation different usecases for my Yubikey. Right now
I’ve set up both slots:

Slot 1: OATH-HOTP, planned usage for example for OpenVPN access. I’ve
mass_enrolled the token into pricavyidea without problems and already
used it for login.

Slot 2: Challenge-Response HMAC-SHA1, current usage is for
“pam_yubico.so mode=challenge-response” for offline systems, KeePass
with the KeeChallange plugin and (finally) LUKS. I’ve initialized the
slot with:

ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64
-oserial-api-visible -o-chal-btn-trig -oallow-update

I’ve successfully used the key for login and KeePass and now start
planning the LUKS usage. In https://github.com/cornelinux/yubikey-luks
I see that I can just use yubikey-luks-enroll and I’m set.

In the README:

,----
| Manage several Yubikeys and Machines
|
| It is possible to manage several Yubikeys and machines. You need to use
| privacyIDEA to manage the Yubikeys and the privacyIDEA admin client to
| push the Yubikey responses to the LUKS slots.
`----

So I’ve looked at enrolling my pre-initialized Yubikey into privacyidea.
In
https://github.com/privacyidea/privacyideaadm/blob/master/doc/index.rst
I see:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

I’ve used that with “filename=secrets.csv” and changed the secret:
UBOM04017xxx_2, , TOTP, 6
and imported the file into privacyidea and added the token to a machine
for the luks application. Getting the authitem gives me:

,----
| $ privacyidea -U https://pi --admin admin machine authitem --hostname host
| Please enter password for ‘admin’:
| { u’status’: True,
| u’value’: { u’luks’: [ { u’challenge’: u’86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3’,
| u’partition’: u’/dev/sda7’,
| u’response’: u’67a756e99c1432fb9d8d882b69dfd480fd32cfd6’,
| u’slot’: u’2’}]}}
`----

but a test yields a different response:

,----
| $ ykchalresp -2 86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3
| b25ef9ac537e2060c823965fdcd18566e1fc23f0
`----

So, something is wrong. I’ve also tried with a mass_enrolled yubikey,
but the actual and expected response also differ. What do I miss?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Oh see,

ykchalresp can also take a hex encoded string:

cornelius@puckel ~/src/privacyidea (git)-[master] % privacyidea
–nosslcheck -U https://localhost/bla --admin=admin machine authitem
–hostname localhost --application luks
Please enter password for ‘admin’:
{ u’status’: True,
u’value’: { u’luks’: [ { u’challenge’:
u’fbbb392958123452f9866785c4a684018000e5df8cc6ce7c6f890f0a01450a68’,
u’partition’: u’/dev/sdb7’,
u’response’:
u’851123628fe960812a1e56b5b7e95e3e865a39b2’,
u’slot’: u’3’}]}}
cornelius@puckel ~/src/privacyidea (git)-[master] % ykchalresp -2 -x
fbbb392958123452f9866785c4a684018000e5df8cc6ce7c6f890f0a01450a68
851123628fe960812a1e56b5b7e95e3e865a39b2

Kind regards
CorneliusAm Donnerstag, den 03.09.2015, 22:34 +0200 schrieb Jochen Hein:

Hello,

I’m currently evaluation different usecases for my Yubikey. Right now
I’ve set up both slots:

Slot 1: OATH-HOTP, planned usage for example for OpenVPN access. I’ve
mass_enrolled the token into pricavyidea without problems and already
used it for login.

Slot 2: Challenge-Response HMAC-SHA1, current usage is for
“pam_yubico.so mode=challenge-response” for offline systems, KeePass
with the KeeChallange plugin and (finally) LUKS. I’ve initialized the
slot with:

ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64
-oserial-api-visible -o-chal-btn-trig -oallow-update

I’ve successfully used the key for login and KeePass and now start
planning the LUKS usage. In https://github.com/cornelinux/yubikey-luks
I see that I can just use yubikey-luks-enroll and I’m set.

In the README:

,----
| Manage several Yubikeys and Machines
|
| It is possible to manage several Yubikeys and machines. You need to use
| privacyIDEA to manage the Yubikeys and the privacyIDEA admin client to
| push the Yubikey responses to the LUKS slots.
`----

So I’ve looked at enrolling my pre-initialized Yubikey into privacyidea.
In
https://github.com/privacyidea/privacyideaadm/blob/master/doc/index.rst
I see:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

I’ve used that with “filename=secrets.csv” and changed the secret:
UBOM04017xxx_2, , TOTP, 6
and imported the file into privacyidea and added the token to a machine
for the luks application. Getting the authitem gives me:

,----
| $ privacyidea -U https://pi --admin admin machine authitem --hostname host
| Please enter password for ‘admin’:
| { u’status’: True,
| u’value’: { u’luks’: [ { u’challenge’: u’86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3’,
| u’partition’: u’/dev/sda7’,
| u’response’: u’67a756e99c1432fb9d8d882b69dfd480fd32cfd6’,
| u’slot’: u’2’}]}}
`----

but a test yields a different response:

,----
| $ ykchalresp -2 86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3
| b25ef9ac537e2060c823965fdcd18566e1fc23f0
`----

So, something is wrong. I’ve also tried with a mass_enrolled yubikey,
but the actual and expected response also differ. What do I miss?

Jochen


The only problem with troubleshooting is that the trouble shoots back.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)