Yubikey with yubikey-luks and privacyidea

Hello,

I’m currently evaluating different use cases for my Yubikey. Right now
I’ve set up both slots:

Slot 1: OATH-HOTP, planned usage for example for OpenVPN access. I’ve
mass_enrolled the token into privacyidea without problems and already
used it for login.

Slot 2: Challenge-Response HMAC-SHA1, current usage is for
"pam_yubico.so mode=challenge-response" for offline systems, KeePass
with the KeeChallenge plugin and (finally) LUKS. I’ve initialized the
slot with:

ykpersonalize -2 -a -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -o-chal-btn-trig -oallow-update

I’ve successfully used the key for login and KeePass and now start
planning the LUKS usage. In https://github.com/cornelinux/yubikey-luks
I see that I can just use yubikey-luks-enroll and I’m set.

In the README:

,----
| Manage several Yubikeys and Machines
|
| It is possible to manage several Yubikeys and machines. You need to use
| privacyIDEA to manage the Yubikeys and the privacyIDEA admin client to
| push the Yubikey responses to the LUKS slots.
`----

So I’ve looked at enrolling my pre-initialized Yubikey into privacyidea.
In
https://github.com/privacyidea/privacyideaadm/blob/master/doc/index.rst
I see:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

I’ve used that with “filename=secrets.csv” and changed the secret:
UBOM04017xxx_2, , TOTP, 6
and imported the file into privacyidea and added the token to a machine
for the luks application. Getting the authitem gives me:

,----
| $ privacyidea -U https://pi --admin admin machine authitem --hostname host
| Please enter password for 'admin':
| { u'status': True,
|   u'value': { u'luks': [ { u'challenge': u'86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3',
|                            u'partition': u'/dev/sda7',
|                            u'response': u'67a756e99c1432fb9d8d882b69dfd480fd32cfd6',
|                            u'slot': u'2'}]}}
`----

but a test yields a different response:

,----
| $ ykchalresp -2 86510411fe41efad1daa1ae9ea5d3c74852ea45fb7073e629bd1e05f909487e3
| b25ef9ac537e2060c823965fdcd18566e1fc23f0
`----

So, something is wrong. I’ve also tried with a mass_enrolled yubikey,
but the actual and expected response also differ. What am I missing?

Jochen


The only problem with troubleshooting is that the trouble shoots back.

Hi Cornelius,

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

I see - for the Yubikey with HMAC-SHA1 I still get different responses
to the challenges. I’ll try a Yukikey with Challenge-Response “Yubikey
OTP” later and get back to you.

Jochen
-- 
The only problem with troubleshooting is that the trouble shoots back.

Citing myself... On 2015-09-03 22:34, Jochen Hein wrote:

,----
| Enroll a Yubikey in challenge response mode
|
| privacyidea @secrets.txt token yubikey_mass_enroll --yubiCR
| --yubislot 2
|
| This will enroll the Yubikey in challenge response mode and the C/R will
| be written to slot 2. Thus the yubikey can be used for LUKS.
`----

What might be useful is having the ykpersonalize command printed in
verbose mode, so I could check how the Yubikey was initialized. I’ll see
if I can find that out.

Jochen

Cornelius Kölbel cornelius.koelbel@netknights.it writes:

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

I’m not quite sure what I did differently this time, but now it works as
expected. Thanks for your help.

Jochen
-- 
The only problem with troubleshooting is that the trouble shoots back.

Hi Jochen,

the challenge in the return value from privacyidea is a hex string.
The challenge, which you specify at the command line in ykchalresp is a
binary string.

Look at this.

cornelius@puckel ~/src/privacyidea (git)-[master] % privacyidea --nosslcheck -U https://localhost/bla --admin=admin machine authitem --hostname localhost --application luks --challenge 30303030
Please enter password for 'admin':
{ u'status': True,
  u'value': { u'luks': [ { u'challenge': u'30303030',
                           u'partition': u'/dev/sdb7',
                           u'response': u'8e81666adcad08f48ace1b94bda04cd08c7f92d0',
                           u'slot': u'3'}]}}
cornelius@puckel ~/src/privacyidea (git)-[master] % ykchalresp -2 0000
8e81666adcad08f48ace1b94bda04cd08c7f92d0
cornelius@puckel ~/src/privacyidea (git)-[master] %

I forced privacyIDEA to use a challenge “30303030”, which is hex encoded
for “0000”. When I pass this binary string 0000 to ykchalresp, I get the
same response.

Kind regards
Cornelius


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Oh see,

ykchalresp can also take a hex encoded string:

cornelius@puckel ~/src/privacyidea (git)-[master] % privacyidea --nosslcheck -U https://localhost/bla --admin=admin machine authitem --hostname localhost --application luks
Please enter password for 'admin':
{ u'status': True,
  u'value': { u'luks': [ { u'challenge': u'fbbb392958123452f9866785c4a684018000e5df8cc6ce7c6f890f0a01450a68',
                           u'partition': u'/dev/sdb7',
                           u'response': u'851123628fe960812a1e56b5b7e95e3e865a39b2',
                           u'slot': u'3'}]}}
cornelius@puckel ~/src/privacyidea (git)-[master] % ykchalresp -2 -x fbbb392958123452f9866785c4a684018000e5df8cc6ce7c6f890f0a01450a68
851123628fe960812a1e56b5b7e95e3e865a39b2

Kind regards
Cornelius


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)
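The hex-versus-binary mix-up behind Jochen's mismatch, and the `-x` fix from Cornelius's second message, can be reproduced in software. The following is an added example, not code from the thread, privacyIDEA or yubikey-luks: it models a slot in HMAC-SHA1 challenge-response mode (variable-length challenge, as with `-ohmac-lt64`) with a constructed 20-byte secret, computes the response for the authitem challenge decoded from hex (what `ykchalresp -x` does) and for the hex characters taken literally (what `ykchalresp` without `-x` does), and checks a constructed authitem the way a LUKS enrolment would have to.

```python
import hmac
import hashlib

# Constructed 20-byte HMAC-SHA1 secret. A real slot secret is programmed
# with ykpersonalize and shared only between the YubiKey and privacyIDEA.
SECRET = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")


def yubikey_hmac_sha1_response(secret: bytes, challenge: bytes) -> str:
    """Software model of a chal-hmac slot: HMAC-SHA1 over the raw
    challenge bytes, returned as the 40-character hex string that
    ykchalresp prints."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def response_for_authitem(secret: bytes, challenge_hex: str) -> str:
    """privacyIDEA's authitem carries the challenge hex-encoded, so it
    must be decoded to bytes first (this is what `ykchalresp -x` does)."""
    return yubikey_hmac_sha1_response(secret, bytes.fromhex(challenge_hex))


def response_for_literal_hex(secret: bytes, challenge_hex: str) -> str:
    """What `ykchalresp -2 <hex string>` without -x computes: the ASCII
    characters of the hex string are used as the challenge bytes."""
    return yubikey_hmac_sha1_response(secret, challenge_hex.encode("ascii"))


def verify_authitem(secret: bytes, item: dict) -> bool:
    """Check that the response privacyIDEA stored for a LUKS slot is the
    one the key produces for its challenge; constant-time comparison."""
    expected = response_for_authitem(secret, item["challenge"])
    return hmac.compare_digest(expected, item["response"])


def demo() -> dict:
    # "30303030" is the hex encoding of the four ASCII bytes "0000", so
    # decoding the authitem challenge and typing 0000 must agree.
    via_hex = response_for_authitem(SECRET, "30303030")
    via_binary = yubikey_hmac_sha1_response(SECRET, b"0000")
    # Constructed authitem in the shape privacyIDEA returns.
    item = {"challenge": "30303030", "partition": "/dev/sdX7",
            "response": via_hex, "slot": "2"}
    return {"via_hex": via_hex, "via_binary": via_binary,
            "literal_hex": response_for_literal_hex(SECRET, "30303030"),
            "authitem_ok": verify_authitem(SECRET, item)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a 32-byte challenge such as the ones in the thread, `response_for_literal_hex` hashes 64 ASCII bytes instead of the intended 32, which is exactly why the `-x`-less invocation printed a different response.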