document Yubikey qubes-dom0-yubikey / qubes-app-yubikey #3307

Open
adrelanos opened this Issue Nov 13, 2017 · 9 comments

adrelanos commented Nov 13, 2017

https://www.qubes-os.org/doc/yubi-key/ is out of date. https://github.com/QubesOS/qubes-app-yubikey is in Qubes repository, but undocumented. Couldn't make it work, so also cannot document it.

yubikey settings:

  • configuration slot 2
  • HMAC-SHA1
  • HMAC-SHA1 mode Variable input
  • secret key including spaces (a space after every two characters)

That secret I copied to dom0 /etc/qubes/yk-keys/yk-secret-key.hex. (Including the space every two characters.)

test "x$correct_response" = "x$response" will show different strings, hence the script fails exiting 1.


adrelanos commented Nov 13, 2017

Looks like https://github.com/QubesOS/qubes-app-yubikey/blob/master/bin/yk-auth requires HMAC-SHA1 mode fixed 64 bit input. That works for me. HMAC-SHA1 mode Variable input does not work.
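The mismatch in the opening comment and the mode requirement above come down to two host-side details: the secret must be used as 20 raw bytes (so the spaces the personalization tool prints have to be stripped), and the host's HMAC-SHA1 must be computed over exactly the bytes the key HMACs. The following is an added example in Python, not the project's yk-auth script, that models both sides of the exchange. The sample secret (RFC 2202 test key 1, written with the tool's spacing) is constructed, and the variable-input rule it models (the key treats the last byte of the 64-byte buffer as padding and strips every trailing byte equal to it) is my reading of the YubiKey manual, not something stated on this page.

```python
import hashlib
import hmac
import os
from typing import Optional

CHALLENGE_LEN = 64  # the challenge reaches the key in a 64-byte HID buffer

# Constructed sample secret, shown the way the personalization tool prints
# it (a space after every two hex characters). It is RFC 2202 HMAC-SHA1
# test key 1, so the host side can be checked against a known vector.
SECRET_AS_DISPLAYED = " ".join(["0b"] * 20)


def load_secret_hex(text: str) -> bytes:
    """Parse the 20-byte HMAC-SHA1 secret, tolerating the tool's spacing.

    A file copied verbatim from the tool keeps the spaces; they must be
    removed before the hex is decoded into the raw key.
    """
    cleaned = "".join(text.split())
    key = bytes.fromhex(cleaned)
    if len(key) != 20:
        raise ValueError(f"expected a 20-byte secret, got {len(key)} bytes")
    return key


def host_expected(secret: bytes, challenge: bytes) -> str:
    """Host side: HMAC-SHA1 over exactly the bytes it sent to the key."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def variable_mode_message(buf: bytes) -> bytes:
    """Assumed model of the key's variable-input mode (my reading of the
    YubiKey manual, not taken from the issue): the key always receives the
    full 64-byte buffer, treats its last byte as padding and strips every
    trailing byte equal to it. A host that fills all 64 bytes with random
    data therefore gets an HMAC over at most 63 of them.
    """
    if len(buf) != CHALLENGE_LEN:
        raise ValueError("the key always sees a 64-byte buffer")
    return buf.rstrip(buf[-1:])


def key_response(secret: bytes, buf: bytes, fixed_64_byte: bool) -> str:
    """Model of the key's answer under either personalization setting."""
    msg = buf if fixed_64_byte else variable_mode_message(buf)
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def verify(secret: bytes, challenge: bytes, response_hex: str) -> bool:
    """Constant-time comparison instead of a shell `test "x$a" = "x$b"`."""
    return hmac.compare_digest(host_expected(secret, challenge),
                               response_hex.strip().lower())


def round_trip(secret_text: str, fixed_64_byte: bool,
               challenge: Optional[bytes] = None) -> bool:
    """Full exchange: host picks a 64-byte challenge, key answers, host checks."""
    secret = load_secret_hex(secret_text)
    if challenge is None:
        challenge = os.urandom(CHALLENGE_LEN)
    response = key_response(secret, challenge, fixed_64_byte)
    return verify(secret, challenge, response)


if __name__ == "__main__":
    print("fixed 64-byte mode  :", round_trip(SECRET_AS_DISPLAYED, True))
    print("variable-input mode :", round_trip(SECRET_AS_DISPLAYED, False))
```

With a full 64-byte random challenge the fixed-64-byte model verifies and the variable-input model does not, which is the behaviour reported above; a host that wanted variable-input mode would have to send at most 63 bytes plus a padding byte that differs from the last challenge byte, and compute its HMAC over the unpadded part only.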

adrelanos commented Nov 13, 2017

The video referenced under https://www.yubico.com/products/services-software/personalization-tools/challenge-response/ shows HMAC-SHA1 mode Variable input. So currently the documentation is wrong.

What is better anyway, HMAC-SHA1 mode fixed 64 bit input or HMAC-SHA1 mode Variable input?


adrelanos commented Nov 13, 2017

Note to self:
/usr/bin/yk-self


adrelanos commented Nov 13, 2017

Working on it. Pull request soon.

@andrewdavidwong andrewdavidwong added this to the Documentation/website milestone Nov 14, 2017


adrelanos commented Nov 14, 2017

//cc @mig5

I am also mentally processing these blog posts.

I doubt yubi_auth $KEY1 || yubi_auth $KEY2 is necessary. You can just write the same HMAC-SHA1 ("AESKEY") secret into a backup yubikey? Any reason against that?

Once above pull request is merged, I might add on how to optionally set yubikey only and how to use it for login and lightdm.


adrelanos commented Nov 16, 2017

Once above pull request is merged, I might add on how to optionally set yubikey only and how to use it for login and lightdm.

Correction: It's now all documented.

mig5 commented Nov 29, 2017

@adrelanos yes you're right that you could have an exact clone of your primary yubikey, but if that yubikey is stolen or its key compromised in some way, then you can't rely on your backup either since it's identical. So you'd have to regenerate the key on the secondary rather than just revoke the key of the former in your config/script.

I only blogged what works for me :) and yes as per your other issue, I use it in /etc/pam.d/xscreensaver as well as /etc/pam.d/login and /etc/pam.d/lightdm - anything less feels like backdooring yourself with single-factor auth.

Let me know if you would like copies of those files from my system to get the positioning right etc. (I had varying degrees of success depending on how early the 'auth include yubico' was referenced).
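The difference between the two approaches discussed in the last two comments (a backup key programmed with the same secret versus two independently programmed keys accepted with `yubi_auth $KEY1 || yubi_auth $KEY2`) is easiest to see as a small keyring model. This is an added example in Python, not code from the page or from qubes-app-yubikey; the secrets, key names and the fixed-64-byte stand-in for the key's answer are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Constructed secrets for two separately programmed keys.
INDEPENDENT = {
    "yk-primary": bytes.fromhex("0b" * 20),
    "yk-backup": bytes.fromhex("aa" * 20),
}

# Constructed keyring for the clone approach: the same secret in both keys.
CLONED = {
    "yk-primary": bytes.fromhex("0b" * 20),
    "yk-backup": bytes.fromhex("0b" * 20),
}


def key_answers(secret: bytes, challenge: bytes) -> str:
    """Stand-in for a key in fixed 64-byte mode: HMAC-SHA1 over the whole challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).hexdigest()


def matching_key(keyring: Dict[str, bytes], challenge: bytes,
                 response_hex: str) -> Optional[str]:
    """Return the name of the enrolled secret that explains the response, or None.

    This is the `yubi_auth $KEY1 || yubi_auth $KEY2` idea: any enrolled
    secret is accepted, and each is checked in constant time.
    """
    response = response_hex.strip().lower()
    for name, secret in keyring.items():
        expected = hmac.new(secret, challenge, hashlib.sha1).hexdigest()
        if hmac.compare_digest(expected, response):
            return name
    return None


def revoke(keyring: Dict[str, bytes], name: str) -> Dict[str, bytes]:
    """Drop one enrolled secret from the verifier's configuration."""
    return {k: v for k, v in keyring.items() if k != name}


def stolen_key_still_works(keyring: Dict[str, bytes], stolen: str,
                           challenge: bytes) -> bool:
    """After revoking `stolen` in the config, can the stolen key still log in?"""
    stolen_secret = keyring[stolen]
    remaining = revoke(keyring, stolen)
    response = key_answers(stolen_secret, challenge)
    return matching_key(remaining, challenge, response) is not None


if __name__ == "__main__":
    chal = bytes(range(64))
    print("independent keys, primary stolen and revoked:",
          stolen_key_still_works(INDEPENDENT, "yk-primary", chal))
    print("cloned keys, primary stolen and revoked:     ",
          stolen_key_still_works(CLONED, "yk-primary", chal))
```

With independent secrets, deleting the stolen key's entry is enough; with a clone, the stolen key's responses are indistinguishable from the backup's, so the only remedy is to re-key the backup as well, which is the point made above.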
