On Tue, Sep 06, 2016 at 12:34:49PM -0700, Peter Ihasz wrote:
> On Tuesday, September 6, 2016 at 18:39:58 UTC+1, Peter Ihasz wrote:
> > On Monday, September 5, 2016 at 21:09:33 UTC+1, Marek
> > Marczykowski-Górecki wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > > On Mon, Sep 05, 2016 at 12:57:33PM -0700, Peter Ihasz wrote:
> > > > Hi!
> > > >
> > > > Unfortunately, I can't login with yubikey and yubikey linked password.
> > > >
> > > > Here is my config:
> > > >
> > > > 1,
> > > > yubikey linked password: apple
> > > >
> > > > echo -n "apple" | openssl dgst -sha1
> > > > yubikey linked password: d0be2dc421be4fcd0172e5afceea3970e2f3d940
> > > >
> > > > yubikey-personalization-gui
> > > >
> > > > LOGGING START,9/4/16 9:10 PM
> > > > Challenge-Response: HMAC-SHA1,9/4/16 9:10
> > > > PM,2,,,04c21478245c36861b9f946e0d9388d5ebbb909d,,,0,0,0,0,0,0,0,0,0,1
> > > >
> > > > usbvm name: sys-usb
> > > >
> > > >
> > > > 2,
> > > > in dom0
> > > > chmod 755 yubikey-auth
> > > > /usr/local/bin/yubikey-auth
> > > >
> > > > #!/bin/sh
> > > >
> > > > key="$1"
> > > >
> > > > if [ -z "$key" ]; then
> > > >     echo "Usage: $0 <AESKEY> [<PASSWORD-HASH>]"
> > > >     exit 1
> > > > fi
> > > >
> > > > # if password has given, verify it
> > > > if [ -n "$2" ]; then
> > > >     # PAM appends \0 at the end
> > > >     hash=`head -c -1 | openssl dgst -sha1 -r | cut -f1 -d ' '`
> > > >     if [ "x$2" != "x$hash" ]; then
> > > >         exit 1
> > > >     fi
> > > > fi
> > > >
> > > > challenge=`head -c64 /dev/urandom | xxd -c 64 -ps`
> > > > # You may need to adjust slot number and USB VM name here
> > > > response=`qvm-run -u root --nogui -p sys-usb "ykchalresp -2 -x
> > > > $challenge"`
> > > >
> > > > correct_response=`echo $challenge | xxd -r -ps | openssl dgst -sha1
> > > > -macopt hexkey:$key -mac HMAC -r | cut -f1 -d ' '`
> > > >
> > > > test "x$correct_response" = "x$response"
> > > > exit $?
> > > >
> > > > 3,
> > > >
> > > > /etc/pam.d/kscreensaver (KDE desktop environment)
> > > >
> > > > auth [success=done default=ignore] pam_exec.so expose_authtok quiet
> > > > /usr/local/bin/yubikey-auth 04c21478245c36861b9f946e0d9388d5ebbb909d
> > > > d0be2dc421be4fcd0172e5afceea3970e2f3d940
> > >

(...)

> But I have got a new....
>
> Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_exec(kscreensaver:auth):
> /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_exec(kscreensaver:auth):
> /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:53 dom0 unix_chkpwd[8809]: password check failed for user
> (tacsk0)
> Sep 06 20:22:53 dom0 kcheckpass[8777]: pam_unix(kscreensaver:auth):
> authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser=
> rhost= user=tacsk0
> Sep 06 20:22:53 dom0 kcheckpass[8777]: Authentication failure for tacsk0
> (invoked by uid 1000)
> Sep 06 20:22:53 dom0 unix_chkpwd[8808]: password check failed for user
> (tacsk0)
> Sep 06 20:22:53 dom0 kcheckpass[8776]: pam_unix(kscreensaver:auth):
> authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser=
> rhost= user=tacsk0
> Sep 06 20:22:53 dom0 kcheckpass[8776]: Authentication failure for tacsk0
> (invoked by uid 1000)
> Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_exec(kscreensaver:auth):
> /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:22:59 dom0 unix_chkpwd[8846]: password check failed for user
> (tacsk0)
> Sep 06 20:22:59 dom0 kcheckpass[8815]: pam_unix(kscreensaver:auth):
> authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser=
> rhost= user=tacsk0
> Sep 06 20:22:59 dom0 kcheckpass[8815]: Authentication failure for tacsk0
> (invoked by uid 1000)
> Sep 06 20:23:06 dom0 kcheckpass[8847]: pam_exec(kscreensaver:auth):
> /usr/local/bin/yubikey-auth failed: exit code 1
> Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_exec(kscreensaver:auth):
> /usr/local/bin/yubikey-auth failed: exit code 2
> Sep 06 20:23:14 dom0 unix_chkpwd[8858]: password check failed for user
> (tacsk0)
> Sep 06 20:23:14 dom0 kcheckpass[8816]: pam_unix(kscreensaver:auth):
> authentication failure; logname=tacsk0 uid=1000 euid=1000 tty=:0 ruser=
> rhost= user=tacsk0
> Sep 06 20:23:14 dom0 kcheckpass[8816]: Authentication failure for tacsk0
> (invoked by uid 1000)
> Sep 06 20:23:17 dom0 sudo[8865]: tacsk0 : TTY=pts/6 ; PWD=/usr/local/bin ;
> USER=root ; COMMAND=/bin/journalctl -eb

I don't see how that script could fail with code 2...
Anyway, try to remove the "quiet" option to see more details.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
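
The two checks the quoted yubikey-auth script performs, modelled in Python so they can be exercised without PAM or a token. This is an added example, not part of the thread or of the Qubes script: `verify`, `software_token` and `DEMO_KEY` are hypothetical names, the key is constructed, and the token is simulated in software.

```python
import hashlib
import hmac
import os

# Constructed 20-byte HMAC-SHA1 secret for the demo (not the key from the thread).
DEMO_KEY = "00112233445566778899aabbccddeeff00112233"


def password_hash(authtok: bytes) -> str:
    # Mirrors `head -c -1 | openssl dgst -sha1`: the last byte is dropped
    # unconditionally, on the assumption that PAM appended a NUL.
    return hashlib.sha1(authtok[:-1]).hexdigest()


def expected_response(hex_key: str, challenge: bytes) -> str:
    # Mirrors `openssl dgst -sha1 -mac HMAC -macopt hexkey:$key`.
    return hmac.new(bytes.fromhex(hex_key), challenge, hashlib.sha1).hexdigest()


def software_token(hex_key: str):
    # Stand-in for `ykchalresp -2 -x` run in the USB VM (assumption: hex out).
    return lambda challenge: expected_response(hex_key, challenge) + "\n"


def verify(hex_key: str, pw_hash: str, authtok: bytes, token) -> str:
    # Returns the failing stage by name; the shell script exits 1 for both.
    if pw_hash:
        got = password_hash(authtok)
        if not hmac.compare_digest(got.encode(), pw_hash.lower().encode()):
            return "password-mismatch"
    challenge = os.urandom(64)  # fresh per attempt, as in the script
    response = token(challenge).strip().lower()
    want = expected_response(hex_key, challenge)
    if not hmac.compare_digest(response.encode(), want.encode()):
        return "response-mismatch"
    return "ok"


if __name__ == "__main__":
    apple = hashlib.sha1(b"apple").hexdigest()
    good = software_token(DEMO_KEY)
    print(verify(DEMO_KEY, apple, b"apple\0", good))        # NUL-terminated token
    print(verify(DEMO_KEY, apple, b"apple", good))          # no NUL: 'e' is cut off
    print(verify(DEMO_KEY, apple, b"apple\0", software_token("ff" * 20)))
```

Naming the failing stage separates a password-hash mismatch from a challenge-response mismatch, which the single exit status of the shell script does not.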
