Closed shibumi closed 4 years ago
Mh, okay, I read your README and I see in your screencast that your key icon appears while doing `sudo -s`.
So what did you do differently?
When I do `sudo -s` there is no notification via yubikey-touch-detector, although the yubikey is asking for a button press.
Hey 👋
Interesting! It works for me because I'm personally not using HMAC on my Yubikey, I use U2F, and my `sudo -s` is configured via the `pam-u2f` module as per these docs.
However I think adding support for HMAC would be quite cool, maybe I could encourage you to look into this? 😉
Here's what I did in order to add support for U2F:
- `pam-u2f` to signal when it is waiting for a touch by opening and closing a special file (PR for reference) - I imagine `yubico-pam` would require a similar modification.
- `u2f.go` detector that uses inotify to watch that special file for "open" and "closed" events.
I'm not sure when I'll be able to get to do this myself for HMAC, so a PR would be very welcome 🙂
Hi, thanks for the fast reply :)
I didn't know that `pam-u2f` exists, always cool to learn something new. Do you know if `pam-u2f` is the successor of `yubico-pam`? Because doing it via `u2f` sounds far more convenient for me. I wouldn't need to waste/configure a second slot just for this purpose. Right now, I have `yubico-otp` on slot 1 and `hmac challenge` on slot 2. With `pam-u2f` I guess I would just need one slot and could use slot 2 for a static password or something else.
But if you use `yubico otp` for `u2f`, doesn't this mean that you need internet access to contact the yubico OTP servers?
Do you know if waiting for a HMAC challenge is even possible? I tried using `ykinfo` while the yubikey waits for the HMAC challenge, but ykinfo will just prompt an error, because two operations at the same time are invalid.
I am not sure now if I should switch over to `u2f` (this looks much cooler, because one slot more to use) or if I stay with HMAC.
> Because doing it via `u2f` sounds far more convenient for me. I wouldn't need to waste/configure a second slot just for this purpose. Right now, I have yubico-otp on slot 1 and hmac challenge on slot 2. With pam-u2f I guess I would just need one slot and could use slot 2 for a static password or something else.

Even better, U2F is not using OTP slots at all, in fact I have OTP functionality completely disabled on my Yubikey:

```
❯ lsusb
Bus 001 Device 007: ID 1050:0406 Yubico.com Yubikey 4 U2F+CCID
```

So yeah, you would be able to free up your second slot!

> But if you use yubico otp for u2f, doesn't this mean that you need internet access to contact the yubico OTP servers?

Because of the above, the answer is "no", otp is not involved here at all :)

> Do you know if `pam-u2f` is the successor of `yubico-pam`?

It's definitely not a successor, in fact in 2017 those guys claimed that `pam-u2f` is outdated and is going to be replaced with something else, but later in 2018 they seem to have removed that statement...

> Do you know if waiting for a HMAC challenge is even possible? I tried using ykinfo while the yubikey waits for the HMAC challenge, but ykinfo will just prompt an error, because two operations at the same time are invalid.

If I understand correctly what you mean, I think it will have to be custom code in `yubico-pam`, it knows when it begins to wait for the HMAC challenge and it knows when it receives it or times out. This was the case for U2F as well, that's why I had to go for implementing some sort of "external signal" in the form of a special file that will be opened and closed...

> I am not sure now if I should switch over to `u2f` (this looks much cooler, because one slot more to use) or if I stay with HMAC.

I have been using U2F for quite some time and I'm very happy with it. It seems like you can think of some ways to make use of another OTP slot if one became available, so I'd say go for it! U2F can also be used as 2FA on sites like google.com / github.com, so you will probably use this technology anyway 😉
I'll keep this issue open anyways, HMAC can be useful for some people for other non-sudo things, so it would be cool if yubikey-touch-detector could support that technology anyway 🙂
> Even better, U2F is not using OTP slots at all, in fact I have OTP functionality completely disabled on my Yubikey:
> ❯ lsusb
> Bus 001 Device 007: ID 1050:0406 Yubico.com Yubikey 4 U2F+CCID
> So yeah, you would be able to free up your second slot!

Not sure if you got what I mean, or if I just interpret your code block wrong, but with 'slot' I mean the slot inside of the yubikey (short press vs long press). And as far as I know, the yubikey is preconfigured with OTP on slot 1 and U2F/FIDO uses that OTP challenge (correct me if wrong). :)

> But if you use yubico otp for u2f, doesn't this mean that you need internet access to contact the yubico OTP servers?
> Because of the above, the answer is "no", otp is not involved here at all :)

Looks like you have tested it, so it works without internet access. Interesting!
> It's definitely not a successor, in fact in 2017 those guys claimed that `pam-u2f` is outdated and is going to be replaced with something else, but later in 2018 they seem to have removed that statement...
> Do you know if waiting for a HMAC challenge is even possible? I tried using ykinfo while the yubikey waits for the HMAC challenge, but ykinfo will just prompt an error, because two operations at the same time are invalid.
> If I understand correctly what you mean, I think it will have to be custom code in `yubico-pam`, it knows when it begins to wait for the HMAC challenge and it knows when it receives it or times out. This was the case for U2F as well, that's why I had to go for implementing some sort of "external signal" in the form of a special file that will be opened and closed...

Ok, I have checked both repositories and it seems that the yubico devs stopped working on `yubico-pam` (last release April 2018). The `pam-u2f` module has its last release in 2019. I think I will move over to `pam-u2f`. It's far more convenient, the pam module is still maintained and I will have a slot more for configuration... yikes. I should have asked you earlier :D

> I have been using U2F for quite some time and I'm very happy with it. It seems like you can think of some ways to make use of another OTP slot if one became available, so I'd say go for it! U2F can also be used as 2FA on sites like google.com / github.com, so you will probably use this technology anyway
> I'll keep this issue open anyways, HMAC can be useful for some people for other non-sudo things, so it would be cool if yubikey-touch-detector could support that technology anyway

Sure, I've read HMAC is still useful for certain applications.
> And as far as I know, the yubikey is preconfigured with OTP on slot 1 and U2F/FIDO uses that OTP challenge (correct me if wrong). :) Looks like you have tested it, so it works without internet access. Interesting!

I'm not sure myself about how it's implemented exactly, but I can definitely use Yubikey to enter `sudo -s` without internet access! 😄 So probably U2F/FIDO is not using that OTP challenge...
A couple of interesting notes:
- 1.5.0, now it doesn't depend on `pam-u2f` and can e.g. detect U2F requests in the browsers on https://webauthn.io/ - this works by watching `/dev/hidraw*` devices directly now. I was hoping this would also work for HMAC challenge responses but I couldn't get any events for it - maybe will inspire someone.
- `sudo` specifically, in case you have YubiKey 5, it supports FIDO2 now which allows you to additionally ask for PIN for `sudo`, not only touch - something to play with 🙂 It doesn't exactly work for me yet, but hopefully this will be figured out soon.

Nice, I didn't know that FIDO2 supports touch + PIN.
@shibumi, @myelsukov: do you guys want to test the HMAC detector in 1.6.0? 🙂

Sure

Cool! 1.6.0 is a new release that already contains the change, just grab the binary from Github or your favorite distro and let me know if you can catch a buggy scenario 😉
Hi, I use HMAC challenge responses for authenticating for sudo and logins on linux. It would be cool if you could support this as well.
I wrote a blog article about HMAC challenge responses:
https://nullday.de/posts/login-via-yubikey-on-linux/