Last active Aug 28, 2018
Yubikey Authentication for Qubes
#!/bin/bash
# /etc/pam.d/system-auth
## auth [success=done default=ignore] expose_authtok quiet /usr/local/bin/yubikey-auth 1a2b3c.. 4d5e6f..
# Usage: yubikey-auth <yubikeyresp-hash> <bypasshash>
# With expose_authtok, PAM hands the typed password to this script on stdin;
# head -c -1 drops the final byte (the terminator pam_exec appends, or echo's newline during setup).
vm=sys-usb   # VM that holds the USB controllers and the YubiKey (assumed from the setup notes below)
input="x$(head -c -1)"
qvm-start $vm --skip-if-running -q
# Challenge the YubiKey (slot 2) inside the USB VM and hash its response; only the hash leaves this script.
response=$(echo -n "$input" | qvm-run --nogui -u root -p $vm 'ykchalresp -2 -i-' | sha256sum | cut -d ' ' -f 1)
echo "yubikey: " $response
if [ "x$response" = "x$1" ] ; then
    exit 0
fi
# Fallback: plain SHA-256 of the typed passphrase, for the no-YubiKey backup password.
bypasspw=$(echo -n "$input" | sha256sum | cut -d ' ' -f 1)
echo "sha256:" $bypasspw
if [ "x$bypasspw" = "x$2" ] ; then
    exit 0
fi
exit 1

Joeviocoe commented Feb 10, 2018

In sys-usb:

  1. Install ykpers
  2. Ensure sys-usb has PCI USB controllers attached and the VM is set to auto-start.
  3. Run ykchalresp -2 <testchallenge> to ensure you get a response. Edit the slot number if needed.

If yubikey challenge/response is not set up, initialize the yubikey challenge/response slot.
Warning: Do not perform initialization if this yubikey slot is used for other systems.
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

In dom0:

  1. Copy script to /usr/local/bin/yubikey-auth
    Make executable and set permissions: chmod 755 /usr/local/bin/yubikey-auth

  2. Create hashes:
    echo My_Yubikey_Challenge_PW | yubikey-auth
    copy the "yubikey" response hash (<yubikeyresp>)
    echo My_Long_Backup_Passphrase | /usr/local/bin/yubikey-auth
    copy the "sha256" hash (<bypasshash>)
    Don't use both hashes from a single command output, as that would result in the yubikey challenge working with or without the yubikey inserted.

  3. Backup /etc/pam.d/system-auth
    Recommended to make a backup, as this controls all login authentication.
    First copy to a backup file, then put a command in /etc/init.d/ to revert the backup upon boot.
    Remove this command only after you verify this works.

  4. Edit /etc/pam.d/system-auth
    Add line (with your hashes) just above the existing "auth" rules:
    auth [success=done default=ignore] expose_authtok quiet /usr/local/bin/yubikey-auth <yubikeyresp> <bypasshash>

  5. Testing
    The best way to test is on another terminal screen (ctrl-alt-f2), since this won't lock you out of your existing session (ctrl-alt-f1).

  • Test My_Yubikey_Challenge_PW with/without yubikey inserted
  • Test My_Long_Backup_Passphrase
  • Test blank and wrong passwords with/without yubikey inserted
  • Your existing password will still work too; hopefully that is strong as well.
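
The test matrix above, and the "both hashes from one output" caveat in step 2, can be checked offline with the following added example (not the gist's own code): it reproduces yubikey-auth's decision logic in bash, but replaces the real ykchalresp -2 call in sys-usb with a keyed-hash stand-in (a constructed secret prefixed to the challenge, then SHA-1), so no dom0, sys-usb or YubiKey is needed.

```bash
# Added example, not the gist's code: models yubikey-auth's decision logic offline
# so the two-factor property and the "both hashes from one output" footgun from
# step 2 can be checked without dom0, sys-usb or a real YubiKey. Assumption: the
# YubiKey slot is a keyed-hash stand-in (constructed secret + challenge, SHA-1)
# in place of the real ykchalresp -2 call.
SIM_SECRET="constructed-slot2-secret"   # constructed; stands in for the slot's HMAC key
KEY_INSERTED=1                          # set to 0 to simulate pulling the YubiKey

# Stand-in for `ykchalresp -2 -i-`: keyed hash of stdin, or failure when no key is present.
sim_ykchalresp() {
    [ "$KEY_INSERTED" = 1 ] || return 1
    { printf '%s' "$SIM_SECRET"; cat; } | sha1sum | cut -d ' ' -f 1
}

# Same decision as yubikey-auth: $1 = enrolled challenge-response hash,
# $2 = enrolled bypass hash; the password arrives on stdin as with expose_authtok.
yubikey_auth() {
    local input response bypasspw
    input="x$(head -c -1)"
    response=$(printf '%s' "$input" | sim_ykchalresp | sha256sum | cut -d ' ' -f 1)
    [ "x$response" = "x$1" ] && return 0
    bypasspw=$(printf '%s' "$input" | sha256sum | cut -d ' ' -f 1)
    [ "x$bypasspw" = "x$2" ] && return 0
    return 1
}
# The two hashes the real script prints at enrollment for a given typed password.
yk_hash() { printf 'x%s' "$1" | sim_ykchalresp | sha256sum | cut -d ' ' -f 1; }
pw_hash() { printf 'x%s' "$1" | sha256sum | cut -d ' ' -f 1; }

# Correct enrollment (hashes taken from two different passwords) run through the
# comment's test matrix. Returns 0 only when every expectation holds.
check_matrix() {
    local yk bp
    KEY_INSERTED=1; yk=$(yk_hash My_Yubikey_Challenge_PW); bp=$(pw_hash My_Long_Backup_Passphrase)
    echo My_Yubikey_Challenge_PW   | yubikey_auth "$yk" "$bp" || return 1   # key present: accept
    KEY_INSERTED=0
    echo My_Yubikey_Challenge_PW   | yubikey_auth "$yk" "$bp" && return 1   # key removed: reject
    echo My_Long_Backup_Passphrase | yubikey_auth "$yk" "$bp" || return 1   # backup passphrase: accept
    echo wrong_password            | yubikey_auth "$yk" "$bp" && return 1   # wrong password: reject
    echo                           | yubikey_auth "$yk" "$bp" && return 1   # blank password: reject
    return 0
}

# Misconfiguration: both hashes copied from ONE enrollment output, so the bypass hash
# is sha256 of the challenge password itself. Returns 0 = accepted WITHOUT the key.
check_footgun() {
    local yk bp
    KEY_INSERTED=1; yk=$(yk_hash My_Yubikey_Challenge_PW); bp=$(pw_hash My_Yubikey_Challenge_PW)
    KEY_INSERTED=0; echo My_Yubikey_Challenge_PW | yubikey_auth "$yk" "$bp"
}
```

Source the file and call `check_matrix` and `check_footgun`; the second returning success is exactly the failure mode the note in step 2 warns about.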
