Yubikey Authentication for Qubes
```bash
#!/bin/bash
# /etc/pam.d/system-auth
## auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth 1a2b3c.. 4d5e6f..

# pam_exec (expose_authtok) writes the typed password to stdin; read all of it.
# 'head -c -0' is GNU head ("all but the last 0 bytes"). The "x" prefix means
# $input is never empty and never starts with "-", so echo below cannot
# mistake it for an option.
input="x$(head -c -0)"
vm='sys-usb'
# The YubiKey is attached to sys-usb, so make sure that VM is running first.
qvm-start "$vm" --skip-if-running -q
# Send the password as the HMAC challenge to slot 2 inside sys-usb and hash the
# response. 'sg qubes' runs qvm-run with the 'qubes' group that qvm-* tools need.
response=$(echo -n "$input" | sg qubes "qvm-run --nogui -u root -p $vm 'ykchalresp -2 -i-'" | sha256sum | cut -d ' ' -f 1)
echo "yubikey: " $response   # visible when run by hand; 'quiet' hides it under PAM
# $1: expected hash of the YubiKey response
if [ "x$response" = "x$1" ] ; then
  exit 0
fi
# Fallback: unsalted SHA-256 of the password itself, for a (long) backup passphrase.
bypasspw=$(echo -n "$input" | sha256sum | cut -d ' ' -f 1)
echo "sha256:" $bypasspw
# $2: expected hash of the backup passphrase
if [ "x$bypasspw" = "x$2" ] ; then
  exit 0
fi
exit 1
```
In sys-usb:

1. Ensure sys-usb has the PCI USB controllers attached and the VM is set to auto-start.
2. Run
   ykchalresp -2 <testchallenge>
   to ensure you get a response. Edit the slot number if needed.

In dom0:

1. Copy the script to /usr/local/bin/yubikey-auth
2. Make it executable and set permissions:
   chmod 755 /usr/local/bin/yubikey-auth
3. Create the hashes:
   echo -n My_Yubikey_Challenge_PW | yubikey-auth
   copy the "yubikey" response hash (<yubikeyresp>)
   echo -n My_Long_Backup_Passphrase | /usr/local/bin/yubikey-auth
   copy the "sha256" hash (<bypasshash>)
   * Don't use both hashes from a single command output, as the yubikey challenge passphrase would then be accepted with or without the yubikey inserted.
4. Backup /etc/pam.d/system-auth
5. Edit /etc/pam.d/system-auth and add this line (with your hashes) just above the existing "auth" rules:
   auth [success=done default=ignore] pam_exec.so expose_authtok quiet /usr/local/bin/yubikey-auth <yubikeyresp> <bypasshash>

Testing

The best way to test is on another terminal screen (ctrl-alt-f2), since this won't lock you out of your existing session (ctrl-alt-f1).
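Before touching /etc/pam.d, the decision logic can be exercised offline. The script below is an added example, not the gist's code: it models yubikey-auth with a constructed stand-in for the YubiKey slot (a keyed SHA-1 digest in place of the real HMAC-SHA1) and shows why the two hashes must come from separate runs.

```bash
#!/bin/sh
# Added example, not the gist's code: an offline model of yubikey-auth's
# decision logic with a constructed stand-in for the YubiKey slot, used
# to show why <yubikeyresp> and <bypasshash> must come from different runs.

# Stand-in for 'ykchalresp -2 -i-' (constructed): a keyed digest of the
# challenge read from stdin. A real key computes HMAC-SHA1 with its slot
# secret; the exact function does not matter for the comparison logic.
MOCK_SLOT_SECRET="constructed-example-secret"
mock_ykchalresp() {
    { printf '%s' "$MOCK_SLOT_SECRET"; cat; } | sha1sum | cut -d ' ' -f 1
}

# Same derivation as the gist: prefix the passphrase with "x", then hash
# either the key's response (key_hash) or the raw input (bypass_hash).
key_hash()    { printf 'x%s' "$1" | mock_ykchalresp | sha256sum | cut -d ' ' -f 1; }
bypass_hash() { printf 'x%s' "$1" | sha256sum | cut -d ' ' -f 1; }

# verify PASSPHRASE YUBIKEYRESP BYPASSHASH present|absent
# Returns 0 (accept) or 1 (reject), mirroring the PAM hook's exit codes.
# With the key absent the response branch is skipped, as the real
# ykchalresp call in sys-usb would fail and never match.
verify() {
    if [ "$4" = present ]; then
        response=$(printf 'x%s' "$1" | mock_ykchalresp | sha256sum | cut -d ' ' -f 1)
        if [ "x$response" = "x$2" ]; then return 0; fi
    fi
    bypasspw=$(printf 'x%s' "$1" | sha256sum | cut -d ' ' -f 1)
    if [ "x$bypasspw" = "x$3" ]; then return 0; fi
    return 1
}

# Enrolment done as the instructions say: two passphrases, two runs.
YK=$(key_hash "My_Yubikey_Challenge_PW")
BYPASS_OK=$(bypass_hash "My_Long_Backup_Passphrase")
# Enrolment mistake the instructions warn about: both hashes from one run.
BYPASS_BAD=$(bypass_hash "My_Yubikey_Challenge_PW")

report() {  # report LABEL PASSPHRASE YUBIKEYRESP BYPASSHASH present|absent
    if verify "$2" "$3" "$4" "$5"; then echo "$1, key $5: accepted"
    else echo "$1, key $5: rejected"; fi
}
report "separate hashes, challenge PW" "My_Yubikey_Challenge_PW" "$YK" "$BYPASS_OK" present   # accepted
report "separate hashes, challenge PW" "My_Yubikey_Challenge_PW" "$YK" "$BYPASS_OK" absent    # rejected
report "separate hashes, backup PW"    "My_Long_Backup_Passphrase" "$YK" "$BYPASS_OK" absent  # accepted
report "same-run hashes, challenge PW" "My_Yubikey_Challenge_PW" "$YK" "$BYPASS_BAD" absent   # accepted: key adds nothing
```

The last line is the failure mode the instructions describe: with <bypasshash> taken from the same output as <yubikeyresp>, the challenge passphrase alone unlocks the account whether or not the key is plugged in.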