Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:31 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Sat Mar 16, 2013 10:04 pm 
Offline

Joined: Sat Mar 09, 2013 5:53 am
Posts: 4
I have the following rules in /etc/udev/rules.d/90-yubikey.rules:

Code:
ACTION=="remove", ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykgone"
ACTION=="add",      ENV{ID_VENDOR}=="Yubico", RUN+="/usr/local/bin/ykhere"

The "remove" rule works great, but the "add" rule is causing problems. With the "add" rule in place, inserting the yubikey causes /usr/local/bin/ykhere to be executed many times a second, the LED on the yubikey to flash at about the same rate, and the yubikey to stop responding to button presses with an OTP token key sequence (but the OTP loss may be because /usr/local/bin/ykhere is generating so many HMAC-SHA1 challenges.)

How can I modify the "add" line so that /usr/local/bin/ykhere is only run once when the key is inserted, and the OTP button works as usual the rest of the time

This is on lubuntu 12.10, with packages yubikey-personalization 1.7.0-1, libyubikey0 1.8-1. yubikey firmware version 2.3.3.

The script /usr/local/bin/ykhere is

Code:
#!/bin/bash

if [ -n "$(lsusb | grep Yubikey)" ] ; then
    /bin/su coventry -c /usr/local/bin/unlock
fi


And /usr/local/bin/unlock is

#!/bin/bash

Code:
if [ "`~/bin/chalresp.py `" == "OK" ]; then
    pkill xscreensaver
fi


And finally, this is chalresp.py:

Code:
#!/usr/bin/python

import subprocess, os, re

recpath = os.path.expanduser('~/.ykchalresp')

chal, resp = open(recpath).read().strip().split()

def make_resp(chal):
    return subprocess.check_output(['ykchalresp', '-2', '-H', chal]
                                   ).strip()

tresp = make_resp(chal)

if tresp == resp:
    # Challenge succeeded; make a new challenge for next time
    nresp = make_resp(tresp)
    print >> open(recpath, 'w'), tresp, nresp
    print 'OK'
    exit(0)
else:
    print 'Failed'
    exit(1)


I can "fix" the problem by putting a "sleep 20" after "pkill xscreensaver" in /usr/local/bin/unlock and a "service udev restart" after calling /usr/local/bin/unlock in /usr/local/bin/ykhere. But that's kind of a horrendous abuse.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Mar 18, 2013 5:40 am 
Offline

Joined: Sat Mar 09, 2013 5:53 am
Posts: 4
"sleep 20" and "pkill xscreensaver" was proving unreliable, in that I still wasn't getting OTPs from a keypress, and the LED would occasionally start flashing again. So I've worked around it for now by replacing the "add" rule with something which tracks the state of the screensaver.

Code:
#!/bin/bash

function yubiwait() {
    while [ "`~/bin/chalresp.py 2> /dev/null`" != "OK" ] ; do sleep 0.05 ; done
    killall xscreensaver
}

( while [ /bin/true ] ; do xscreensaver-command -watch ; done ) \
    | while read a ; do
        echo $a | grep "^LOCK" && yubiwait
      done


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group