Yubico Forum
https://forum.yubico.com/

Challenge-response key format ykpersonalize vs. GUI
https://forum.yubico.com/viewtopic.php?f=30&t=2076

Author:  gaudenz [ Tue Oct 27, 2015 12:57 am ]
Post subject:  Challenge-response key format ykpersonalize vs. GUI

I am trying to set up Challenge-Response Authentication for local pam_yubico usage (and keepassx and maybe even dm-crypt). I would like to have a backup copy of the key stored on an external medium at a safe location in case my YubiKey breaks. So far this all works fine. As long as I just use ykpersonalize, I can recreate the same key with the -a option, and if I just use yubikey-personalization-gui, I can also recreate the same key by entering the same string into the appropriate GUI input field.
But while the key format looks the same in both applications, if I enter the key displayed by ykpersonalize into the input field in the GUI, or if I use the GUI key on the ykpersonalize command line, this does not produce the same key.
Does anyone know how the keys are encoded and how the key displayed by ykpersonalize needs to be transformed to produce the same key when entered into the GUI, or vice versa?

Author:  Tom2 [ Mon Nov 02, 2015 2:05 pm ]
Post subject:  Re: Challenge-response key format ykpersonalize vs. GUI

Are you using the hmac-lt64 option?

Author:  Tom2 [ Mon Nov 02, 2015 2:09 pm ]
Post subject:  Re: Challenge-response key format ykpersonalize vs. GUI

When this option is in effect, the challenge is limited to 63 bytes, but may be less, and any challenge longer than 63 bytes will be truncated to 63.

Author:  gaudenz [ Mon Nov 02, 2015 9:18 pm ]
Post subject:  Re: Challenge-response key format ykpersonalize vs. GUI

Tom2 wrote:
Are you using the hmac-lt64 option?

Yes, the hmac-lt64 is set in both cases. So no difference there. AFAIK this is needed for the pam_yubico challenge-response mode to work at all.
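
Added example, not part of the thread and not Yubico code: a way to check offline whether two written-down secrets decode to the same bytes, and what response a backup secret should produce for a given challenge. It assumes the slot is configured for HMAC-SHA1 challenge-response with a 20-byte secret written as hex (separators between bytes ignored); the function names are hypothetical, and the 63-byte limit is taken from the hmac-lt64 description above.

```python
import hashlib
import hmac

LT64_MAX_CHALLENGE = 63  # limit described in the thread for the hmac-lt64 option


def parse_hex_secret(text):
    """Decode a secret written as hex, ignoring spaces, colons and newlines."""
    cleaned = "".join(ch for ch in text if ch not in " :\t\r\n")
    secret = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(secret) != 20:  # assumption: HMAC-SHA1 slot secret is 20 bytes
        raise ValueError(f"expected 20 bytes, got {len(secret)}")
    return secret


def same_secret(text_a, text_b):
    """True if two written forms decode to identical key bytes."""
    return hmac.compare_digest(parse_hex_secret(text_a), parse_hex_secret(text_b))


def expected_response(secret, challenge):
    """Software HMAC-SHA1 of the challenge, truncated to 63 bytes as for hmac-lt64."""
    return hmac.new(secret, challenge[:LT64_MAX_CHALLENGE], hashlib.sha1).hexdigest()


if __name__ == "__main__":
    # Constructed sample values (RFC 2202 test key), not a real token secret.
    compact = "0b" * 20
    spaced = " ".join(["0b"] * 20)
    print("same bytes:", same_secret(compact, spaced))
    print("response:  ", expected_response(parse_hex_secret(compact), b"Hi There"))
```

If the value printed for a test challenge differs from what the token returns for the same challenge, the backup string was not decoded to the bytes that were programmed into the slot.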

All times are UTC + 1 hour