simplyer.blogg.se

Yubikey open source alternative











I do not specifically resolve any of the original questions here concerning the purpose of Yubikey with Password Safe, but I think the experiment I performed can shed some light on the situation.

I have confirmed that is correct: the Yubikey response simply becomes the static password.

Password Safe Yubikey Responses from the Secret Key

A Yubikey response may be generated in a straightforward manner with HMAC-SHA1 and the Yubikey's secret key, but generating the Password Safe Yubikey response is a bit more involved because of null characters and operating system incompatibilities. (I wanted to provide the following code to help the poster at Password Safe on Source Forge, but I do not have an account to do so.) In addition, Yubikey challenges get parsed. (Essentially, one has to insert a null byte between every original byte in the challenge.)

In short, on a Linux computer, if key stores the Secret Key in hexadecimal form with 40 hexits and message stores the challenge, then the following command should return the Password Safe Yubikey response:

    printf $message |
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" -binary |

If possible, you might want to write a temporary Secret Key onto the Yubikey and use a challenge other than your real password for the verification - I am not familiar with how computers store variables or other related security issues. You could at least hide the typed characters using stty. (I'd be happy to learn if anyone has knowledge about this.)

The following script prompts for the Secret Key and challenge without displaying them, and then outputs the Password Hash Yubikey response.

    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$HMACSHA1_key" -binary |

I cannot attest to the portability of the above command and the above script. They are pared down versions of things that worked for me, at least.

I think Kousha is asking why use either Static Password or Challenge-Response. KeePassXC YubiKey support is via the YubiKey HMAC-SHA1 Challenge-Response authentication, where the YubiKey mixes a shared secret with a challenge token to create a response token. Was chosen for the KeePassXC YubiKey support because it provides a deterministic response without, e.g., needing to reliably track counters
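The Password Safe response calculation described in the post, as an added example in Python that is not the poster's script and not Password Safe code. It assumes an ASCII challenge and that each original byte is followed by a null byte (the post only says "between"), and it does not model the challenge parsing the post mentions; all function names are hypothetical.

```python
import getpass
import hashlib
import hmac


def parse_secret_key(hexkey: str) -> bytes:
    """Decode the Secret Key given as 40 hexits (20 bytes)."""
    key = bytes.fromhex(hexkey.strip())  # ValueError on non-hex input
    if len(key) != 20:
        raise ValueError("Secret Key must be exactly 40 hexits (20 bytes)")
    return key


def yubikey_response(key: bytes, challenge: bytes) -> bytes:
    """The straightforward case: HMAC-SHA1 of the raw challenge bytes."""
    return hmac.new(key, challenge, hashlib.sha1).digest()


def interleave_nulls(challenge: bytes) -> bytes:
    """Follow every original byte with 0x00 (assumed placement)."""
    out = bytearray()
    for b in challenge:
        out += bytes((b, 0))
    return bytes(out)


def pwsafe_response(hexkey: str, challenge: str) -> str:
    """Response over the null-expanded challenge, as lowercase hex."""
    key = parse_secret_key(hexkey)
    expanded = interleave_nulls(challenge.encode("ascii"))  # ASCII only
    return yubikey_response(key, expanded).hex()


def matches(expected_hex: str, hexkey: str, challenge: str) -> bool:
    """Compare a response read from the token in constant time."""
    expected = bytes.fromhex(expected_hex.strip())
    actual = bytes.fromhex(pwsafe_response(hexkey, challenge))
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # getpass keeps both values off the screen, like the stty approach.
    hexkey = getpass.getpass("Secret Key (40 hexits): ")
    challenge = getpass.getpass("Challenge: ")
    print(pwsafe_response(hexkey, challenge))
```

As the post suggests, try it first with a temporary Secret Key and a challenge that is not your real password.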












