Configuring HMAC-SHA1 Challenge-Response

The first step is to set up the Yubikey for HMAC-SHA1 Challenge-Response authentication. This can be done either with the Yubikey Personalization Tool or via the ykpersonalize command-line utility.

Using the ykpersonalize command-line utility

First, start by installing ykpers:

❯ brew install ykpers

Then write the challenge-response configuration to slot 2:

❯ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig

Which basically means:

  • Use slot 2 (-2)
  • Set challenge-response mode (-ochal-resp)
  • Generate HMAC-SHA1 challenge responses (-ochal-hmac)
  • Calculate the HMAC over a variable-length input of fewer than 64 bytes (-ohmac-lt64)
  • Require a button press on the Yubikey before a response is generated (-ochal-btn-trig)
  • Optionally, allow the Yubikey's serial number to be read using an API call (-oserial-api-visible); this flag is not part of the command above

Using the Yubikey Personalization Tool

  1. Plug in your Yubikey
  2. Click Challenge-Response
  3. Select HMAC-SHA1 mode
  4. Choose Configuration Slot 2
  5. Select Require user input (button press)
  6. Select Variable input as HMAC-SHA1 mode
  7. Click Write Configuration and do not save a logging file, as the log contains the secret key that was written to the Yubikey

Generating the initial challenge

Install pam_yubico:

❯ brew install pam_yubico
❯ mkdir -m0700 -p ~/.yubico

Generate the initial challenge request (the resulting state is kept under ~/.yubico, which is why the directory was created above):

❯ ykpamcfg -2

Enable Challenge-Response authentication module

Confirm the PAM module file exists before referencing it; if sudo cannot load the module you will be locked out:

❯ test -e /usr/local/opt/pam_yubico/lib/security/pam_yubico.so && echo "File exists, you may proceed."

Before editing, start a separate shell session that already has sudo privileges and keep it open, so you can still undo the change if there is an error in the PAM file.

Then, in another shell session, edit /etc/pam.d/sudo and add the following line as the first one:

auth       required     /usr/local/opt/pam_yubico/lib/security/pam_yubico.so mode=challenge-response

Confirm you need to touch the Yubikey by running the following command on a new shell session:

❯ sudo -l

Notice that you will actually need to touch the Yubikey twice: once to verify the challenge currently on file, and once more, on success, to generate the response for the fresh challenge that replaces it.
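The flow described in this section, as a small simulation: ykpamcfg records a challenge and the key's HMAC-SHA1 response, and each successful sudo costs two touches because the stored challenge is verified and then rotated. This is an added example written for this page; it is not pam_yubico's code or its on-disk file format. SLOT2_SECRET, TouchCountingKey and ChallengeStore are constructed stand-ins (a real slot secret never leaves the key), and the 63-byte limit models the -ohmac-lt64 option.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the 20-byte HMAC-SHA1 secret that ykpersonalize or the
# Personalization Tool programs into slot 2. On a real key it never leaves the device.
SLOT2_SECRET = bytes.fromhex("0f" * 20)

# -ohmac-lt64: the slot computes the HMAC over a variable-length input of fewer than 64 bytes.
HMAC_LT64_MAX = 63


def yubikey_slot2_response(challenge: bytes, secret: bytes = SLOT2_SECRET) -> bytes:
    """Hypothetical model of what slot 2 answers for a challenge (not the ykpers API)."""
    if not 1 <= len(challenge) <= HMAC_LT64_MAX:
        raise ValueError("hmac-lt64 slots accept challenges of 1..63 bytes")
    return hmac.new(secret, challenge, hashlib.sha1).digest()


class TouchCountingKey:
    """Stand-in for a key configured with -ochal-btn-trig: every response costs one touch."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.touches = 0

    def __call__(self, challenge: bytes) -> bytes:
        self.touches += 1  # the button press the user has to make
        return yubikey_slot2_response(challenge, self.secret)


class ChallengeStore:
    """Hypothetical model of the per-user state ykpamcfg -2 writes under ~/.yubico:
    the current challenge and the response the key is expected to give.
    This is not pam_yubico's real file format."""

    def __init__(self):
        self.challenge = b""
        self.expected = b""

    def initialise(self, key) -> None:
        # ykpamcfg step: draw a fresh random challenge and record the key's answer (one touch).
        self.challenge = secrets.token_bytes(32)
        self.expected = key(self.challenge)

    def authenticate(self, key) -> bool:
        # First touch: present the challenge on file and compare in constant time,
        # so timing does not leak how many response bytes matched.
        if not hmac.compare_digest(key(self.challenge), self.expected):
            return False
        # Second touch: on success, replace the challenge so the response just used
        # (or a copied old state file) cannot be replayed against the next login.
        self.initialise(key)
        return True


def walkthrough() -> dict:
    """Runs enrolment, one good login and one bad login; returns what a reader should check."""
    store = ChallengeStore()
    genuine = TouchCountingKey(SLOT2_SECRET)
    store.initialise(genuine)                   # ykpamcfg -2
    enrol_touches = genuine.touches
    first_challenge = store.challenge
    good = store.authenticate(genuine)          # sudo -l with the enrolled key
    impostor = TouchCountingKey(bytes(20))      # constructed: wrong secret, same challenge
    bad = store.authenticate(impostor)
    return {
        "enrol_touches": enrol_touches,
        "good_login": good,
        "touches_per_good_login": genuine.touches - enrol_touches,
        "challenge_rotated": store.challenge != first_challenge,
        "bad_login": bad,
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

Running the block prints one line per check: enrolment takes one touch, a good login takes two, the challenge on file changes after success, and a key with a different secret is rejected without disturbing the stored challenge.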

