Static password does not take into account the length #29

Closed
opened 2023-11-16 17:41:27 +08:00 by sylvainpelissier · 5 comments
sylvainpelissier commented 2023-11-16 17:41:27 +08:00 (Migrated from github.com)

It seems for static password the length is limited to 8 characters:

```bash
$ ykman otp static 1
Enter a static password: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Slot 1 is already configured. Overwrite configuration? [y/N]: y
```

Then pressing the button gives only `bbbbbbbb`

The same happens with password generation:

```bash
$ ykman otp static --length 24 --generate 1
```
polhenarejos commented 2023-11-17 03:17:40 +08:00 (Migrated from github.com)

It is fixed, but `ykman` sets the `SHORT_TICKET` flag, which implies only half of the password is sent. Is this happening with a YubiKey too? To me it is quite strange.

sylvainpelissier commented 2023-11-18 15:35:01 +08:00 (Migrated from github.com)

For the static password mode, the full programmed password is returned. I think this option is used only for Yubico OTP: https://developers.yubico.com/yubikey-personalization/Manuals/ykpersonalize.1.html

polhenarejos commented 2023-11-20 16:04:23 +08:00 (Migrated from github.com)

From the ykpersonalize webpage:

```
short-ticket | Limit the length of the static string to max 16 digits. This flag only makes sense with the -ostatic-ticket option. When -oshort-ticket is used without -ostatic-ticket it will program the YubiKey in "scan-code mode", in this mode the key sends the contents of fixed, uid and key as raw keyboard scancodes. For example, by using the fixed string h:8b080f0f122c9a12150f079e in this mode it will send Hello World! on a qwerty keyboard. This mode sends raw scan codes, so output will differ between keyboard layouts.
```

and `ykman` sets the `SHORT_TICKET` flag by default:
https://github.com/Yubico/yubikey-manager/blob/51a7ae438c923189788a1e31d3de18d452131942/yubikit/yubiotp.py#L474

```
self._update_flags(CFGFLAG.SHORT_TICKET, True)
```

It does not set `STATIC_TICKET`, so I guess it is used as raw scan-code mode.

When you do `$ ykman otp static --length 24 --generate 1`, does it return 24 chars or 12 on a YubiKey?

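As an added illustration of the scan-code mode the man page excerpt above describes (this is not code from pico-fido, ykman or yubikey-personalization), the following decodes a `h:<hex>` fixed string into the text a host would see. The keycode table is assumed from the USB HID usage tables for a US QWERTY layout, so, exactly as the man page warns, the same bytes type something else on another layout.

```python
# USB HID keycode -> character for a US QWERTY layout (assumption: table
# reconstructed from the USB HID usage tables, not taken from pico-fido).
# Bit 0x80 on a byte means "send this key with Shift held".
SHIFT = 0x80
_UNSHIFTED = {}
_SHIFTED = {}
for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz"):
    _UNSHIFTED[0x04 + i] = ch
    _SHIFTED[0x04 + i] = ch.upper()
for i, (digit, sym) in enumerate(zip("1234567890", "!@#$%^&*()")):
    _UNSHIFTED[0x1E + i] = digit
    _SHIFTED[0x1E + i] = sym
_UNSHIFTED[0x2C] = _SHIFTED[0x2C] = " "  # space is the same with or without Shift


def decode_scancodes(fixed: str) -> str:
    """Decode a ykpersonalize 'fixed' string (h:<hex>) as typed in scan-code mode."""
    if fixed.startswith("h:"):
        fixed = fixed[2:]
    out = []
    for code in bytes.fromhex(fixed):
        table = _SHIFTED if code & SHIFT else _UNSHIFTED
        key = code & 0x7F  # strip the Shift modifier bit
        if key not in table:
            raise ValueError(f"scancode 0x{key:02x} is not in the QWERTY table")
        out.append(table[key])
    return "".join(out)


def encode_scancodes(text: str) -> str:
    """Inverse: build the h:<hex> fixed string for letters, digits, space
    and the shifted digit symbols; anything else is rejected."""
    reverse = {ch: key for key, ch in _UNSHIFTED.items()}
    for key, ch in _SHIFTED.items():
        reverse.setdefault(ch, key | SHIFT)
    try:
        return "h:" + bytes(reverse[c] for c in text).hex()
    except KeyError as exc:
        raise ValueError(f"character {exc} cannot be typed from this table") from None


if __name__ == "__main__":
    # The example string quoted from the ykpersonalize man page
    print(decode_scancodes("h:8b080f0f122c9a12150f079e"))  # Hello World!
```

The example string is twelve bytes, i.e. twelve keystrokes, which is within the 16-digit limit the `short-ticket` description gives.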
sylvainpelissier commented 2023-11-21 14:58:04 +08:00 (Migrated from github.com)

It returns a 24-character password when pressing the YubiKey. Tested on my YubiKey 5C NFC.

polhenarejos commented 2023-11-21 20:51:55 +08:00 (Migrated from github.com)

Fixed in Release 5.8

Reference: dearsky/pico-fido#29