Can't configure the challenge-response with onlykey-cli

I would like to use my OnlyKey as a replacement for my two YubiKeys. I use the challenge-response to unlock my KeePassXC database. I can’t set my OnlyKey. I followed this tutorial:
https://docs.crp.to/usersguide.html#challenge-response

I generate my key:

$ openssl rand -hex 20
182513a847928f253b363983d4d8b269b1ddecb1

I configure my two YubiKeys with my key:

ykpersonalize -1 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible -ochal-btn-trig -a{MYKEY}
Firmware version 5.2.4 Touch level 1281 Program sequence 1
Configuration data to be written to key configuration 1:

fixed: m:
uid: n/a
key: h:182513a847928f253b363983d4d8b269b1ddecb1
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64|CHAL_BTN_TRIG
extended_flags: SERIAL_API_VISIBLE

Commit? (y/n) [n]: y

And now, I configure my OnlyKey (it is in config mode):

onlykey-cli setkey 130 9 {MYKEY}

But I have no feedback from the command line. In the tutorial, the return is:

Successfully set ECC Key

When I test my OnlyKey in KeePassXC, I can’t open my db, unlike with my two YubiKeys.

Does anyone have an idea?

Is your YubiKey Personalization Tool app set to hmac-sha1 variable input?

So in the onlykey-cli app you typed setkey 130 9 yourcodehere?
If so, what you need to do is this: type setkey 130 9, then when “Password/Key:” shows, type your challenge-response code in with no spaces. (It worked for me with my 2x YubiKeys and OnlyKey.)

(Unrelated, but you can’t set a challenge-response for KeePass with KeeChallenge, as it uses a fixed code.)

Yes, I set hmac-sha1 variable input on my YubiKey. I think it’s -ohmac-lt64 as a parameter to pass to ykpersonalize. But I can test afterwards with the YubiKey Personalization Tool app.

I tested 2 solutions to program it with onlykey-cli. In interactive mode:

$ onlykey-cli
OnlyKey CLI v1.2.4
Control-D to exit.
OnlyKey> setkey 130 9
Type Control-T to toggle password visible.
Password/Key: ********************

and with the cli:

$ onlykey-cli setkey 130 9 MYKEY

But these two commands do not return the tutorial confirmation:

Successfully set ECC Key

I also tested with onlykey-app:
Advanced > Add private key

Type: HMACSHA1
Slot: HMAC 1 (130)
Key: MYKEY, 20 bytes hex

And I have this error:

ECC Key must be 64 characters.

I use this version:

$ onlykey-cli version
OnlyKey CLI v1.2.4

$ onlykey-cli fwversion
v2.1.0-prodc

Holeoe, thank you for your answer, I hope to succeed.

I think maybe my key is wrong. I do:

$ openssl rand -hex 20

And I write this key (an example):

182513a847928f253b363983d4d8b269b1ddecb1

Thanks for your help

One quick note: have you turned off the 2FA on your accounts linked to the OnlyKeys? Or kept at least one of your keys with the old data until you get the new one working and added to your accounts?

The first of your two solutions is how I managed to set it on the onlykey-cli command line app.
This:

I believe the option -ohmac-lt64 for the ykpersonalize command line app sets it to fixed 64 byte input (which I believe the OnlyKey doesn’t support, please correct me if I am wrong, and I can’t find the command for variable input on yubico). I used the YubiKey Personalization Tool app, the non command line version (as I found it a lot easier, as it was difficult to get all the information needed to use the command line app).

On the YubiKey Personalization Tool app, click on the tab Challenge-Response, then select the slot, then select require user input and then select variable input, then click on the generate button and then click write configuration. Copy the code down and then write it to the OnlyKey without the spaces.

If you do test it with the OnlyKey app (setting the challenge-response) with the tab Advanced, Add private key, HMACSHA1, slot and then the key, let me know, as I didn’t realise the app allowed setting it this way.

I have several YubiKeys, including one to do my tests with the OnlyKey. I also use a kdbx only for testing.

I follow exactly this documentation:
https://docs.crp.to/usersguide.html#challenge-response

No way! I don’t have the return: Successfully set ECC Key

Is it possible to have a higher level of verbosity or a debug mode?

With the OnlyKey App, to get rid of the error “ECC Key must be 64 characters.”, I padded with zeros.

I also tried to configure KeePassXC with the internal configuration of the OnlyKey. I get the error: Wrong Size

Maybe my key is defective?? Or is it a program bug?

My security is based on YubiKey, I would like to find a solution to use my OnlyKey.

Thanks for your help

1 Like

Were you able to find a solution in the meantime?
I also got stuck on the same problem :frowning:

@bugrasan I was able to get the Challenge-Response working with my KeePassXC database, can you expand on the issue you’re having?

@bugrasan no sorry haven’t found a solution but I would like to find a solution!

@Zach I too can use the Challenge-Response and use KeePassXC.

Personally, I would like to have my YubiKey as a backup to my OnlyKey for the Challenge-Response. It is necessary to be able to share the same secret, but I can’t define the same secret on the OnlyKey, unlike the YubiKey, which accepts it.

@bugrasan if you have any ideas or new information, I will gladly look for the problem with you.

Thanks

@knlr0m1 I have my OnlyKey and YubiKeys sharing the same HMAC-SHA1 secret. I originally tried to set the HMAC slot with the onlykey-cli as you indicated but it wasn’t working for me, but when I tried it through the app I was able to get it working by following the documentation. This is using the OnlyKey Duo.

@Zach Thank you for your information. I tried both solutions and had two failures. I see that there is version 5.3.4 while I tested with 5.3.3. A fix?
When you were using the application, did you get a feedback message?
Thanks again for your help.

@knlr0m1 I just tried again and it said ECC slot successfully set, which doesn’t make sense and might be a bug since I definitely set the HMAC slot. I noticed the messages were also buggy when I was experimenting with setting the RSA slots. In any event, I was again able to access my KeePassXC database using both HMAC slots. I’m using the latest firmware version. I may buy an original OnlyKey to experiment with as well.

I updated the application and clicked to test again. I managed to configure my OnlyKey and unlock my KeePassXC.
I don’t know if I had a bug and if it was fixed. But it is important to follow the steps and add the zero padding.

Thanks @Zach for the information

1 Like
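Added example, not from any post in this thread and not from OnlyKey’s or KeePassXC’s own code: a small offline check of why the zero padding works. The OnlyKey app wants 64 hex characters (32 bytes) while `openssl rand -hex 20` gives 40 hex characters (20 bytes). HMAC-SHA1 internally right-pads any key shorter than the 64-byte SHA-1 block with zero bytes, so a 20-byte secret and the same secret padded with zero bytes to 32 bytes produce identical responses to every challenge, which is what lets the OnlyKey and the YubiKeys share one secret. The secret and challenge below are constructed sample values, not anyone’s real key.

```python
import hashlib
import hmac

# Constructed sample secret (NOT a real key): 20 bytes, the size that
# `openssl rand -hex 20` produces for the YubiKey HMAC-SHA1 slot.
SAMPLE_SECRET_HEX = "000102030405060708090a0b0c0d0e0f10111213"


def zero_pad_hex(secret_hex: str, hex_len: int = 64) -> str:
    """Right-pad a hex secret with '0' characters up to hex_len characters.

    64 hex characters = 32 bytes, the length the OnlyKey app insists on
    ("ECC Key must be 64 characters."). Spaces from the Personalization
    Tool display are stripped first.
    """
    s = secret_hex.replace(" ", "").lower()
    if len(s) > hex_len:
        raise ValueError("secret is longer than the target length")
    return s.ljust(hex_len, "0")


def hmac_sha1_response(secret_hex: str, challenge: bytes) -> str:
    """HMAC-SHA1 challenge-response for a hex secret and a variable-length
    challenge, returned as lowercase hex (what a device would answer)."""
    key = bytes.fromhex(secret_hex.replace(" ", ""))
    return hmac.new(key, challenge, hashlib.sha1).hexdigest()


def padded_key_matches(secret_hex: str, challenge: bytes) -> bool:
    """True when the original secret and its zero-padded 32-byte form give
    the same response. HMAC pads keys shorter than the 64-byte block with
    zero bytes, so appending zero bytes (up to 64 bytes total) is a no-op;
    appending any non-zero byte would change every response."""
    original = hmac_sha1_response(secret_hex, challenge)
    padded = hmac_sha1_response(zero_pad_hex(secret_hex), challenge)
    return hmac.compare_digest(original, padded)


if __name__ == "__main__":
    # Constructed 32-byte challenge; KeePassXC sends its own challenge,
    # this one only exists to exercise the functions offline.
    challenge = bytes(range(32))
    print("padded secret :", zero_pad_hex(SAMPLE_SECRET_HEX))
    print("response      :", hmac_sha1_response(SAMPLE_SECRET_HEX, challenge))
    print("padding is safe:", padded_key_matches(SAMPLE_SECRET_HEX, challenge))
```

If you want to confirm a device is holding the expected secret, compare its answer to a challenge you pick against `hmac_sha1_response()`: the YubiKey and the zero-padded OnlyKey must both agree with it. Padding with anything other than zeros (or a secret longer than 64 bytes) breaks this equivalence.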

@knlr0m1 I have seen in the code that the HMAC type doesn’t match when checking the 20-byte hex, and created a pull request:

Hope this will fix it.

@bugrasan great, thanks for this discovery and PR. I would have to figure it out for the cli, but I don’t know if I have enough Python skills to.

@knlr0m1 I think I also found the issue on python-onlykey and just committed a pull request:

Hope this or a cleaner version gets accepted.