Welcome to Yubico tech community.


All times are UTC + 1 hour




[ 16 posts ]  Page 1 of 2
Posted: Wed Jun 25, 2008 11:19 am

Joined: Wed Jun 04, 2008 11:18 pm
Posts: 4
Location: Frederiksberg, Denmark
Hi
I've created a little plugin for the Wordpress blog system.

http://henrik.schack.dk/yubikey-plugin/

The plugin uses the Yubico server for authentication, but I guess a future version will include support for
a built-in authentication server.


Posted: Wed Jun 25, 2008 1:03 pm

Joined: Wed Jun 25, 2008 12:29 pm
Posts: 5
Awesome stuff!

Thanks Henrik!

:D :D :D


Posted: Wed Jun 25, 2008 1:10 pm

Joined: Wed Jun 25, 2008 12:29 pm
Posts: 5
Hi Henrik,

The url to the plugin on your blog is not working, please could you provide me with the correct url?

Thanks in advance,
Wouter


Posted: Wed Jun 25, 2008 1:19 pm

Joined: Wed Jun 04, 2008 11:18 pm
Posts: 4
Location: Frederiksberg, Denmark
WouterduToit wrote:
Hi Henrik,

The url to the plugin on your blog is not working, please could you provide me with the correct url?

Thanks in advance,
Wouter


Oops, sorry, a typo; I've fixed it now.


Posted: Wed Jun 25, 2008 5:06 pm

Joined: Wed Jun 25, 2008 12:29 pm
Posts: 5
Thank you!

Works like a charm! Great bit of sample code too!


Posted: Wed Jun 25, 2008 5:58 pm

Joined: Tue Jun 24, 2008 10:42 am
Posts: 1
I second that - awesome work!

I've just set up the plugin on a WordPress 2.5.1 under Debian testing.

Initially I got this error when signing in with the plugin active

Quote:
Call to undefined function: curl_init()


when signing in, as PHP support for curl was not installed on my box

Quote:
apt-get install php5-curl
/etc/init.d/apache2 restart


cured that. Many thanks,

Dave.


Posted: Mon Jun 30, 2008 3:56 pm
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 149
Very neat! The code looks really clean and high quality too. Thanks, Henrik!

Since my own personal blog (blog.josefsson.org) uses WordPress, I'd like to use it... but when I enable it, I just get
Code:
ERROR: Incorrect password.

The password is correct. Any ideas? Where are things logged anyway?

Using a packet sniffer, I can see that the request to/from api.yubico.com works fine, and comes back with an OK, so I believe the client key id/key is correct. I've tried setting the yubikey id both pasting in an entire OTP and cut'n'paste'ing in the first 12 characters only, but no difference.

Any ideas?

Is it possible to disable password authentication, and just use yubikey authentication?

/Simon


Posted: Mon Jun 30, 2008 4:15 pm
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 149
I solved the problem: My server still uses php4, so it doesn't have the 'hash' requirement. I modified the following line:

Code:
   $hmac = base64_encode(hash_hmac('sha1',$datastring,base64_decode($yubico_api_key), TRUE));


into:

Code:
   $hmac = base64_encode(mhash(MHASH_SHA1,$datastring,base64_decode($yubico_api_key)));


So that it uses mhash instead of the newer hash interface. Then it worked fine. Great! Now 'blog.josefsson.org' is a user of the yubikey/wordpress-plugin!

I would suggest that the code checks for hash+curl libraries earlier, is it possible to do this using a 'require' or similar?

I'm still curious whether it is possible to disable password authentication.

/Simon


Posted: Mon Jun 30, 2008 7:44 pm

Joined: Wed Jun 04, 2008 11:18 pm
Posts: 4
Location: Frederiksberg, Denmark
Simon wrote:
I solved the problem: My server still uses php4, so it doesn't have the 'hash' requirement. I modified the following line:

Code:
   $hmac = base64_encode(hash_hmac('sha1',$datastring,base64_decode($yubico_api_key), TRUE));


into:

Code:
   $hmac = base64_encode(mhash(MHASH_SHA1,$datastring,base64_decode($yubico_api_key)));


So that it uses mhash instead of the newer hash interface. Then it worked fine. Great! Now 'blog.josefsson.org' is a user of the yubikey/wordpress-plugin!

I would suggest that the code checks for hash+curl libraries earlier, is it possible to do this using a 'require' or similar?

I'm still curious whether it is possible to disable password authentication.

/Simon


Happy you figured out the hash problem. I must admit I didn't think about testing against PHP4, as it is very, very close to end of life.

I have been looking into ways of testing for Curl & Hash lib presence, but there isn't any really nice way to do it in WordPress; you can't prevent the plugin from being installed or anything like that.
How about a solution where the plugin gets installed but the login page says that the functionality has been disabled due to missing libs?

I'm not sure there is a hook that makes it possible to disable password auth. But I'll look into it :-)

/Henrik Schack
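
The early dependency check Simon asks for and the login-page notice Henrik proposes could look like the following. This is an added example, not code from the plugin or from either poster; the `yk_*` function names and the sample values are hypothetical, and it assumes WordPress's `login_message` filter is available.

```php
<?php
// Added example: the yk_* names are hypothetical, not taken from the plugin.

// Return the PHP capabilities the OTP check needs but this server lacks.
function yk_missing_deps() {
    $missing = array();
    if (!function_exists('curl_init')) {
        $missing[] = 'curl';
    }
    if (!function_exists('hash_hmac') && !function_exists('mhash')) {
        $missing[] = 'hash or mhash';
    }
    return $missing;
}

// HMAC-SHA1 over $datastring with the base64-encoded API key, using
// whichever interface exists. Returns null when neither does, so the
// caller can refuse the OTP check instead of hitting a fatal error.
function yk_sign($datastring, $api_key_b64) {
    $key = base64_decode($api_key_b64);
    if (function_exists('hash_hmac')) {
        return base64_encode(hash_hmac('sha1', $datastring, $key, true));
    }
    if (function_exists('mhash')) {
        return base64_encode(mhash(MHASH_SHA1, $datastring, $key));
    }
    return null;
}

// Text for the login page when the check cannot run; unchanged otherwise.
function yk_login_notice($message = '') {
    $missing = yk_missing_deps();
    if ($missing) {
        $message .= 'YubiKey login is disabled: missing PHP support for '
                  . implode(', ', $missing) . '.';
    }
    return $message;
}

// Inside WordPress, show the notice through the login_message filter.
if (function_exists('add_filter')) {
    add_filter('login_message', 'yk_login_notice');
}

// Constructed sample values, for running the file on its own from the CLI.
if (PHP_SAPI === 'cli') {
    $sig = yk_sign('id=1&otp=constructed-sample-otp', base64_encode('constructed-key'));
    echo ($sig === null ? 'no HMAC support' : $sig), "\n";
    echo yk_login_notice(), "\n";
}
```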


Posted: Mon Jun 30, 2008 9:13 pm

Joined: Tue Jun 03, 2008 10:05 pm
Posts: 4
Location: Sweden
Looks very interesting. I will certainly try to look a bit into this code and try to use it in future WordPress installations.

