Yubico Forum

Re: [QUESTION] How do I enable YubiOATH in my application

2014-11-14T15:46:00+01:00

Update: I've now pushed this out, and it's documented at http://www.infradead.org/openconnect/token.html

Code at http://git.infradead.org/users/dwmw2/op ... /yubikey.c

Any review comments would be welcome. It would be useful to have a consistent interface for using Yubikey from various applications.

Code:

$ ./openconnect --token-mode yubikey  --token-secret 'rôle ♥ foo' $SERVER

Found ykneo-oath applet v0.2.1.
PIN required for Yubikey OATH applet
Yubikey PIN:
Failure response to "unlock command": 6a80
PIN required for Yubikey OATH applet
Yubikey PIN:
Found TOTP/SHA1 key 'rôle ♥ foo' on 'Yubico Yubikey NEO CCID 00 00'
POST https:/$SERVER/
...
Please enter your username and password.
Username:foo
Password:
Generating Yubikey token code
POST https://$SERVER/+webvpn+/index.html

Statistics: Posted by dwmw2 — Fri Nov 14, 2014 3:46 pm

Re: [QUESTION] How do I enable YubiOATH in my application

2014-11-12T14:45:51+01:00

Thanks. As with the python yubico-authenticator, that's kind of useful because it shows the commands to use. However, there are a bunch of things missing from it — like locking with SCardBeginTransaction() when we need to talk to the card, and reselecting the ykneo-oath applet because OpenSC might have been talking to the PIV applet when we come back for a new tokencode. Currently, yubico-authenticator breaks when that happens.

It would be *so* useful if there was a simple library I could use to handle this for me, using something reminiscent of PKCS#11 URIs. So I just have a function which can give me a tokencode for file://home/dwmw2/foo.pskc (updating the counter in the file as appropriate if it's a HOTP token, with file locking done consistently too). Or for yubikey://cardident/objectname for yubikey, for example, without individual applications having to have hardware-specific details.

And while I think of it, wouldn't it be useful if RFC6030 defined a way for a PSKC file to refer to a token's secret key by means of a PKCS#11 URI?
And my hypothetical library (which is actually what oath-toolkit *ought* to provide instead of just the disjoint libpskc and liboath libraries) would Just Work™ with tokens in that form too.

Anyway, I now have OpenConnect authenticating automatically to VPN servers using HOTP/TOTP tokens from a Yubikey NEO (as well as SSL private keys stored therein). There's a little more cleanup to be done, but I've pushed it to http://git.infradead.org/users/dwmw2/op ... ff/c24046b

It's the first time I've ever looked at PC/SC code so I don't claim there's anything particularly competent about it, but if you want to use any of it as the basis for a C library that at *least* supports Yubikey (rather than embarking on the grand plan outlined above), you're welcome to it under LGPLv2 or later.

Statistics: Posted by dwmw2 — Wed Nov 12, 2014 2:45 pm

Re: [QUESTION] How do I enable YubiOATH in my application

2014-11-10T09:56:28+01:00

try the test client here:
https://github.com/Yubico/ykneo-oath

Statistics: Posted by Tom — Mon Nov 10, 2014 9:56 am

[QUESTION] How do I enable YubiOATH in my application

2014-11-06T23:19:23+01:00

I have a VPN client application which currently supports HOTP and TOTP via oath-toolkit, automatically generating response codes where the VPN server requests them: http://www.infradead.org/openconnect/token.html

I would like to support OATH using Yubikeys too. Do I need to use libykneomgr and construct the traffic myself, having worked out what to send from commands.py and functions.py in yubico_authenticator? Or is there a better way?

Statistics: Posted by dwmw2 — Thu Nov 06, 2014 11:19 pm