Yubico Forum

Web Service Client Software • [Community] - Forum going read only. New KDB on its way.

2018-01-30T09:26:55+01:00

For the security and experience of our user community, we have decided to set the forum as read-only and wipe all user account information. All historical posts and announcements will be archived and remain publicly searchable.

In 2018, we will be publishing a searchable knowledge-base system that allows the community to provide direct feedback on articles and make suggestions that will be reviewed by Yubico staff. We sincerely appreciate the participation of our user forum over the years and hope to continue serving your for years to come.

Statistics: Posted by Tom2 — Tue Jan 30, 2018 9:26 am

Web Service Client Software • C# Windows application

2017-12-15T08:59:42+01:00

Hello experts,

There is a scenario where user will have to give their windows username/password and yubikey for accessing windows application. Is there any sample application where administrator can configure windows user with yubikey.

Thanks,
Prasana

Statistics: Posted by prasannaor — Fri Dec 15, 2017 8:59 am

Web Service Client Software • Re: PAM issue with YubiCloud on CentOS 7

2017-10-31T14:01:13+01:00

No response?

Statistics: Posted by fedorz — Tue Oct 31, 2017 2:01 pm

Web Service Client Software • Re: PAM issue with YubiCloud on CentOS 7

2017-10-14T13:33:40+01:00

Yes, that is correct, that is where I got the id and key I am using.

Statistics: Posted by fedorz — Sat Oct 14, 2017 1:33 pm

Web Service Client Software • Re: PAM issue with YubiCloud on CentOS 7

2017-10-14T07:35:04+01:00

Hello fedorz,

Just to confirm you visited (https://upgrade.yubico.com/getapikey/) to receive a id and api key to replace in the following line?
auth required pam_yubico.so id="Replace with ID" key="replace with API Key" authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug

Best Regards,
Matthew
Yubico Support

Statistics: Posted by mattlegitt — Sat Oct 14, 2017 7:35 am

Web Service Client Software • PAM issue with YubiCloud on CentOS 7

2017-10-11T17:14:29+01:00

Hi,

I am testing the OTP SSH PAM authentication against the public YubiCloud on CentOS 7 by running a VirtualBox CentOS 7 image.
Once the tests are successful, the plan is to roll this out to our actual servers.

The issue I face that the PAM module fails authenticating, the debug log shows:

Code:

Oct 11 11:42:34 centos_test sshd[1324]: Server listening on 0.0.0.0 port 22.
Oct 11 11:42:34 centos_test systemd: Started OpenSSH server daemon.
Oct 11 11:42:34 centos_test polkitd[619]: Unregistered Authentication Agent for unix-process:1307:25035 (system bus name :1.21, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Oct 11 11:42:47 centos_test sshd[1326]: error: PAM: [color=#0000FF]Authentication service cannot retrieve authentication info for my_user from 127.0.0.1[/color]
Oct 11 11:42:48 centos_test sshd[1326]: Connection closed by 127.0.0.1 port 42490 [preauth]

I don't understand why is it trying 127.0.0.1?

My settings are the following:

/etc/pam.d/sshd:

Code:

  auth required pam_yubico.so id=myid key=mykey authfile=/etc/yubikey_mapping urllist=https://api.yubico.com/wsapi/2.0/verify debug

/etc/ssh/sshd_config:

Code:

  PasswordAuthentication no
  ChallengeResponseAuthentication yes

I can manually access the YubiCloud:

Code:

wget -q -O - 'https://api.yubico.com/wsapi/2.0/verify?id=myid&nonce=asdmalksdmlkasmdlkasakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujbikngjrtgh'
h=svSvQsBDOgm9FFyTXjqNXHJiU=
t=2017-10-11T16:11:37Z0347
status=BAD_OTP

Network settings:

Code:

1: lo:  mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3:  mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:c6:0f:7d brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic enp0s3
       valid_lft 85120sec preferred_lft 85120sec

What looks odd to me in the debug logs, that is seemingly trying to verify the authentication against 127.0.0.1.

Any idea what might be wrong?

Thanks

Statistics: Posted by fedorz — Wed Oct 11, 2017 5:14 pm

Web Service Client Software • Re: Not clear on the Yubico OTP API

2017-09-26T20:16:19+01:00

Ok, I have a working new program. I am verifying that the returned otp is the same as submitted, after a while of figuring out how to discern my Yubikey from any old successful "OK" result by checking the first 12 characters I have gotten it to validate me. Once the returned OTP is correct, the nonce is the same as submitted and the result is OK etc then it validates me as successful.

What can protect from someone setting up a localhost web server and just sending out a preset good looking result which has all the "right" bogus otp, nonce? Is there some simple hashing based thing I can do to check? I am not sure about the hashing. There is some basic hashing capability in AutoIt but I do not know the protocol of what gets hashed and with what algorithm. Is it a concatenation between multiple pieces of data being hashed? then in that case which goes first etc. I think that hash that is returned has got something to do with that API key I received, that is my theory. But I do not know how to make use of it.

Statistics: Posted by techwg — Tue Sep 26, 2017 8:16 pm

Web Service Client Software • Not clear on the Yubico OTP API

2017-09-26T12:38:10+01:00

I would like to add some basic Yubico OTP checking capability to an AutoIt program I would make, so that the program would only function if my yubikey is authenticated as being present. It is a scripting language that allows me to make programs without having to learn complicated programming languages.

I was experimenting with this long ago but I am clueless as to what was needed. I recall seeing some old code of mine with a hard-coded user ID of my old OTP key. I have no idea how I would get what ever my new cc built in OTP ID is or how to verify that a "successful" OTP is from my particular Yubikey and not any old Yubikey that works and was registered on the Yubico cloud.

Can someone please give me a quick readers digest of how I need to construct a get request to take input from the user, sent it to the Yubico API and get and interpret the response?

Thanks.

Statistics: Posted by techwg — Tue Sep 26, 2017 12:38 pm

Web Service Client Software • Transforming OTP on Alternate Keyboards (ex. Dvorak/Colemak)

2017-09-12T13:22:55+01:00

Hey guys,
We are using the Yubicloud OTP service to validate YubiKeys for our users. We've come to discover that the OTP service with YubiKeys only works properly with qwerty keyboards.

To help mitigate this for our non-qwerty users we are planning on the following solution:

1. Detect if the OTP token is qwerty, dvorak, or colemak.
2. If not qwerty, do a simple transform based on the key maps back to qwerty (ex. https://awsm-tools.com/text/keyboard-layout)
3. Validate with OTP APIs using the qwerty token like normal.

The problem we've come to in this solution is how to properly handle step #1. From the OTP token alone, is there a way to reliably determine what type of keyboard it was generated with?

Looking at https://developers.yubico.com/OTP/OTPs_Explained.html and my own OTPs it would seem that the public ID of the YubiKey (first 12 characters) may offer some help. For example, does this ID always start with "c"? If so we could look at that and if it started with "j", we would now know that it is a Dvorak keyboard. This solution would fail for Colemak keyboards though since "c" is mapped to "c".

Is there any advise you can give about the make-up of the OTP tokens that would make this detection possible?

Thanks!

Statistics: Posted by kspearrin — Tue Sep 12, 2017 1:22 pm

Web Service Client Software • Re: What is the risk of verbose_otp when using OpenSSH?

2017-04-14T06:27:56+01:00

Hello Matthew,

Thanks!

Since Yubico OTP is input as USB keyboard, I think that keylogging is also possible without the verbose_otp option.
Is it wrong..?

When using two factor authentication with Publickey Authentication and Yubico OTP, the change with verbose_otp option will only display used OTP on the terminal.

Best,
saso

Statistics: Posted by saso — Fri Apr 14, 2017 6:27 am

Web Service Client Software • Re: What is the risk of verbose_otp when using OpenSSH?

2017-04-13T18:03:58+01:00

Hello saso,

Setting the verbose_otp option is not recommended and can open your system to keylogging as it will also send and record the password along with the otp string.

Best Regards,
Matthew
Yubico Support

Statistics: Posted by mattlegitt — Thu Apr 13, 2017 6:03 pm

Web Service Client Software • What is the risk of verbose_otp when using OpenSSH?

2017-04-13T12:54:09+01:00

Hello,

Thanks for great products!

In README, It says that verbose_otp can not be used in OpenSSH.
However, verbose_otp option can be used with OpenSSH_5.3p1

And in README,
> You are advised to not use this, if you are using two factor authentication because that will display your password on the screen.

What is the risk of verbose_otp when using OpenSSH?
Even if the used one-time password leaks out, it seems to be no problem because validation server does not accept OTP.

Thanks.

Statistics: Posted by saso — Thu Apr 13, 2017 12:54 pm

Web Service Client Software • Re: New entirely free and open-source .NET Client Library (D

2017-02-14T17:04:48+01:00

What the heck? All I got was a spam page that kept opening more windows. Not Cool!

Statistics: Posted by mcdown75 — Tue Feb 14, 2017 5:04 pm

Web Service Client Software • Re: How to get private key stored instead of OTP for U2F Jav

2016-09-04T16:08:16+01:00

mouse008 wrote:

Quote:

I use U2F for login / sudo on my linux machines

I'd appreciate some more details please, if you don't mind.

PM or start a new thread, please; that's not really in-scope for this thread (it's rude to hijack).

Statistics: Posted by SporkWitch — Sun Sep 04, 2016 4:08 pm

Web Service Client Software • Re: How to get private key stored instead of OTP for U2F Jav

2016-09-04T07:05:54+01:00

Quote:

I use U2F for login / sudo on my linux machines

I'd appreciate some more details please, if you don't mind.

Statistics: Posted by mouse008 — Sun Sep 04, 2016 7:05 am