Yubico Forum ...visit our web-store at 2015-07-21T19:17:17+01:00 https://forum.yubico.com/feed.php?f=16&t=1968 2015-07-21T19:17:17+01:00 2015-07-21T19:17:17+01:00 https://forum.yubico.com/viewtopic.php?t=1968&p=7625#p7625 <![CDATA[Re: yubipam + authlite with same yubikey profile possible?]]>
Your assumption about the AES key is wrong. We encrypt that value for export, mostly for historical reasons.

Anyway, you super should not do the thing you are trying to do. Sharing a single yubikey across more than one authority makes you vulnerable to cross authority replay attacks. If you want to use AD as the central store for your users, AuthLite can do everything and you don't need any of the Yubico software.

If you need to have separate authorities, then you should use separate yubikeys.

Statistics: Posted by ferrix — Tue Jul 21, 2015 7:17 pm

]]> 2015-07-20T15:44:53+01:00 2015-07-20T15:44:53+01:00 https://forum.yubico.com/viewtopic.php?t=1968&p=7612#p7612 <![CDATA[yubipam + authlite with same yubikey profile possible?]]> I want to use a yubikey to authenticate on Linux against an radius server. This already works.
We also want to authenticate our Windows machines against AD using AuthLite. Unfortunately I was not able to do so using the same profile on the yubikey.
I am configuring my yubikey this way on Linux and insert it into the yubipam configuration:
Code:
# yubikey configuration
uid=$(openssl rand -hex 6)
fixed=$(openssl rand -hex 16 | tr “0-9a-f” “cbdefghijklnrtuv”)
access=$(openssl rand -hex 6 )
ykpersonalize -1 -z
ykpersonalize -1 -oaccess=$access -ofixed=$fixed -ouid=$uid -oappend-cr -o-strong-pw1 -o-strong-pw2 -o-man-update

# yubipam configuration
ykpasswd -a -u $username -k $AES-FROM-ykpersonalize -o $OTP-from-token

# check token
ykvalidate -u $username $OTP-from-token



This works without a problem.
I got some xml files from the workmate that is responsible for the AuthLite/AD integration.
My idea was to extract the data from the xml file and configure it into yubipam.
The xml file looks like this:
Code:
<?xml version="1.0" encoding="utf-8"?>
<AuthLiteData xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schema.collectivesoftware.com/products/authlite/databucket/1.0">
  <Keys>
    <AuthLiteKey>
      <PublicId>65d2a1ce80d50ad8a67b0d705c0acd40</PublicId>
      <PublicIdReadable>2b6858c208d04cb0e7a9f1cea451c120</PublicIdReadable>
      <AesKey>276649e34a78c802975636c0faf9c76f</AesKey>
      <OtpCounter>0</OtpCounter>
      <Timestamp>0</Timestamp>
      <SecretId>89768ac03843</SecretId>
      <SerialNumber>3971014</SerialNumber>
      <OathInterval xsi:nil="true" />
      <OathDrift xsi:nil="true" />
      <CounterUpdateTimestamp>0001-01-01T00:00:00</CounterUpdateTimestamp>
    </AuthLiteKey>
  </Keys>
</AuthLiteData>


I simply assumes AES-key = AES-key and tried to reuse the aes key in yubipam:
Code:
ykpasswd -a -u $username -k $AES-FROM-XMLFILE -o $OTP-from-token

Unfortunately this does not work:
Code:
Adding Yubikey entry for $username
Invalid OTP specified!

The OTP has the same length. The PublicIdReadable from the xml file is the hex representation of the modhex from the key.
This can be checked this way:
Code:
echo $PublicIdReadable-from-xml | tr “0-9a-f” “cbdefghijklnrtuv”


Using the same profile in two authentication systems should work. At least I had no problems authentication against freeradius/yubipam at work and yubipam at home with the same yubikey and same profile.

Please help me.
Best regards.

Statistics: Posted by adrian — Mon Jul 20, 2015 3:44 pm

]]>