Yubico Forum
https://forum.yubico.com/

Yubikey plugin for Wordpress
https://forum.yubico.com/viewtopic.php?f=5&t=116
Page 1 of 2

Author:  Henrik.Schack [ Wed Jun 25, 2008 11:19 am ]
Post subject:  Yubikey plugin for Wordpress

Hi
I've created a little plugin for the Wordpress blog system.

http://henrik.schack.dk/yubikey-plugin/

The plugin uses the Yubico server for authentication, but I guess a future version will include support for
a buildin authenticationserver.

Author:  WouterduToit [ Wed Jun 25, 2008 1:03 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Awesome stuff!

Thanks Henrik!

:D :D :D

Author:  WouterduToit [ Wed Jun 25, 2008 1:10 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Hi henrik,

The url to the plugin on your blog is not working, please could you provide me with the correct url?

Thanks in advance,
Wouter

Author:  Henrik.Schack [ Wed Jun 25, 2008 1:19 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

WouterduToit wrote:
Hi henrik,

The url to the plugin on your blog is not working, please could you provide me with the correct url?

Thanks in advance,
Wouter


Ooops, sorry a typo, I've fixed it now

Author:  WouterduToit [ Wed Jun 25, 2008 5:06 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Thank you!

Works like a charm! Great bit of sample code too!

Author:  wavey [ Wed Jun 25, 2008 5:58 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

I second that - awesome work!

I've just setup the plugin on a wordpress 2.5.1 under debian testing.

Initially i got this error when signing in with the plugin active

Quote:
Call to undefined function: curl_init()


when signing in as php support for curl was not installed on my box

Quote:
apt-get install php5-curl
/etc/init.d/apache2 restart


cured that. many thanks,

Dave.

Author:  Simon [ Mon Jun 30, 2008 3:56 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Very neat! The code looks really clean and high quality too. Thanks, Henrik!

Since my own personal blog (blog.josefsson.org) uses wordpress, I'd like to use it... but when I enable it, I just get
Code:
ERROR: Incorrect password.
. The password is correct. Any ideas? Where are things logged anyway?

Using a packet sniffer, I can see that the request to/from api.yubico.com works fine, and comes back with an OK, so I believe the client key id/key is correct. I've tried setting the yubikey id both pasting in an entire OTP and cut'n'paste'ing in the first 12 characters only, but no difference.

Any ideas?

Is it possible to disable password authentication, and just use yubikey authentication?

/Simon

Author:  Simon [ Mon Jun 30, 2008 4:15 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

I solved the problem: My server still uses php4, so it doesn't have the 'hash' requirement. I modified the following line:

Code:
   $hmac = base64_encode(hash_hmac('sha1',$datastring,base64_decode($yubico_api_key), TRUE));


into:

Code:
   $hmac = base64_encode(mhash(MHASH_SHA1,$datastring,base64_decode($yubico_api_key)));


So that it uses mhash instead of the newer hash interface. Then it worked fine. Great! Now 'blog.josefsson.org' is a user of the yubikey/wordpress-plugin!

I would suggest that the code checks for hash+curl libraries earlier, is it possible to do this using a 'require' or similar?

I'm still curious whether it is possible to disable password authentication.

/Simon

Author:  Henrik.Schack [ Mon Jun 30, 2008 7:44 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Simon wrote:
I solved the problem: My server still uses php4, so it doesn't have the 'hash' requirement. I modified the following line:

Code:
   $hmac = base64_encode(hash_hmac('sha1',$datastring,base64_decode($yubico_api_key), TRUE));


into:

Code:
   $hmac = base64_encode(mhash(MHASH_SHA1,$datastring,base64_decode($yubico_api_key)));


So that it uses mhash instead of the newer hash interface. Then it worked fine. Great! Now 'blog.josefsson.org' is a user of the yubikey/wordpress-plugin!

I would suggest that the code checks for hash+curl libraries earlier, is it possible to do this using a 'require' or similar?

I'm still curious whether it is possible to disable password authentication.

/Simon


Happy You figured out the hash problem, I must admit I didn't think about testing against PHP4 as it is very very close to end of life.

I have been looking into ways of testing for Curl & Hash lib presence, but there isn't any really nice way to do it in Wordpress, you can't prevent the plugin from being installed or anything like that.
How about a solution where the plugin gets installed but the loginpage tells that the functionality has been disabled due to missing libs ?

I'm not sure there is a hook that makes it possible to disable password auth. But I'll look into it :-)

/Henrik Schack

Author:  VoxPelli [ Mon Jun 30, 2008 9:13 pm ]
Post subject:  Re: Yubikey plugin for Wordpress

Looks very interesting. I will certainly try to look a bit into this code and try to use it in a future WordPress-installations.

Page 1 of 2 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/