Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:08 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Sun Dec 14, 2008 9:53 pm 
Offline

Joined: Wed Jul 02, 2008 5:16 pm
Posts: 5
Hi,

I have successfully been able to program my key using the linux key personalizer and verified it with the ./ykdebug utility. I am now trying to configure the server and think I am doing all the right things but it doesnt want to cooperate.

I am hoping someone can help by showing me what I am doing wrong. Here is the programming of the key and the config file. Please show me what it should be based on the programmin og the key portion:
Code:
root@eee:~/yubikey-personalization-read-only# ./ykpersonalize -ouid=abc123
Passphrase to create AES key: secretstuff
Firmware version 1.3.0 Touch level 9328 Program sequence 21
fixed:
uid:hbhdheebedee
key:hljcnnigitbvbfliftdrdukrgkehiikh
acc_code:cccccccccccc
ticket_flags:APPEND_CR
config_flags:
root@eee:~/yubikey-personalization-read-only# rmmod usbhid && modprobe usbhid
root@eee:~/yubikey-personalization-read-only# cd ../yubico-c-read-only/
root@eee:~/yubico-c-read-only# ls
aclocal.m4      configure.ac   Makefile     README            ykdebug.o
AUTHORS         COPYING        Makefile.am  selftest          yubikey.c
autom4te.cache  depcomp        Makefile.in  selftest.c        yubikey.h
config.guess    INSTALL        missing      selftest.o        yubikey.lo
config.log      install-sh     modhex       simple.mk         yubikey.o
config.status   libtool        modhex.c     test-vectors.txt
config.sub      libyubikey.la  modhex.o     ykdebug
configure       ltmain.sh      NEWS         ykdebug.c
root@eee:~/yubico-c-read-only# ./ykdebug hljcnnigitbvbfliftdrdukrgkehiikh kkrhgicjgvdlklcgecthkuneevniuild
Input:
  token: kkrhgicjgvdlklcgecthkuneevniuild
          99 c6 57 08 5f 2a 9a 05 30 d6 9e b3 3f b7 e7 a2
  aeskey: hljcnnigitbvbfliftdrdukrgkehiikh
          6a 80 bb 75 7d 1f 14 a7 4d 2c 2e 9c 59 36 77 96
Output:
          61 62 63 31 32 33 01 00 5e 70 d5 00 79 f1 e2 93

Struct:
  uid: 61 62 63 31 32 33
  counter: 1 (0x0001)
  timestamp (low): 28766 (0x705e)
  timestamp (high): 213 (0xd5)
  session use: 0 (0x00)
  random: 61817 (0xf179)
  crc: 37858 (0x93e2)

Derived:
  cleaned counter: 1 (0x0001)
  modhex uid: hbhdheebedee
  triggered by caps lock: no
  crc: F0B8
  crc check: ok
root@eee:~/yubico-c-read-only#


What should the contents of this yubiphpbase config.php file be given the above:

Code:
/******* Erase this section after installation *******/
*

// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = '...enter yours...';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '...enter yours...';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = '.....enter yours.....';

*
********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
$aesParams['__ENC_KEY_SECRET__'] = '.....enter yours.....';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'localhost';
$baseParams['__DB_USER__'] = '...enter yours...';
$baseParams['__DB_PW__'] = '...enter yours...';
$baseParams['__DB_NAME__'] = '...enter yours...';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com';
$baseParams['__ROOT_EMAIL__'] = '...enter yours...';


$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '...enter yours...';

//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';



thanks


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Dec 16, 2008 4:13 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We are assuming following parameters for hosting a Yubico Validation Server:

    1) Pin for two factor authentication : 12345
    2) AES secret Key: yubicovalidationserver (Base64 encoded output: eXViaWNvdmFsaWRhdGlvbnNlcnZlcg== )
    3) Random Secret: YubicoYubikey (Base64 encoded output: WXViaWNvWXViaWtleQ==)
    4) MySQL Database Server hostname: sql.test.com
    5) MySQL User name : yubico
    6) MySQL User password: test123
    7) MySQL Database name: yubikey
    8) Root Email Address: admin@test.com
    9) Apache http document root: /var/www/html

The content of yubiphpbase config.php based on above parameters would be:

Code:
<?php
/******************************************************
 *
 *      Customize EVERY parameter for your environment
 *
 ******************************************************/

//// AES secrets
//
$aesParams = array ();

/******* Erase this section after installation *******/
*

// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = 'vrkvfefuitvfiuibirllecjgbbnfhhirchithtvfrrbd';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '12345';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';

*
********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
$aesParams['__ENC_KEY_SECRET__'] = 'WXViaWNvWXViaWtleQ==';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'sql.test.com';   
$baseParams['__DB_USER__'] = 'yubico';
$baseParams['__DB_PW__'] = 'test123';
$baseParams['__DB_NAME__'] = 'yubikey';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com'; 
$baseParams['__ROOT_EMAIL__'] = 'admin@test.com';

$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '/var/www/html';

//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';

?>




As the AES key generated using the "ykpersonalize" tool is modhex encoded, we need to first decode (modhex decode) the AES key, then convert the decoded key to base64 encoded format and store it into the config.php file.

We are currently upgrading Yubico personalization tool and Yubico Management Server. The new versions would be released soon which would address all the above mentioned issues.


Top
 Profile  
Reply with quote  
PostPosted: Sun Dec 21, 2008 6:54 am 
Offline

Joined: Wed Jul 02, 2008 5:16 pm
Posts: 5
I assume $opt=""; is a key press of my earlier programmed key?

Assuming this I installed using these configs and get this in the kms.log file:

2008-12-20 22:10:00: OTP failed: Key authentication failed: Could not parse response, otp=ndnurjtddcgdfbcrhubneefdgikhrtuc12345 by 192.168.100.13

I even tried without the PIN concatinated and get the same:

2008-12-20 23:52:47: OTP failed: Key authentication failed: Could not parse response, otp=rguvvirtcdchgrkkkghbdvihgflivcgh by 192.168.100.13

ideas?


Top
 Profile  
Reply with quote  
PostPosted: Sun Dec 21, 2008 7:03 pm 
Offline

Joined: Wed Jul 02, 2008 5:16 pm
Posts: 5
I tried

http://192.168.100.10/wsapi/verify_debu ... nfblfbhveu

and get:

Code:
<p>Debug> Invalid Yubikey gjndfgngdkkl
status=BAD_OTP
info=gjndfgngdkklvcjgebindtfivnenigdt
t=2008-12-21T18:00:36
<p>Debug> SIGN: info=gjndfgngdkklvcjgebindtfivnenigdt&status=BAD_OTP&t=2008-12-21T18:00:36
h=Ju1U9ETdOBgtxKqsO6x9B5EEyR0=


I also noticed that it does not appear to prepend the key identity to the otp (as seen by the following sequential keys):

Code:
jhblvdnekterkuddhrcniidnrkgvugbt
uebnhhnjlcrdgvdbghfjbkgnlbcjirti
nkktenriengnegdevcvrcfulindhtetv
undcvehjcngrkvegigerdljbngnkhhnb
tluitcffjrhbngidlnfbenthvgtgitbe


Did I program the key incorrectly I thought the 1st 12 characters were static??


Top
 Profile  
Reply with quote  
PostPosted: Mon Dec 22, 2008 1:49 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
dion.rowney wrote:
I assume $opt=""; is a key press of my earlier programmed key?


In the yubiphpbase config.php file, we have to store a OTP generated from reprogrammed YubiKey.

The stored OTP in the config.php file must be 44 characters long (First 12 characters of Static ID + 32 characters of OTP)

The first 12 charectors of OTP representing static ID will be first decoded from modHAX and the decoded static ID will be encoded in base64 format and stored in Database.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 23, 2008 6:22 am 
Offline

Joined: Wed Jul 02, 2008 5:16 pm
Posts: 5
adding the -ofixed seemed add the extra 12 chars at the front to make it 44, but still not luck


So it definately looks like they key programming if root cause. Is the following what would be correct for the above example to work? and set otp=to an output? or is the passphase aes key the other secret?

Code:
root@eee:~/yubikey-personalization-read-only# ./ykpersonalize -ouid=abc123 -ofixed=abc123
Passphrase to create AES key: yubicovalidationserver
Firmware version 1.3.0 Touch level 9376 Program sequence 24
fixed:hbhdheebedee
uid:hbhdheebedee
key:nfrrcjjhjnglvdtfktgctjcjfjulduig
acc_code:cccccccccccc
ticket_flags:APPEND_CR
config_flags:
root@eee:~/yubikey-personalization-read-only#


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 23, 2008 8:25 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate if you can share following information with us.

    1) yubiphpbase config.php file
    2) Five OTPs generated from your YubiKey

This would help us to figure out a problem you are facing.


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 23, 2008 2:56 pm 
Offline

Joined: Wed Jul 02, 2008 5:16 pm
Posts: 5
Code:
//// AES secrets
//
$aesParams = array ();

/******* Erase this section after installation *******/


// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = 'hbhdheebedeehdifkebgfhhbflrjccegdrctffnblrub';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '12345';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';


/********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'cretsec';
$aesParams['__ENC_KEY_SECRET__'] = 'WXViaWNvWXViaWtleQ==';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'localhost';
$baseParams['__DB_USER__'] = 'yubico';
$baseParams['__DB_PW__'] = 'yub1c0';
$baseParams['__DB_NAME__'] = 'yubico';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com';
$baseParams['__ROOT_EMAIL__'] = 'dion.rowney@gmail.com';

$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '/var/www';


//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';



and some otps

Code:
hbhdheebedeebtelvcegicernitfrggtblntntirvhgg
hbhdheebedeeujdjujrrujbjtgkiekkddujeelvjjgcc
hbhdheebedeejerdfrreuifjblkljjnnnhuvididrctu
hbhdheebedeedulhncujiibgjjnlbflvibhidthulcle
hbhdheebedeehlgtdifhcrbbhrercrcuirnclllutuef



Top
 Profile  
Reply with quote  
PostPosted: Wed Dec 24, 2008 6:57 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thanks for providing this valuable information. We are looking into this and will update you asap.


Top
 Profile  
Reply with quote  
PostPosted: Mon Dec 29, 2008 4:19 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
In order to successfully decrypt the OTP, AES key provided in the "config.php" file must be the one with which we have reprogrammed the YubiKey.

dion.rowney wrote:
// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';


Please replace "$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';" with $aesParams['__ADM_KEY_SECRET__'] = 'tMwIhota8tSdUNgISOoudQ==';

This should solve the issue and Yubico Validation server should verify your OTP correctly.
We have successfully tested it in our test environment.

Please let us know if your are facing any further configuration problems.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group