Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:13 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Pin + YubiKey?
PostPosted: Thu Feb 02, 2012 8:13 pm 
Offline

Joined: Thu Feb 02, 2012 7:59 pm
Posts: 2
I know with RSA, you can enter a pin and then enter your key from your RSA token. I'm wondering if this can be done with the Yubikey for my VPN.

The way I imagine this would work is to have my Yubikey not enter the Public Identity. This would force my users to type the Public Identity before pressing the button on the Yubikey.

Any other thoughts?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Pin + YubiKey?
PostPosted: Thu Feb 02, 2012 10:07 pm 
Offline

Joined: Sat Jan 14, 2012 3:05 am
Posts: 7
If your able to adjust the authentication, it should be simple to address.

I'm assuming there is one password field? If so, have the user enter their pin and then press the yubikey button. On the backend, split the string and process the last 44 characters as the yubikey and the first for the pin (most likely ends up processing to make sure the pin is correct, then the yubikey is assigned to the account and finally authenticating the OTP portion of the key (either via Yubico's authentication servers or your own depending on your setup)).

I know with the Yubikey PAM module this is how it functions (if you elect to set it up as such).


Top
 Profile  
Reply with quote  
 Post subject: Re: Pin + YubiKey?
PostPosted: Thu May 03, 2012 9:50 am 
Offline

Joined: Fri Mar 16, 2012 10:58 am
Posts: 5
Since Yubico make such a big deal of providing "two-factor authentication" (e.g. http://www.yubico.com/yubikey ), it seems strange that it's not implemented centrally.

If I understand this right: every application which wants to use two factor authentication - like this forum for example - has to (a) keep its own local database of passwords, or access some shared internal database; and (b) either prompt for the password separately, or split the entered code into password prefix + OTP suffix, and validate them both.

ISTM there would be value in providing this service centrally, i.e. be able to configure a password prefix for your token, which the cloud auth service checks on each auth, and being able to change it online. However, care would be required that the API keys are being used properly to protect the password in transit; and there would have to be some sort of password recovery process (perhaps linked to a master key, like yubirevoke)

The stripping and checking of password prefix could be requested by a flag at API call time, so that applications which want to check *only* the yubikey response can continue to do so.

Has this idea been considered and discounted?

Another option would be modifying pam_yubico to have a password prefix for each user (either in the yubikey_mappings file or in LDAP), which would at least support those applications which use PAM.

I have two particular applications in mind:

(1) RADIUS. I have freeradius up and running doing basic yubikey auth for VPN authorization. For 2-factor auth I'll have to configure it to split the User-Password into prefix + 44 char suffix (doable with regexp match), then check the prefix against a local file before using auth_pam. (Actually it's possible to require both auth_pam and auth_pap using configurable failover, but I think they both check the same User-Password attribute). This is rather fiddly though.

(2) Kerberos with Yubikey preauth:
https://www.nordu.net/~linus/INSTALL-krb5-fast-otp.html
I haven't set this up yet. However I see it uses the yubico C client library rather than PAM, so I don't think there's a simple hook for adding password prefix checking. If the cloud API did the prefix checking then of course this would just work.

Thanks,

Brian.


Top
 Profile  
Reply with quote  
 Post subject: Re: Pin + YubiKey?
PostPosted: Mon May 28, 2012 4:42 pm 
Offline

Joined: Fri Mar 16, 2012 10:58 am
Posts: 5
FYI, I have added a recipe for configuring 2-factor authentication for freeradius in a comment at the foot of
http://code.google.com/p/yubico-pam/wik ... iusYubiKey

However this still involves keeping a local PIN database in freeradius, and copying it around if you have more than one.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group