Yubico Forum
https://forum.yubico.com/

yubipam + authlite with same yubikey profile possible?
https://forum.yubico.com/viewtopic.php?f=16&t=1968
Page 1 of 1

Author:  adrian [ Mon Jul 20, 2015 3:44 pm ]
Post subject:  yubipam + authlite with same yubikey profile possible?

Hi, I hope this is not the totally wrong forum for this question.
I want to use a yubikey to authenticate on Linux against a RADIUS server. This already works.
We also want to authenticate our Windows machines against AD using AuthLite. Unfortunately I was not able to do so using the same profile on the yubikey.
I am configuring my yubikey this way on Linux and insert it into the yubipam configuration:
Code:
# yubikey configuration
uid=$(openssl rand -hex 6)
fixed=$(openssl rand -hex 16 | tr "0-9a-f" "cbdefghijklnrtuv")
access=$(openssl rand -hex 6 )
ykpersonalize -1 -z
ykpersonalize -1 -oaccess=$access -ofixed=$fixed -ouid=$uid -oappend-cr -o-strong-pw1 -o-strong-pw2 -o-man-update

# yubipam configuration
ykpasswd -a -u $username -k $AES-FROM-ykpersonalize -o $OTP-from-token

# check token
ykvalidate -u $username $OTP-from-token



This works without a problem.
I got some xml files from the workmate that is responsible for the AuthLite/AD integration.
My idea was to extract the data from the xml file and configure it into yubipam.
The xml file looks like this:
Code:
<?xml version="1.0" encoding="utf-8"?>
<AuthLiteData xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schema.collectivesoftware.com/products/authlite/databucket/1.0">
  <Keys>
    <AuthLiteKey>
      <PublicId>65d2a1ce80d50ad8a67b0d705c0acd40</PublicId>
      <PublicIdReadable>2b6858c208d04cb0e7a9f1cea451c120</PublicIdReadable>
      <AesKey>276649e34a78c802975636c0faf9c76f</AesKey>
      <OtpCounter>0</OtpCounter>
      <Timestamp>0</Timestamp>
      <SecretId>89768ac03843</SecretId>
      <SerialNumber>3971014</SerialNumber>
      <OathInterval xsi:nil="true" />
      <OathDrift xsi:nil="true" />
      <CounterUpdateTimestamp>0001-01-01T00:00:00</CounterUpdateTimestamp>
    </AuthLiteKey>
  </Keys>
</AuthLiteData>


I simply assumed AES key = AES key and tried to reuse the AES key in yubipam:
Code:
ykpasswd -a -u $username -k $AES-FROM-XMLFILE -o $OTP-from-token

Unfortunately this does not work:
Code:
Adding Yubikey entry for $username
Invalid OTP specified!

The OTP has the same length. The PublicIdReadable from the xml file is the hex representation of the modhex from the key.
This can be checked this way:
Code:
echo $PublicIdReadable-from-xml | tr "0-9a-f" "cbdefghijklnrtuv"


Using the same profile in two authentication systems should work. At least I had no problems authenticating against freeradius/yubipam at work and yubipam at home with the same yubikey and same profile.

Please help me.
Best regards.

Author:  ferrix [ Tue Jul 21, 2015 7:17 pm ]
Post subject:  Re: yubipam + authlite with same yubikey profile possible?

I see you also opened a support request at our site, so I'll continue with you over there. I just wanted to post this here in case someone else had the same question.

Your assumption about the AES key is wrong. We encrypt that value for export, mostly for historical reasons.

Anyway, you super should not do the thing you are trying to do. Sharing a single yubikey across more than one authority makes you vulnerable to cross-authority replay attacks. If you want to use AD as the central store for your users, AuthLite can do everything and you don't need any of the Yubico software.

If you need to have separate authorities, then you should use separate yubikeys.
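An added illustration of the replay point ferrix makes (written for this page; not code from the thread, yubipam, Yubico or AuthLite): two validation authorities hold their own copy of one AES key and their own accepted-counter state, as they would if the same profile were registered in both yubipam and AuthLite. The names `Authority`, `Validate` and `makeOTP`, and the key, public id and uid used with them, are assumptions; modhex decoding (the `tr` step in the first post) is left to the caller.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// crc16: poly 0x8408, init 0xffff; a whole 16-byte token with its CRC field yields 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// Authority is one validation server (yubipam, AuthLite, ...); the highest accepted counter is per authority.
type Authority struct{ key, uid []byte; last uint32 }
// Validate takes decoded OTP bytes and accepts only a matching uid, an intact CRC and a strictly higher counter.
func (a *Authority) Validate(otp []byte) bool {
	blk, err := aes.NewCipher(a.key) // assumed: a 16-byte AES-128 key
	if err != nil || len(otp) < 16 {
		return false
	}
	pt := append([]byte(nil), otp[len(otp)-16:]...) // the token is the last 16 bytes, after the public id
	blk.Decrypt(pt, pt)
	if string(pt[:6]) != string(a.uid) || crc16(pt) != 0xf0b8 {
		return false
	}
	ctr := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11]) // session counter, session use
	if ctr <= a.last {
		return false // this authority has already accepted it: a replay
	}
	a.last = ctr
	return true
}
// makeOTP stands in for the YubiKey and builds a constructed OTP (uid, counters, CRC, AES-128, public id prefix).
func makeOTP(key, publicID, uid []byte, session uint16, use byte) []byte {
	pt := make([]byte, 16)
	copy(pt, uid)
	binary.LittleEndian.PutUint16(pt[6:], session)
	pt[11] = use
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	blk, _ := aes.NewCipher(key) // helper only; key length is assumed valid
	blk.Encrypt(pt, pt)
	return append(append([]byte(nil), publicID...), pt...)
}
```

Accepting an OTP at one authority advances only that authority's counter, so the same OTP is still fresh at the other one; that is the cross-authority replay ferrix describes, and why a single authority (or separate keys per authority) is the fix.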
