Yubico Forum

I know with RSA, you can enter a pin and then enter your key from your RSA token. I'm wondering if this can be done with the Yubikey for my VPN.

The way I imagine this would work is to have my Yubikey not enter the Public Identity. This would force my users to type the Public Identity before pressing the button on the Yubikey.

Any other thoughts?

If your able to adjust the authentication, it should be simple to address.

I'm assuming there is one password field? If so, have the user enter their pin and then press the yubikey button. On the backend, split the string and process the last 44 characters as the yubikey and the first for the pin (most likely ends up processing to make sure the pin is correct, then the yubikey is assigned to the account and finally authenticating the OTP portion of the key (either via Yubico's authentication servers or your own depending on your setup)).

I know with the Yubikey PAM module this is how it functions (if you elect to set it up as such).

Since Yubico make such a big deal of providing "two-factor authentication" (e.g. http://www.yubico.com/yubikey ), it seems strange that it's not implemented centrally.

If I understand this right: every application which wants to use two factor authentication - like this forum for example - has to (a) keep its own local database of passwords, or access some shared internal database; and (b) either prompt for the password separately, or split the entered code into password prefix + OTP suffix, and validate them both.

ISTM there would be value in providing this service centrally, i.e. be able to configure a password prefix for your token, which the cloud auth service checks on each auth, and being able to change it online. However, care would be required that the API keys are being used properly to protect the password in transit; and there would have to be some sort of password recovery process (perhaps linked to a master key, like yubirevoke)

The stripping and checking of password prefix could be requested by a flag at API call time, so that applications which want to check *only* the yubikey response can continue to do so.

Has this idea been considered and discounted?

Another option would be modifying pam_yubico to have a password prefix for each user (either in the yubikey_mappings file or in LDAP), which would at least support those applications which use PAM.

I have two particular applications in mind:

(1) RADIUS. I have freeradius up and running doing basic yubikey auth for VPN authorization. For 2-factor auth I'll have to configure it to split the User-Password into prefix + 44 char suffix (doable with regexp match), then check the prefix against a local file before using auth_pam. (Actually it's possible to require both auth_pam and auth_pap using configurable failover, but I think they both check the same User-Password attribute). This is rather fiddly though.

(2) Kerberos with Yubikey preauth:
https://www.nordu.net/~linus/INSTALL-krb5-fast-otp.html
I haven't set this up yet. However I see it uses the yubico C client library rather than PAM, so I don't think there's a simple hook for adding password prefix checking. If the cloud API did the prefix checking then of course this would just work.

Thanks,

Brian.

FYI, I have added a recipe for configuring 2-factor authentication for freeradius in a comment at the foot of
http://code.google.com/p/yubico-pam/wik ... iusYubiKey

However this still involves keeping a local PIN database in freeradius, and copying it around if you have more than one.