Yubico Forum

PostPosted: Mon Jul 20, 2015 3:44 pm 

Joined: Mon Jul 20, 2015 3:09 pm
Posts: 1
Hi, I hope this is not the totally wrong forum for this question.
I want to use a yubikey to authenticate on Linux against a radius server. This already works.
We also want to authenticate our Windows machines against AD using AuthLite. Unfortunately I was not able to do so using the same profile on the yubikey.
I am configuring my yubikey this way on Linux and insert it into the yubipam configuration:
# yubikey configuration
uid=$(openssl rand -hex 6)
fixed=$(openssl rand -hex 16 | tr "0-9a-f" "cbdefghijklnrtuv")
access=$(openssl rand -hex 6 )
ykpersonalize -1 -z
ykpersonalize -1 -oaccess=$access -ofixed=$fixed -ouid=$uid -oappend-cr -o-strong-pw1 -o-strong-pw2 -o-man-update

# yubipam configuration
ykpasswd -a -u $username -k $AES-FROM-ykpersonalize -o $OTP-from-token

# check token
ykvalidate -u $username $OTP-from-token

This works without a problem.
I got some xml files from the workmate that is responsible for the AuthLite/AD integration.
My idea was to extract the data from the xml file and configure it into yubipam.
The xml file looks like this:
<?xml version="1.0" encoding="utf-8"?>
<AuthLiteData xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schema.collectivesoftware.com/products/authlite/databucket/1.0">
      <OathInterval xsi:nil="true" />
      <OathDrift xsi:nil="true" />

I simply assumed AES-key = AES-key and tried to reuse the aes key in yubipam:
ykpasswd -a -u $username -k $AES-FROM-XMLFILE -o $OTP-from-token

Unfortunately this does not work:
Adding Yubikey entry for $username
Invalid OTP specified!

The OTP has the same length. The PublicIdReadable from the xml file is the hex representation of the modhex from the key.
This can be checked this way:
echo $PublicIdReadable-from-xml | tr "0-9a-f" "cbdefghijklnrtuv"

Using the same profile in two authentication systems should work. At least I had no problems authenticating against freeradius/yubipam at work and yubipam at home with the same yubikey and same profile.

Please help me.
Best regards.

PostPosted: Tue Jul 21, 2015 7:17 pm 

Joined: Fri Jun 20, 2008 2:59 am
Posts: 84
I see you also opened a support request at our site, so I'll continue with you over there. I just wanted to post this here in case someone else had the same question.

Your assumption about the AES key is wrong. We encrypt that value for export, mostly for historical reasons.

Anyway, you super should not do the thing you are trying to do. Sharing a single yubikey across more than one authority makes you vulnerable to cross authority replay attacks. If you want to use AD as the central store for your users, AuthLite can do everything and you don't need any of the Yubico software.

If you need to have separate authorities, then you should use separate yubikeys.
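An added illustration of the cross-authority replay the reply warns about (example code written for this page, not Yubico or AuthLite code). It models two independent validators that each track the YubiKey's (session, use) counters; the hex-to-modhex mapping is the same one as the `tr` check in the question. Assumption: the token part of the OTP is shown in clear to keep the counter logic readable, whereas a real YubiKey token is AES-128 encrypted under the key's AES key.

```python
from dataclasses import dataclass, field

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet, in the order of hex 0..f
HEX = "0123456789abcdef"


def hex_to_modhex(h: str) -> str:
    """Same mapping as `tr "0-9a-f" "cbdefghijklnrtuv"` in the question."""
    return h.translate(str.maketrans(HEX, MODHEX))


def modhex_to_hex(m: str) -> str:
    return m.translate(str.maketrans(MODHEX, HEX))


def make_otp(public_id_hex: str, session: int, use: int) -> str:
    # Constructed, simplified OTP: 12 modhex chars of public id followed by
    # a clear-text session counter (2 bytes) and session-use counter (1 byte).
    # Real tokens carry these counters inside the AES-encrypted part.
    token_hex = f"{session:04x}{use:02x}"
    return hex_to_modhex(public_id_hex) + hex_to_modhex(token_hex)


@dataclass
class Validator:
    """One validation authority (yubipam, freeradius, AuthLite ...). It stores the
    highest (session, use) counter pair it has seen for each public id and
    rejects any OTP whose counters are not strictly newer."""
    name: str
    last: dict = field(default_factory=dict)

    def validate(self, otp: str) -> bool:
        public_id, token = otp[:12], modhex_to_hex(otp[12:])
        counter = (int(token[:4], 16), int(token[4:6], 16))
        if counter <= self.last.get(public_id, (-1, -1)):
            return False          # replayed or stale OTP
        self.last[public_id] = counter
        return True


def replay_demo():
    """Returns (first use at A, replay at A, replay at B) for one OTP."""
    a, b = Validator("yubipam"), Validator("AuthLite")   # independent counter state
    otp = make_otp("0123456789ab", session=7, use=3)     # constructed public id
    first = a.validate(otp)        # fresh at A: accepted
    replay_a = a.validate(otp)     # A remembers the counter: rejected
    replay_b = b.validate(otp)     # B never saw it: accepted, the cross-authority replay
    return first, replay_a, replay_b
```

Only a single authority (or one key per authority) sees every counter increment, which is why the reply recommends either AuthLite alone or separate yubikeys.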
