Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:25 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Nov 20, 2014 6:29 pm 
Offline

Joined: Thu Nov 20, 2014 2:48 pm
Posts: 2
Hey.

So, I own a couple yubikeys, but only one NEO. Started playing around with that one today and managed to upload some gpg keys, set up ssh authentication using the authentication key and just migrated my Google TFA details to the OATH applet/the yubico authenticator app on Android (or _off_ Android?).

Great stuff. Now I want more.. :)

TOTP seems to be the nicest option (see below for my reasoning). Question time!

- TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?

- How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine .. what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.

- Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?

Thanks a lot for your help/input,
Ben

A bit of history/rationale:
Previously I wasn't using it (the NEO, or the previous Yubikeys) for lots of services, because

- OATH was limited to HOTP (vs. TOTP). Requiring a counter doesn't work if you want to access multiple machines/services - you can't keep it in sync. The token itself doesn't support TOTP and the only workaround was something like [1]

- Challenge/Response doesn't work without explicit protocol support (I cannot use that with my mail client for example)

- Yubico OTP is no option - that doesn't work for filtered internet access/intranet services/offline stuff. I tried running my own validation server in the past, but that was quite a challenge.

- I never understood the 'static password' feature, to be honest..

1: https://www.yubico.com/applications/int ... ces/gmail/


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Nov 21, 2014 11:45 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
darklajid wrote:

TOTP seems to be the nicest option (see below for my reasoning). Question time!

- TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?

No, it is a real OATH applet. Check https://github.com/Yubico/ykneo-oath and read documentation

darklajid wrote:
- How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine .. what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.

You can have many, I have 50 and there is plenty of space left.

darklajid wrote:
- Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?

check out the yubico authenticator desktop version of the command line client
https://github.com/Yubico/ykneo-oath/bl ... /client.pl

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 21, 2014 12:05 pm 
Offline

Joined: Thu Nov 20, 2014 2:48 pm
Posts: 2
Tom wrote:
darklajid wrote:

TOTP seems to be the nicest option (see below for my reasoning). Question time!

- TOTP seems to be supported by the ykneo-oath applet. Is that true or is that applet basically offering challenge/response and the yubico authenticator 'cheats'/provides the time (as in [1])?

No, it is a real OATH applet. Check https://github.com/Yubico/ykneo-oath and read documentation


Oh. I think I was phrasing my question in a crappy way. Looking at the client.pl now it seems that I was correct with my assumption (needs input/the current time for TOTP, which makes sense: It has no battery or state as far as I'm aware), I was just bad at describing them.

Tom wrote:
darklajid wrote:
- How many secrets can that applet store? If I want lastpass, fastmail, google, random servers of mine .. what's the limit? Tried only one so far, but the limitations would be great to know and define how useful that'd be for my uses.


You can have many, I have 50 and there is plenty of space left.


That's amazing. And this isn't something entirely new, right? neo vs. neo-n are roughly comparable here (I assume you use the latest and greatest, looking at neo-n tokens)?

Tom wrote:
darklajid wrote:
- Is there a way to expose that otp somehow, with a console app? I'm trying to figure out if I can use 'standard' totp services, store the secret on the yubikey and have a portable 'give me the totp for service "foo"'. Basically the yubico authenticator, but the (Linux) laptop version when I don't have the phone in reach/the battery's dead/I'd like to copy and paste instead of reading off my mobile's screen?

check out the yubico authenticator desktop version of the command line client
https://github.com/Yubico/ykneo-oath/bl ... /client.pl


This made my day. Sorry that I missed it earlier, I should have noticed that before. That is _amazing_.
Thanks a lot for your time.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Heise IT-Markt [Crawler] and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group