Yubico Forum

PostPosted: Mon Apr 29, 2013 7:36 pm 
Hello everyone... I downloaded the PHP class from here https://code.google.com/p/php-yubico/ to go with my Yubi Standard key.

Now I am just a sys admin and by no means any PHP guru, but I need to install a basic auth demo for the dev guys to test with.

So I unpacked this demo package on a Linux server, set up the MySQL database, imported db.sql and created a user and pass for database access. I then put this info in the config.php file.

Now I go to the index.html page, click on "Set username and password for this demo",
enter in a simple user and pass, press the Yubi key and in return I get a page that just says "Set username/password for demo".
Nothing gets entered into the database. I tested db connectivity and it's fine, as we have other apps that use PHP and MySQL on this dev server...

Even the simple one-factor Yubi key only fails with "Demo YubiKey only".
Any suggestions?

Thanks..

Rob..
Montreal, Canada



PostPosted: Tue Apr 30, 2013 8:15 am 
Site Admin
Hello Rob,

I'll try to help you out, but first I need you to clarify what you are trying to do, because I am not sure I get it.

If you want to test your Yubikeys, you simply visit http://demo.yubico.com/ and emit one OTP.
Username and Password for the demo pages are just placeholder text areas; they do not mean anything.

The purpose is to show you how to use YubiCloud to verify the OTP emitted by the Yubikey.


This code snippet will help you understand how to verify the user-submitted OTP:

Code:
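<?php
require_once 'Auth/Yubico.php';

# OTP as submitted by the user (hard-coded here for the demo)
$otp = "ccbbddeertkrctjkkcglfndnlihhnvekchkcctif";

# Generate a new id+key from https://api.yubico.com/get-api-key/
$yubi = new Auth_Yubico('42', 'FOOBAR=');

# verify() sends the OTP to YubiCloud and returns a PEAR error on failure
$auth = $yubi->verify($otp);
if (PEAR::isError($auth)) {
    # Escape server-supplied text before echoing it into HTML
    print "<p>Authentication failed: " . htmlspecialchars($auth->getMessage()) . "</p>";
    print "<p>Debug output from server: " . htmlspecialchars($yubi->getLastResponse()) . "</p>";
} else {
    print "<p>You are authenticated!</p>";
}
?>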




If this is not clear, please clarify what you are trying to achieve and which steps you followed from the INSTALLATION tutorial on GitHub.

https://github.com/Yubico/php-yubico

_________________
-Tom


PostPosted: Tue Apr 30, 2013 1:12 pm 
Hey Tom, thanks for your prompt reply. Sorry if I was not clear enough.
I am trying to set up an auth page like you have on your demo site for our CMS on our dev server that will use the same method as your two factor auth scheme with user/password with the Yubi key.

So I downloaded the PHP package which has the same files as your online demo, but just could not get that demo to work on our dev server. We want to protect a couple of CMS sites that we have and want to auth against the Yubi key with a username and password. Before I approach the dev guys I wanted to get a demo on our servers working to show them. Our end result is to give Yubi keys to all our customer service reps in house and abroad to auth on our CMS from anywhere using user/pass and the Yubi key.

I hope i am a bit clearer?

Thanks..

Rob


PostPosted: Tue Apr 30, 2013 1:54 pm 
Site Admin
Hello,

First, a simple clarification: you do not authenticate against the Yubikey. You authenticate against the YubiCloud.

The Yubikey generates an OTP, which is sent via a web request to the YubiCloud. The YubiCloud needs to validate the OTP and will return OK or an ERROR of some kind. This implies that you must be able to reach our API servers from your network (where the CMS is).

What is an OTP?
An OTP is a One Time Password generated following some kind of algorithm. The characteristic of Yubico's OTP is that the first 12 characters of the OTP identify the specific device. Those first 12 characters are the device "public_id".

Now, let's say that you have a database with 1 user: Alice.
What you need to do is add a column to your user table called "device_id" (or something meaningful). Now, at your login page, use some HTML to create a new text area. Call this field OTP and pass it to the PHP function that I pasted in the previous post. Next time Alice tries to log in, she will have to provide username, password and the OTP generated from the Yubikey.

At this point you will have 3 pieces of information:
username
password
OTP

Extract the first 12 characters from the OTP, and check if there is a match in the DB for that id. If the ID is associated with Alice, then proceed to the OTP verification, $yubi->verify($otp).
If you get an OK response, proceed with the normal log-in, verify the password and let the user in.

This is an example of how you can use the Yubikey for T-FA with PHP and a CMS. The only thing left to do is to install the Yubico-php module via PEAR as described in the GitHub tutorial. If you want to validate locally you will need to install the Yubico validation server and configure the Yubikey accordingly; see the documentation on yubico.com/documentation


Database example

user_table:
user_id | username | salted_hash(password) | device_id

query:
is "device_id" associated with "username" ?
|
-----> yes: validate otp, validate password
or
-----> no: tell the user that something was wrong

_________________
-Tom
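
The login flow described in the post above, as an added example that is not part of the original thread or of php-yubico. It generalizes the post slightly by taking the public id as everything before the final 32 characters of the OTP (12 characters on a default-configured key); `login()`, `$users`, `$verifyOtp` and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not from php-yubico. $users stands in for user_table and
// $verifyOtp is a hypothetical callable wrapping the YubiCloud check.

// Yubico OTP: 1-16 modhex chars of public id, then 32 modhex chars of ciphertext.
const OTP_PATTERN = '/^([cbdefghijklnrtuv]{1,16})[cbdefghijklnrtuv]{32}$/';

function login(array $users, callable $verifyOtp, string $username,
               string $password, string $otp): bool
{
    // Reject malformed input before it reaches the database or the network.
    if (preg_match(OTP_PATTERN, strtolower(trim($otp)), $m) !== 1) {
        return false;
    }
    [$otp, $publicId] = $m; // normalized OTP and its public id prefix

    // "Is device_id associated with username?" Any other key is refused here,
    // even if its OTP would validate.
    $user = $users[$username] ?? null;
    if ($user === null || !hash_equals($user['device_id'], $publicId)) {
        return false;
    }
    // Validate the OTP, then the password; callers show one generic error.
    return $verifyOtp($otp) && password_verify($password, $user['password_hash']);
}

// Constructed sample data (not real credentials or real OTPs).
$aliceOtp = 'ccccccbhjkdv' . 'hdrtuvcbdefghijklnrtuvcbdefghijk';
$otherOtp = 'ccccccrtuvgh' . 'hdrtuvcbdefghijklnrtuvcbdefghijk';
$users = ['alice' => [
    'device_id'     => 'ccccccbhjkdv',
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
]];

// Offline stand-in that accepts every OTP and counts calls. In production:
//   $yubi = new Auth_Yubico($clientId, $apiKey);
//   $verifyOtp = fn($otp) => !PEAR::isError($yubi->verify($otp));
$calls = 0;
$verifyOtp = function (string $otp) use (&$calls): bool { $calls++; return true; };

foreach ([
    'alice, own key'        => ['alice', 'correct horse', $aliceOtp],
    'alice, another key'    => ['alice', 'correct horse', $otherOtp],
    'alice, wrong password' => ['alice', 'wrong', $aliceOtp],
    'malformed otp'         => ['alice', 'correct horse', 'not-an-otp'],
] as $label => [$u, $p, $o]) {
    printf("%-22s %s\n", $label, login($users, $verifyOtp, $u, $p, $o) ? 'allow' : 'deny');
}
printf("verifier calls: %d\n", $calls);
```

The call counter shows which attempts were stopped by the device binding or format check before any validation request was made.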

