Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:02 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Thu Nov 06, 2014 11:19 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
I have a VPN client application which currently supports HOTP and TOTP via oath-toolkit, automatically generating response codes where the VPN server requests them: http://www.infradead.org/openconnect/token.html

I would like to support OATH using Yubikeys too. Do I need to use libykneomgr and construct the traffic myself, having worked out what to send from commands.py and functions.py in yubico_authenticator? Or is there a better way?


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Nov 10, 2014 9:56 am 
Offline
Site Admin
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
try the test client here:
https://github.com/Yubico/ykneo-oath

_________________
-Tom


Top
 Profile  
Reply with quote  
PostPosted: Wed Nov 12, 2014 2:45 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
Thanks. As with the python yubico-authenticator, that's kind of useful because it shows the commands to use. However, there are a bunch of things missing from it — like locking with SCardBeginTransaction() when we need to talk to the card, and reselecting the ykneo-oath applet because OpenSC might have been talking to the PIV applet when we come back for a new tokencode. Currently, yubico-authenticator breaks when that happens.

It would be *so* useful if there was a simple library I could use to handle this for me, using something reminiscent of PKCS#11 URIs. So I just have a function which can give me a tokencode for file://home/dwmw2/foo.pskc (updating the counter in the file as appropriate if it's a HOTP token, with file locking done consistently too). Or for yubikey://cardident/objectname for yubikey, for example, without individual applications having to have hardware-specific details.

And while I think of it, wouldn't it be useful if RFC6030 defined a way for a PSKC file to refer to a token's secret key by means of a PKCS#11 URI?
And my hypothetical library (which is actually what oath-toolkit *ought* to provide instead of just the disjoint libpskc and liboath libraries) would Just Work™ with tokens in that form too.

Anyway, I now have OpenConnect authenticating automatically to VPN servers using HOTP/TOTP tokens from a Yubikey NEO (as well as SSL private keys stored therein). There's a little more cleanup to be done, but I've pushed it to http://git.infradead.org/users/dwmw2/op ... ff/c24046b

It's the first time I've ever looked at PC/SC code so I don't claim there's anything particularly competent about it, but if you want to use any of it as the basis for a C library that at *least* supports Yubikey (rather than embarking on the grand plan outlined above), you're welcome to it under LGPLv2 or later.


Top
 Profile  
Reply with quote  
PostPosted: Fri Nov 14, 2014 3:46 pm 
Offline

Joined: Thu Nov 06, 2014 5:09 pm
Posts: 20
Update: I've now pushed this out, and it's documented at http://www.infradead.org/openconnect/token.html

Code at http://git.infradead.org/users/dwmw2/op ... /yubikey.c

Any review comments would be welcome. It would be useful to have a consistent interface for using Yubikey from various applications.

Code:
$ ./openconnect --token-mode yubikey  --token-secret 'rôle ♥ foo' $SERVER

Found ykneo-oath applet v0.2.1.
PIN required for Yubikey OATH applet
Yubikey PIN:<wrong PIN>
Failure response to "unlock command": 6a80
PIN required for Yubikey OATH applet
Yubikey PIN:<correct PIN>
Found TOTP/SHA1 key 'rôle ♥ foo' on 'Yubico Yubikey NEO CCID 00 00'
POST https:/$SERVER/
...
Please enter your username and password.
Username:foo
Password:
Generating Yubikey token code
POST https://$SERVER/+webvpn+/index.html


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group