Yubico Forum

All times are UTC + 1 hour




 Post subject: Offline Authentication
PostPosted: Tue Jul 01, 2008 7:35 am 

Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
A few mates and I were planning to use the Yubikey to authenticate a network of ours on a locally administered server. However, the current PAM implementation still requires the web API to authenticate.

Our intention is to build a localised PAM implementation for the Yubikey and are curious if there is any interest for an authentication system that does not require access to the internet. Our intention is to have central administration for updating, managing and processing Yubikeys as soon as a Linux variant of the config tool is finalised.

If it works as expected we will most likely build a GINA version for NT/2000/XP variants.

_________________
http://www.securixlive.com/yubipam



PostPosted: Tue Jul 01, 2008 11:27 am 
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
firnsy wrote:
A few mates and I were planning to use the Yubikey to authenticate a network of ours on a locally administered server. However, the current PAM implementation still requires the web API to authenticate.

Our intention is to build a localised PAM implementation for the Yubikey and are curious if there is any interest for an authentication system that does not require access to the internet. Our intention is to have central administration for updating, managing and processing Yubikeys as soon as a Linux variant of the config tool is finalised.

If it works as expected we will most likely build a GINA version for NT/2000/XP variants.


A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon


PostPosted: Tue Jul 01, 2008 12:47 pm 

Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
Simon wrote:
A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon


Cool.

Yeah I've looked at every bit of available source to do with the Yubikey and they all provide excellent references. Our authentication requirements are from initial logon and require PAM compatibility so the Java server won't suffice in this situation.

The specs we would be looking at implementing are:
    1. minimalist database backend tracking public id, AES key
    2. per user settings tracking private id and previous logon times
    3. usb event actions on (detection yubikey insert and removal)
    4. administration tool for coding a yubikey whilst syncing with the user database

If there is an available linux config tool for testing we would be happy to assist.

_________________
http://www.securixlive.com/yubipam


PostPosted: Wed Jul 02, 2008 2:55 pm 
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
firnsy wrote:
Simon wrote:
A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon


Cool.

Yeah I've looked at every bit of available source to do with the Yubikey and they all provide excellent references. Our authentication requirements are from initial logon and require PAM compatibility so the Java server won't suffice in this situation.

The specs we would be looking at implementing are:
    1. minimalist database backend tracking public id, AES key
    2. per user settings tracking private id and previous logon times
    3. usb event actions on (detection yubikey insert and removal)
    4. administration tool for coding a yubikey whilst syncing with the user database

If there is an available linux config tool for testing we would be happy to assist.


I think the PAM module should be enhanced with AES-decryption capabilities, and a small database. That would solve your 1 and 2.

For 3, just check for the yubikey usb ids in the output from e.g. 'lsusb'.

Regarding 4, we have some Windows LibUSB based code to program a new AES key available:

http://code.google.com/p/yubico-usb-win32/

We haven't made the code public yet, so don't tell anyone. :)

It is possible to get this code running under linux, but for some reason, in order to avoid a problem with an exclusive lock from the 'usbhid' driver, you will need to re-load the usb drivers if you want to program a new AES key:

Code:
rmmod usbhid && modprobe usbhid quirks=0x1050:0x0010:0x04


Either the code should be merged into 'yubico-c' or a separate project should be started, with some more linux-friendly makefiles and build scripts. There are a few minor flaws in the published code, but you'll notice them for yourself.

Thanks,
Simon
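
Added example (not part of the original posts, and not Yubico's or the posters' code): the checks a local validator of the kind discussed in this thread would run after the OTP's 16-byte block has been AES-128 decrypted with the key looked up by public id. The field layout and CRC residue follow the published Yubico OTP format; the `record` dict, the function names and the sample values are constructed for illustration, and the AES step itself is assumed to be done with a crypto library.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex alphabet: index in this string = hex nibble value

def modhex_decode(s):
    """Decode a modhex string (the keyboard-layout-safe hex a YubiKey types) to bytes."""
    return bytes.fromhex("".join("%x" % MODHEX.index(c) for c in s.lower()))

def modhex_encode(b):
    """Inverse of modhex_decode; used here only to build constructed samples."""
    return "".join(MODHEX[int(h, 16)] for h in b.hex())

def crc16(data):
    """CRC-16 (ISO 13239); run over a valid 16-byte plaintext block it leaves 0xF0B8."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def split_otp(otp):
    """Split an OTP into (public id in modhex, 16-byte encrypted block)."""
    if len(otp) < 32:
        raise ValueError("OTP too short")
    return otp[:-32], modhex_decode(otp[-32:])

def check_block(plain, record):
    """Validate a decrypted block against the per-user record; update counters on success."""
    if len(plain) != 16 or crc16(plain) != 0xF0B8:
        return "bad-crc"            # wrong AES key for this public id, or a corrupted token
    private_id, use_ctr = struct.unpack_from("<6sH", plain, 0)
    session_ctr = plain[11]
    if private_id != record["private_id"]:
        return "wrong-private-id"   # decrypts cleanly but is not this user's key
    if (use_ctr, session_ctr) <= (record["use_ctr"], record["session_ctr"]):
        return "replayed"           # counters must strictly increase between logons
    record["use_ctr"], record["session_ctr"] = use_ctr, session_ctr
    return "ok"

def make_block(private_id, use_ctr, session_ctr):
    """Constructed sample: plaintext block with a valid CRC (timestamp and random zeroed)."""
    body = private_id + struct.pack("<H", use_ctr) + b"\0\0\0" + bytes([session_ctr]) + b"\0\0"
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

In a PAM module the stored counters would sit in the small database next to the public id and AES key, and the counter update would need to be written back atomically with the accept decision.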

