Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 9:38 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Sat Apr 25, 2015 5:15 pm 
Offline

Joined: Sat Apr 25, 2015 4:42 pm
Posts: 3
Hello,
I just recevied my yubikey neo some days ago and tried to used it today. The demo page "demo.yubico.com/start/u2f" apprears to work correctly.
However, trying to activate it for the joomla 3 administartor page hasn't succeeded yet. I've googled and searched the forum but couldn't find a working solution yet.
My approach:
- installing the chrome plugin requested on the U2F demoe page.
- running the U2F demo page (works).
- Logging in as admin to the joomla backend.
- enabling "Two Factor Authentication - Yubikey"
- disabling "Authentication - Joomla", "Authentication Gmail", "Authentication Cookie", "Authentication - LDAP" and "Two Factor Authetication - Google Authenticator"
- opening the user manager "Two Factor Authentication" tab
- Choosing "Yubikey"
- clicking on the "Secutiry Code" textfield
- pushing the Yukikey touch area on the USB stick for ca 1 second.
- clicking on the save button.

The browser then hangs on a whitepage forever. When after a while, trying to manually reload the page I get an error message on the screen:
"Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time."

and when logging out of joomla and trying to log back in I get this error message:
"Warning
JAuthentication: :__construct: Could not load authentication libraries."

The only way to fix it is to re-enable joomla authentication in mysql.

Now, I guess that this is a joomla related question. But not 100% so I though I start by asking here if the proceedure is done correct by me or if I'm missing something. There are several user guides on the web and I tried to follow them, but none made the login work correctly.

My setup:
Windows 8.1
Google chrome Version 42.0.2311.90 m
Joomla 3.4.1 (running on Centos 7.1)
Port 80 and 443 are open and routed to the webserver and the iptables are opened for these two ports. (not sure if 443 is really needed).
The administrator page is limited to some IP addresses. However I'm testing from a system with a valid IP.

Appriciate any suggestions.

Kind Regards,

Gery


Last edited by crashdog on Sun Apr 26, 2015 7:49 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Joomla 3 and yubikey
PostPosted: Sat Apr 25, 2015 6:13 pm 
Offline

Joined: Fri Apr 24, 2015 1:15 pm
Posts: 3
crashdog wrote:
Hello,
I just recevied my yubikey neo some days ago and tried to used it today. The demo page "demo.yubico.com/start/u2f" apprears to work correctly.
However, trying to activate it for the joomla 3 administartor page hasn't succeeded yet. I've googled and searched the forum but couldn't find a working solution yet.
My approach:
- installing the chrome plugin requested on the U2F demoe page.
- running the U2F demo page (works).
- Logging in as admin to the joomla backend.
- enabling "Two Factor Authentication - Yubikey"
- disabling "Authentication - Joomla", "Authentication Gmail", "Authentication Cookie", "Authentication - LDAP" and "Two Factor Authetication - Google Authenticator"
- opening the user manager "Two Factor Authentication" tab
- Choosing "Yubikey"
- clicking on the "Secutiry Code" textfield
- pushing the Yukikey touch area on the USB stick for ca 1 second.
- clicking on the save button.

The browser then hangs on a whitepage forever. When after a while, trying to manually reload the page I get an error message on the screen:
"Error
You did not enter a valid YubiKey secret code or the YubiCloud servers are unreachable at this time."

and when logging out of joomla and trying to log back in I get this error message:
"Warning
JAuthentication: :__construct: Could not load authentication libraries."

The only way to fix it is to re-enable joomla authentication in mysql.


Haven't worked in Joomla since the 1.x days... my life is pretty much 100% Drupal... but I'll take a stab. I'm cribbing from this blog post, which seems fairly current.

First... My understanding is (and, again, more knowledgeable Joomla people can help me out) is that the normal YubiKey Two Factor Authentication in Joomla uses the classic YubiKey One Time Password (Classic OTP) codes. Classic OTP codes look like "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut". This is not Fido U2F. I think there are Fido U2F modules out there in beta, but the normal Joomla one is Classic OTP. Your description leads me to think you're dealing with the Classic OTP in Joomla.

Your Neo does both U2F and classic OTP (and much more). Verify the classic mode here.

Second... the YubiKey is (almost always) a "second factor in authentication", not an authentication system in itself. You'll still normally have a name and password... the YubiKey is additional. You probably will want to leave "Authentication - Joomla" on (and probably "Authentication cookie" too). It is conceivable to set up an authentication system where you don't type in any username or password... the YubiKey is the only method of authentication. This is almost certainly not what you are wanting and is probably not something the Joomla module allows.

Third, if you do go the YubiKey Classic OTP route with validation by YubiCo's free validation service (which is probably what you're looking for), you'll have one more step. You need to request an "API ID/Secret Key" from YubiCo. This is just a key to verify that you aren't using their validation service maliciously. You'll probably have to copy the API ID/Key you get from YubiCo into your Joomla setup (Plugin Manager > Authentication - Yubikey ???).

One advantage of Classic OTP over Fido U2F... it will work on any system (since it's just emulating a USB keyboard), not just Chrome with the plugin. In a few years I expect the newer Fido 2FA to be very common in Joomla/Drupal/WordPress installs (and work in more browsers), but nothing is wrong with using the classic OTP for now.


Top
 Profile  
Reply with quote  
 Post subject: Re: Joomla 3 and yubikey
PostPosted: Sun Apr 26, 2015 12:51 pm 
Offline

Joined: Sat Apr 25, 2015 4:42 pm
Posts: 3
Hello,
thank you for those hints.
yes you're right, it's classic OTP that I'm using not U2F. I wasn't aware of the difference. I've looked at and tried the "http://www.dart-creations.com/joomla/joomla-tutorials/enabling-and-using-joomla-two-factor-authentication.html" how to. It's a bit confusing as this appears to be aimed at joomla 2.5 users that don't have a native support for the Yubikey. Following that descriptions gives me a "404 component not found" when trying to open the "Yubikey Authentification" from the component menu. Eventhough I got "installation successful"l from the install manager. The plugin is also enabled and correctly configured with the API ID and secret key.
From what I understand the "Yubikey plugins" take over the functionality of handling all login (also default, none OTP etc.) and the default Joomla authentification should therefore be dissabled (Step 8 in the blog- howto above).

To summarise my situation:
-> When trying the Joomla 3 buildin "Two Factor Authentication - Yubikey" pluigin. It hangs when trying to save the user after entering the security code.
-> When trying the google plugin and component https://code.google.com/p/joomla-yubikey-authentication/downloads/list I can enter the API ID and secret key but get an error 404 when trying to access the component.
-> Also tried following these instructions https://www.youtube.com/watch?v=Uur6HMDbAnc , http://www.joomlablogger.net/joomla-tutorials/joomla-core-tutorials/two-factor-authentication-joomla-yubikey

Regards,
Gery


Top
 Profile  
Reply with quote  
PostPosted: Sun Apr 26, 2015 7:52 pm 
Offline

Joined: Sat Apr 25, 2015 4:42 pm
Posts: 3
ok, the issue was that the PHP mcrypt module was missing in my Centos 7 LAMP installation.

-> For this case:
-> sudo yum install php-mcrypt -y
-> alter php.ini to include extension=mcrypt.so
-> systemctrl restart httpd
-> Proceed in joomla like described in the user guides above to enable two way authentification.

Cheers,

Gery


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: Google [Bot] and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group