Yubico Forum https://forum.yubico.com/

[QUESTION] How do I enable YubiOATH in my application https://forum.yubico.com/viewtopic.php?f=26&t=1587
Author: dwmw2 [ Thu Nov 06, 2014 11:19 pm ]
Post subject: [QUESTION] How do I enable YubiOATH in my application

I have a VPN client application which currently supports HOTP and TOTP via oath-toolkit, automatically generating response codes where the VPN server requests them: http://www.infradead.org/openconnect/token.html

I would like to support OATH using Yubikeys too. Do I need to use libykneomgr and construct the traffic myself, having worked out what to send from commands.py and functions.py in yubico_authenticator? Or is there a better way?
Author: Tom [ Mon Nov 10, 2014 9:56 am ]
Post subject: Re: [QUESTION] How do I enable YubiOATH in my application

Try the test client here: https://github.com/Yubico/ykneo-oath
Author: dwmw2 [ Wed Nov 12, 2014 2:45 pm ]
Post subject: Re: [QUESTION] How do I enable YubiOATH in my application

Thanks. As with the python yubico-authenticator, that's kind of useful because it shows the commands to use. However, there are a bunch of things missing from it — like locking with SCardBeginTransaction() when we need to talk to the card, and reselecting the ykneo-oath applet because OpenSC might have been talking to the PIV applet when we come back for a new tokencode. Currently, yubico-authenticator breaks when that happens.

It would be *so* useful if there was a simple library I could use to handle this for me, using something reminiscent of PKCS#11 URIs. So I just have a function which can give me a tokencode for file://home/dwmw2/foo.pskc (updating the counter in the file as appropriate if it's a HOTP token, with file locking done consistently too). Or for yubikey://cardident/objectname for yubikey, for example, without individual applications having to have hardware-specific details.

And while I think of it, wouldn't it be useful if RFC6030 defined a way for a PSKC file to refer to a token's secret key by means of a PKCS#11 URI? And my hypothetical library (which is actually what oath-toolkit *ought* to provide instead of just the disjoint libpskc and liboath libraries) would Just Work™ with tokens in that form too.

Anyway, I now have OpenConnect authenticating automatically to VPN servers using HOTP/TOTP tokens from a Yubikey NEO (as well as SSL private keys stored therein). There's a little more cleanup to be done, but I've pushed it to http://git.infradead.org/users/dwmw2/op ... ff/c24046b

It's the first time I've ever looked at PC/SC code so I don't claim there's anything particularly competent about it, but if you want to use any of it as the basis for a C library that at *least* supports Yubikey (rather than embarking on the grand plan outlined above), you're welcome to it under LGPLv2 or later.
Author: dwmw2 [ Fri Nov 14, 2014 3:46 pm ]
Post subject: Re: [QUESTION] How do I enable YubiOATH in my application

Update: I've now pushed this out, and it's documented at http://www.infradead.org/openconnect/token.html

Code at http://git.infradead.org/users/dwmw2/op ... /yubikey.c

Any review comments would be welcome. It would be useful to have a consistent interface for using Yubikey from various applications.

Code:
    $ ./openconnect --token-mode yubikey --token-secret 'rôle ♥ foo' $SERVER
    Found ykneo-oath applet v0.2.1.
    PIN required for Yubikey OATH applet
    Yubikey PIN:<wrong PIN>
    Failure response to "unlock command": 6a80
    PIN required for Yubikey OATH applet
    Yubikey PIN:<correct PIN>
    Found TOTP/SHA1 key 'rôle ♥ foo' on 'Yubico Yubikey NEO CCID 00 00'
    POST https:/$SERVER/ ...
    Please enter your username and password.
    Username:foo
    Password:
    Generating Yubikey token code
    POST https://$SERVER/+webvpn+/index.html
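The two points raised in the thread, holding the card in a transaction and re-SELECTing the ykneo-oath applet before every command because another process (OpenSC on PIV) may have switched applets in between, plus checking the status word such as the 6a80 seen in the session above, can be written as one small routine. The following is an added example and not OpenConnect's yubikey.c or Yubico's code; it assumes a caller-supplied transport (with a real reader the three callbacks wrap SCardBeginTransaction, SCardTransmit and SCardEndTransaction), takes the applet AID from the ykneo-oath README, and ships with a constructed fake card so it runs offline.

```c
#include <stdint.h>
#include <string.h>
/* Transport callbacks; with a real reader these wrap PC/SC's
 * SCardBeginTransaction, SCardTransmit and SCardEndTransaction. */
typedef struct {
    void *ctx;
    int (*begin)(void *ctx);
    int (*transmit)(void *ctx, const uint8_t *apdu, size_t n, uint8_t *resp, size_t *rlen);
    int (*end)(void *ctx);
} card_ops;
/* AID of the ykneo-oath applet, as published in the ykneo-oath README. */
static const uint8_t OATH_AID[] = {0xA0, 0x00, 0x00, 0x05, 0x27, 0x21, 0x01};
/* Status word SW1SW2 from the last two response bytes, 0 if the response is too short. */
uint16_t apdu_sw(const uint8_t *r, size_t n) { return n < 2 ? 0 : (uint16_t)(r[n - 2] << 8 | r[n - 1]); }

/* Hold the card for the whole exchange and re-SELECT the OATH applet before the
 * command, because another process (e.g. OpenSC on the PIV applet) may have
 * switched applets since our last call. Returns the command's status word, the
 * SELECT's status word if that was not 9000, or 0 on a transport error. */
uint16_t oath_exchange(const card_ops *ops, const uint8_t *cmd, size_t cmd_len,
                       uint8_t *resp, size_t *resp_len)
{
    uint8_t sel[5 + sizeof OATH_AID] = {0x00, 0xA4, 0x04, 0x00, sizeof OATH_AID}; /* SELECT by AID */
    uint8_t sr[258]; size_t srlen = sizeof sr; uint16_t sw = 0;
    memcpy(sel + 5, OATH_AID, sizeof OATH_AID);
    if (ops->begin(ops->ctx) != 0) return 0;
    if (ops->transmit(ops->ctx, sel, sizeof sel, sr, &srlen) == 0 &&
        (sw = apdu_sw(sr, srlen)) == 0x9000) {
        sw = ops->transmit(ops->ctx, cmd, cmd_len, resp, resp_len) == 0 ? apdu_sw(resp, *resp_len) : 0;
    }
    ops->end(ops->ctx);            /* always release the card, even after a failure */
    return sw;
}

/* Constructed fake card for offline use: it answers only inside a transaction,
 * needs a SELECT of the OATH AID first, and forgets the selection on release. */
typedef struct { int in_tx, selected; uint16_t cmd_sw; } fake_card;
static int fake_begin(void *c) { ((fake_card *)c)->in_tx = 1; return 0; }
static int fake_end(void *c) { ((fake_card *)c)->in_tx = ((fake_card *)c)->selected = 0; return 0; }
static int fake_transmit(void *c, const uint8_t *a, size_t n, uint8_t *r, size_t *rl)
{
    fake_card *f = c; uint16_t sw;
    if (!f->in_tx) return -1;                     /* no transaction held: refuse */
    if (n == 5 + sizeof OATH_AID && a[1] == 0xA4 && !memcmp(a + 5, OATH_AID, sizeof OATH_AID)) {
        f->selected = 1; sw = 0x9000;
    } else {
        sw = f->selected ? f->cmd_sw : 0x6985;     /* 6985: conditions of use not satisfied */
    }
    r[0] = (uint8_t)(sw >> 8); r[1] = (uint8_t)sw; *rl = 2;
    return 0;
}
card_ops fake_ops(fake_card *f) { card_ops o = { f, fake_begin, fake_transmit, fake_end }; return o; }
```

A caller treats anything other than 0x9000 from oath_exchange as a failed step; 0 means the transport itself failed, so the card was never asked.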