Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:33 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 10 posts ] 
Author Message
PostPosted: Thu Nov 20, 2008 6:53 pm 
Offline

Joined: Thu Nov 20, 2008 6:29 pm
Posts: 1
Hi guys,

I'm evaluating Yubikeys for our organization. The price is right, and we use open source widely so it fits right in there. However I must say that we've been a bit....disappointed on the software and documentation side....on pushing Yubikeys into organizations, the whole thing still seems to be in a very early phase (seems like it's written by programmers for programmers :). Besides that the solution looks very simple and very solid. I think that once all of this is done I can contribute a guide to how we got it all set up (if that does happen :cry: )....

Which leads me to the problem. We've set up a server, installed Ubuntu 8.10, Apache2, php5, yubiphpbase, pubico-php-lib, the php webservices and the YMS. The docs were a bit confusing but I think we got this figured out.

So next, we downloaded the personalization utility, and tried using it (used both the MFC version and the HTML version). It took some time to figure out what was what, but the included PDF was somewhat helpful (not nearly enough examples). For the static ID and UID we used the device ID of the key converted into hex ("9725b3ed678e", we also tried with a randomly generated hex number...as the docs made it seem like either would work). Then we entered in a generated AES key ("c7038b85de5f8bc0760c016741e3a23d"). We had debugging on and everything looked good. We pressed the ykProgram button and got the text "Program completed. Kill=0, rc=0". Looking at the code, RC of 0 looks like the OK code. So it looks like the reprogramming went through (at the very least, changes to the flags seemed to stick).

So, next we had to hack YMS a bit as it had "api.yubico.com" hardcoded a few places, etc. Once that was done, we go to our OTP server web service: http://otp.corp.XXXX.XXX/wsapi/verify_d ... bvcntcigdg

After I added some custom debug printouts, we get the following:
Code:
<p>Debug> aes key in modhex = ienteivbnvekiguugvvbniefuvltbrtegunnueginihnhttt
<p>Debug> aes key in hex = [s½7ñ¿9uî_ñ·4ï­Ó^»ãW·kmÝ], length = 24  <<<MY NOTE: This isn't hex...typo? We enabled this debug print in the code.>>>
<p>Debug> From the OTP validation request:
array(10) {
  ["public_id"]=>
  string(12) "kidgneuthiju"
  ["token"]=>
  string(32) "7735f9a3ca8fe3862bc18afba91ef0c3"
  ["private_id"]=>
  string(12) "7735f9a3ca8f"
  ["session_counter"]=>
  int(34531)
  ["low"]=>
  int(49451)
  ["high"]=>
  int(138)
  ["session_use"]=>
  int(251)
  ["crc"]=>
  int(50160)
  ["timestamp"]=>
  int(9093419)
  ["counter"]=>
  int(8840187)
}
<p>Debug> decoded array:

<p>Debug> 2
status=BAD_OTP
info=kidgneuthijulgrhkveidkcnrcncgtbcdubvcntcigdg
t=2008-11-20T17:27:27Z0
<p>Debug> SIGN: info=kidgneuthijulgrhkveidkcnrcncgtbcdubvcntcigdg&status=BAD_OTP&t=2008-11-20T17:27:27Z0
h=kX+T2pOMHOaQKQ5wzAoRtazeZew=


Ok so it looked like things failed at CRC validation.

Not really sure what is going on here. If the key was reprogrammed correctly this should work. I believe we entered in everything correctly into the DB when setting up the yubiphpbase library. Here's what we have:

After running util.php:

root@otpauth1:/var/www/yubiphpbase# php utils.php

Code:
API Key: nox8sOeQ/IbfiX+qX60yT/k6lyk=
PIN: 2323, Encrypted PIN: b6CsxYb7CGrVkLagsglQlA==
TokenID (b64-encoded): lyWz7WeO
PIN: 2323


Here's our dump of the database:

Code:
-- MySQL dump 10.11
--
-- Host: localhost    Database: yubico
-- ------------------------------------------------------
-- Server version       5.0.67-0ubuntu6

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `admin`
--

DROP TABLE IF EXISTS `admin`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `admin` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `keyid` int(11) NOT NULL default '0',
  `note` varchar(45) default NULL,
  `pin` varchar(120) default NULL,
  `last_access` datetime default NULL,
  `ip` varchar(45) default NULL,
  `creation` datetime default NULL,
  `client` int(11) NOT NULL default '0',
  `timeout` int(10) unsigned NOT NULL default '3600',
  PRIMARY KEY  (`id`),
  KEY `FK_admin_2` (`keyid`),
  KEY `FK_admin_1` (`client`),
  CONSTRAINT `FK_admin_1` FOREIGN KEY (`client`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE,
  CONSTRAINT `FK_admin_2` FOREIGN KEY (`keyid`) REFERENCES `yubikeys` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=33 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `admin`
--

LOCK TABLES `admin` WRITE;
/*!40000 ALTER TABLE `admin` DISABLE KEYS */;
INSERT INTO `admin` VALUES (1,1,'Root Key','b6CsxYb7CGrVkLagsglQlA==','2008-08-07 21:27:51','192.168.1.100','2008-08-07 21:27:51',1,3600);
/*!40000 ALTER TABLE `admin` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `buyers`
--

DROP TABLE IF EXISTS `buyers`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `buyers` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `email` varchar(100) default NULL,
  `created` datetime default NULL,
  `addr` varchar(200) default NULL,
  `qty` int(10) unsigned default NULL,
  `client_id` int(11) NOT NULL default '0',
  `name` varchar(45) default NULL,
  PRIMARY KEY  (`id`),
  KEY `FK_client_id_1` USING BTREE (`client_id`),
  CONSTRAINT `FK_client_info_1` FOREIGN KEY (`client_id`) REFERENCES `clients` (`id`) ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB AUTO_INCREMENT=2201 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `buyers`
--

LOCK TABLES `buyers` WRITE;
/*!40000 ALTER TABLE `buyers` DISABLE KEYS */;
/*!40000 ALTER TABLE `buyers` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `clients`
--

DROP TABLE IF EXISTS `clients`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `clients` (
  `id` int(11) NOT NULL auto_increment,
  `perm_id` int(11) default NULL,
  `active` tinyint(1) default NULL,
  `created` datetime NOT NULL default '0000-00-00 00:00:00',
  `email` varchar(255) NOT NULL default '',
  `secret` varchar(60) NOT NULL default '',
  `notes` varchar(100) default NULL,
  `chk_sig` tinyint(1) NOT NULL default '0',
  `chk_owner` tinyint(1) NOT NULL default '0',
  PRIMARY KEY  (`id`),
  UNIQUE KEY `email` (`email`),
  KEY `perm_id` (`perm_id`),
  CONSTRAINT `clients_ibfk_1` FOREIGN KEY (`perm_id`) REFERENCES `perms` (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=1678 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `clients`
--

LOCK TABLES `clients` WRITE;
/*!40000 ALTER TABLE `clients` DISABLE KEYS */;
INSERT INTO `clients` VALUES (1,1,1,'1970-01-01 00:00:00','robbyd@corp.XXXX.XXX','xzRQUxLdkjnJrJ8ycHsT1/OEjXw=','Robby Dermody',0,0);
/*!40000 ALTER TABLE `clients` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `history`
--

DROP TABLE IF EXISTS `history`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `history` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `usrid` int(10) unsigned NOT NULL default '0',
  `note` varchar(45) NOT NULL default '',
  `ip` varchar(45) NOT NULL default '',
  `creation` datetime NOT NULL default '0000-00-00 00:00:00',
  `keyid` int(10) unsigned NOT NULL default '0',
  PRIMARY KEY  (`id`),
  KEY `FK_hist_1` (`usrid`)
) ENGINE=InnoDB AUTO_INCREMENT=347 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `history`
--

LOCK TABLES `history` WRITE;
/*!40000 ALTER TABLE `history` DISABLE KEYS */;
/*!40000 ALTER TABLE `history` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `perms`
--

DROP TABLE IF EXISTS `perms`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `perms` (
  `id` int(11) NOT NULL auto_increment,
  `verify_otp` tinyint(1) default '0',
  `add_clients` tinyint(1) default '0',
  `delete_clients` tinyint(1) default '0',
  `add_keys` tinyint(1) default '0',
  `delete_keys` tinyint(1) default '0',
  PRIMARY KEY  (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=4 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `perms`
--

LOCK TABLES `perms` WRITE;
/*!40000 ALTER TABLE `perms` DISABLE KEYS */;
INSERT INTO `perms` VALUES (1,1,1,1,1,1),(2,1,0,0,1,1),(3,1,0,0,0,0);
/*!40000 ALTER TABLE `perms` ENABLE KEYS */;
UNLOCK TABLES;

--
-- Table structure for table `yubikeys`
--

DROP TABLE IF EXISTS `yubikeys`;
SET @saved_cs_client     = @@character_set_client;
SET character_set_client = utf8;
CREATE TABLE `yubikeys` (
  `id` int(11) NOT NULL auto_increment,
  `client_id` int(11) NOT NULL default '0',
  `active` tinyint(1) default NULL,
  `created` datetime NOT NULL default '0000-00-00 00:00:00',
  `accessed` datetime default NULL,
  `tokenId` varchar(60) character set latin1 collate latin1_bin default NULL,
  `userId` varchar(60) NOT NULL default '',
  `secret` varchar(60) NOT NULL default '',
  `counter` int(11) default NULL,
  `low` int(11) default NULL,
  `high` int(11) default NULL,
  `notes` varchar(100) default NULL,
  PRIMARY KEY  (`id`),
  UNIQUE KEY `userId` (`userId`),
  UNIQUE KEY `tokenId` (`tokenId`),
  KEY `client_id` (`client_id`)
) ENGINE=InnoDB AUTO_INCREMENT=4541 DEFAULT CHARSET=latin1;
SET character_set_client = @saved_cs_client;

--
-- Dumping data for table `yubikeys`
--

LOCK TABLES `yubikeys` WRITE;
/*!40000 ALTER TABLE `yubikeys` DISABLE KEYS */;
INSERT INTO `yubikeys` VALUES (1,1,1,'2008-10-03 16:11:50','2008-10-22 22:08:18','lyWz7WeO','hX+j1RaP','c7038b85de5f8bc0760c016741e3a23d',0,0,0,'Robby Dermody');
/*!40000 ALTER TABLE `yubikeys` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2008-11-20 17:46:16



Any help would be GREATLY appreciated. We'd really like to start using Yubikeys.

Robby


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Mon Nov 24, 2008 3:22 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We are working on a new version of the personalization tool which is scheduled to be released by mid next week that will probably make it easier to program the YubiKeys. We will test the exact configuration and will update you asap.


Top
 Profile  
Reply with quote  
PostPosted: Thu Nov 27, 2008 12:03 pm 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
This looks like a rather low-level problem and possibly an incorrect AES key? Try using our command line tools to decrypt OTPs:

http://code.google.com/p/yubico-c/

/Simon


Top
 Profile  
Reply with quote  
PostPosted: Tue Dec 09, 2008 3:46 pm 
Offline

Joined: Tue Dec 09, 2008 3:29 pm
Posts: 1
I have a very similar problem....

ykdebug says:

$ ./ykdebug uubgvivdgkuebejhkhtjuufrebjvftrc hbhdhehfhghhlbhctufkdbkglclthjrdrhvnvvhnlhbu
warning: overlong token, ignoring prefix: hbhdhehfhghh
Input:
token: lbhctufkdbkglclthjrdrhvnvvhnlhbu
a1 60 de 49 21 95 a0 ad 68 c2 c6 fb ff 6b a6 1e
aeskey: uubgvivdgkuebejhkhtjuufrebjvftrc
ee 15 f7 f2 59 e3 13 86 96 d8 ee 4c 31 8f 4d c0
Output:
61 62 63 64 65 66 01 00 c9 68 ce 01 48 74 41 98

Struct:
uid: 61 62 63 64 65 66
counter: 1 (0x0001)
timestamp (low): 26825 (0x68c9)
timestamp (high): 206 (0xce)
session use: 1 (0x01)
random: 29768 (0x7448)
crc: 38977 (0x9841)

Derived:
cleaned counter: 1 (0x0001)
modhex uid: hbhdhehfhghh
triggered by caps lock: no
crc: F0B8
crc check: ok

so everything seems ok from ykdebug....
yubikey-val-server/validate_debug.php says:

<p>Debug> OTP validation req:
Sess ctr=56262
TS lo=64964
TS hi=32
Use=158
Rand=41782
CRC=62650
Timestamp=2162116
Calculated CRC=50232
Bad CRC
<p>Debug> 2
status=BAD_OTP
info=hbhdhehfhghhlbhctufkdbkglclthjrdrhvnvvhnlhbu
t=2008-12-09T14:44:27
<p>Debug> SIGN: info=hbhdhehfhghhlbhctufkdbkglclthjrdrhvnvvhnlhbu&status=BAD_OTP&t=2008-12-09T14:44:27
h=WdW8Fxj9u7a3SAFfDyAICGS+ADQ=

So seems to be a CRC error...

The database contains:

mysql> select * from clients;
+----+---------+--------+---------------------+------------------+--------------------------+-------+---------+-----------+----------+
| id | perm_id | active | created | email | secret | notes | chk_sig | chk_owner | chk_time |
+----+---------+--------+---------------------+------------------+--------------------------+-------+---------+-----------+----------+
| 1 | 1 | 1 | 1970-01-01 00:00:00 | bert64@test.com | YCY7zeftvHh13s52Xs6H1w== | NULL | 0 | 0 | 0 |
+----+---------+--------+---------------------+------------------+--------------------------+-------+---------+-----------+----------+
1 row in set (0.00 sec)

mysql> select * from yubikeys;
+----+-----------+--------+---------------------+---------------------+----------+----------+--------------------------+---------+------+------+-------+
| id | client_id | active | created | accessed | tokenId | userId | secret | counter | low | high | notes |
+----+-----------+--------+---------------------+---------------------+----------+----------+--------------------------+---------+------+------+-------+
| 1 | 1 | 1 | 2007-10-03 16:11:50 | 2007-10-22 22:08:18 | YWJjZGVm | iU+jIRru | 7hX38lnjE4aW2O5MMY9NwA== | 0 | 0 | 0 | |
+----+-----------+--------+---------------------+---------------------+----------+----------+--------------------------+---------+------+------+-------+
1 row in set (0.00 sec)

mysql> select * from admin;
+----+-------+----------+--------------------------+---------------------+----------------+---------------------+--------+---------+
| id | keyid | note | pin | last_access | ip | creation | client | timeout |
+----+-------+----------+--------------------------+---------------------+----------------+---------------------+--------+---------+
| 1 | 1 | Root Key | OlEMemiArMptNPXxSlG1Nw== | 2008-08-07 21:27:51 | 192.168.200.20 | 2008-08-07 21:27:51 | 1 | 3600 |
+----+-------+----------+--------------------------+---------------------+----------------+---------------------+--------+---------+
1 row in set (0.00 sec)

which would all seem to be correct... any ideas? I've been looking at this for a few days now and am completely stumped.

Incidentally RBD, i believe you are supposed to base64 encode the aes secret key within the database, which you didn't seem to do in the posting above.


Top
 Profile  
Reply with quote  
PostPosted: Wed Jan 14, 2009 2:46 pm 
Offline

Joined: Thu Jan 08, 2009 1:28 pm
Posts: 4
I have the same problem, after reprogramming the yubikey (on Linux), ykdebug gives OK but PHP validation server says "Bad CRC". Has anyone solved this?


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 16, 2009 10:08 am 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
The AES key in the database appears to match. But aren't the AES keys in the database supposed to be encrypted? I recall that the validation server internally encrypts/decrypts the database contents using a static AES key. The PHP google code project doesn't seem available right now so I can't check the source, but just an idea to let you move debug things further.

/Simon


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 16, 2009 12:36 pm 
Offline

Joined: Thu Jan 08, 2009 1:28 pm
Posts: 4
I reprogrammed the yubikey with the new personalization tool for Windows using the same settings (afaik) that I used for the Linux personalization tool and now it works, so probably something I missed in the Linux version.


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 16, 2009 2:06 pm 
Offline

Joined: Fri Jan 16, 2009 1:53 pm
Posts: 8
I have the same problem, however I do not use the php stuff, I use the wsapi.war file with tomcat, the self created key tests out fine with the sdk tool , but fails if you use the OTP server
In the documentation was mentioned the aes-field in the database is Base64 coded, is this correct ?

$ sdk/tool ecececececececececececececececec ececececececcdbtrcjudbcdukigjbvfudtifkjfrnin
warning: overlong token, ignoring prefix: ecececececec
Input:
token: cdbtrcjudbcdukigjbvfudtifkjfrnin
02 1d c0 8e 21 02 e9 75 81 f4 e2 d7 49 84 cb 7b
aeskey: ecececececececececececececececec
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30
Output:
30 30 30 30 30 30 0b 00 e1 e8 ab 00 e2 94 a1 d4

Struct:
uid: 30 30 30 30 30 30
counter: 11 (0x000b)
timestamp (low): 59617 (0xe8e1)
timestamp (high): 171 (0xab)
session use: 0 (0x00)
random: 38114 (0x94e2)
crc: 54433 (0xd4a1)

Derived:
cleaned counter: 11 (0x000b)
modhex uid: ecececececec
triggered by caps lock: no
crc: F0B8
crc check: ok

http://10.x.x.x:8180/wsapi/verify?id=2& ... tifkjfrnin
h=waZsxFc9JQGqvT5i2f2c09j5F9g=
t=2009-01-16T15:02:24Z0453
status=BAD_OTP

Currently you seem to be unable to download stuff from http://code.google.com/p/yubikey-server-j/


Top
 Profile  
Reply with quote  
PostPosted: Fri Jan 16, 2009 6:40 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate if you can provide us some logs and debugging information. This will help us to identify the exact cause and to provide a solution for it.


Top
 Profile  
Reply with quote  
PostPosted: Mon Jan 19, 2009 11:25 am 
Offline

Joined: Fri Jan 16, 2009 1:53 pm
Posts: 8
found the problem : there was a WARN in the catalina log :
2009-01-16 15:02:24,426 [http-8180-Processor24] WARN com.yubico.wsapi.Database - java.sql.SQLException: Value '0000-00-00' can not be represented as java.sql.Date
and after a
mysql> update yubikeys set accessed = '1970-01-01 00:00:00';
everything worked ...

h=57IAu98PWuhub7fcowqPGWVdRis=
t=2009-01-19T12:12:45Z0343
status=OK

The error reporting could be better here, I would expect a config error message in the response from the wsapi.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group