Yubico Forum
https://forum.yubico.com/

Offline Authentication
https://forum.yubico.com/viewtopic.php?f=8&t=125
Page 1 of 1

Author:  firnsy [ Tue Jul 01, 2008 7:35 am ]
Post subject:  Offline Authentication

A few mates and I were planning to use the Yubikey to authenticate a network of ours on a locally administered server. However, the current PAM implementation still requires the web API to authenticate.

Our intention is to build a localised PAM implementation for the Yubikey and are curious if there is any interest for an authentication system that does not require access to the internet. Our intention is to have central administration for updating, managing and processing Yubikeys as soon as a Linux variant of the config tool is finalised.

If it works as expected we will most likely build a GINA version for NT/2000/XP variants.

Author:  Simon [ Tue Jul 01, 2008 11:27 am ]
Post subject:  Re: Offline Authentication

firnsy wrote:
A few mates and I were planning to use the Yubikey to authenticate a network of ours on a locally administered server. However, the current PAM implementation still requires the web API to authenticate.

Our intention is to build a localised PAM implementation for the Yubikey and are curious if there is any interest for an authentication system that does not require access to the internet. Our intention is to have central administration for updating, managing and processing Yubikeys as soon as a Linux variant of the config tool is finalised.

If it works as expected we will most likely build a GINA version for NT/2000/XP variants.


A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon

Author:  firnsy [ Tue Jul 01, 2008 12:47 pm ]
Post subject:  Re: Offline Authentication

Simon wrote:
A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon


Cool.

Yeah, I've looked at every bit of available source to do with the Yubikey and they all provide excellent references. Our authentication requirements are from initial logon and require PAM compatibility, so the Java server won't suffice in this situation.

The specs we would be looking at implementing are:
    1. minimalist database backend tracking public id, AES key
    2. per user settings tracking private id and previous logon times
    3. USB event actions (on detection of Yubikey insert and removal)
    4. administration tool for coding a Yubikey whilst syncing with the user database

If there is an available linux config tool for testing we would be happy to assist.

Author:  Simon [ Wed Jul 02, 2008 2:55 pm ]
Post subject:  Re: Offline Authentication

firnsy wrote:
Simon wrote:
A variant of the PAM module to support local AES key lookups is a todo item, and I'll probably work on it relatively soon.

However, if you have several machines, you probably want to set up your local server instead of using api.yubico.com. Did you see our java server? There are also at least two PHP servers posted here on the forum, they should also work.

/Simon


Cool.

Yeah, I've looked at every bit of available source to do with the Yubikey and they all provide excellent references. Our authentication requirements are from initial logon and require PAM compatibility, so the Java server won't suffice in this situation.

The specs we would be looking at implementing are:
    1. minimalist database backend tracking public id, AES key
    2. per user settings tracking private id and previous logon times
    3. USB event actions (on detection of Yubikey insert and removal)
    4. administration tool for coding a Yubikey whilst syncing with the user database

If there is an available linux config tool for testing we would be happy to assist.


I think the PAM module should be enhanced with AES-decryption capabilities, and a small database. That would solve your 1 and 2.

For 3, just check for the Yubikey USB IDs in the output from e.g. 'lsusb'.

Regarding 4, we have some Windows LibUSB based code to program a new AES key available:

http://code.google.com/p/yubico-usb-win32/

We haven't made the code public yet, so don't tell anyone. :)

It is possible to get this code running under Linux, but for some reason, in order to avoid problems with an exclusive lock from the 'usbhid' driver, you will need to reload the USB drivers if you want to program a new AES key:

Code:
rmmod usbhid && modprobe usbhid quirks=0x1050:0x0010:0x04


Either the code should be merged into 'yubico-c' or a separate project should be started, with some more Linux-friendly makefiles and build scripts. There are a few minor flaws in the published code, but you'll notice them for yourself.

Thanks,
Simon
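Simon's suggested design (a PAM module with AES decryption and a small database, covering firnsy's points 1 and 2) as an added example in Go; this is not code from the thread or from Yubico, and the names KeyRecord and VerifyOTP, the public id, the AES key and the private id are all constructed. The 16-byte token layout it decodes (6-byte private id, 16-bit use counter, timestamp, session counter) is the YubiKey OTP format; libyubikey additionally checks the token's CRC-16, which is left out here.

```go
package main
import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"strings"
)
const modhex = "cbdefghijklnrtuv" // the 16 keys a YubiKey types, same on any keyboard layout
// KeyRecord is one row of the local database: AES key, private id and the highest
// counters accepted so far (the "previous logon" state that rejects replayed OTPs).
type KeyRecord struct {
	AESKey, PrivateID []byte
	UseCtr            uint16
	SessionCtr        uint8
}
// modhexDecode returns nil on odd length or any character outside the alphabet.
func modhexDecode(s string) []byte {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 || len(s)%2 != 0 {
			return nil
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out
}
// VerifyOTP checks one 44-character OTP with no network access and, on success, advances
// the record's counters so the same OTP is never accepted twice (hypothetical helper).
func VerifyOTP(db map[string]*KeyRecord, otp string) error {
	if len(otp) != 44 {
		return errors.New("otp must be 44 modhex characters")
	}
	rec, ct := db[otp[:12]], modhexDecode(otp[12:]) // public id is the clear-text prefix
	if rec == nil || ct == nil || len(rec.AESKey) != 16 {
		return errors.New("unknown public id or malformed otp")
	}
	c, _ := aes.NewCipher(rec.AESKey) // cannot fail for a 16-byte key
	tok := make([]byte, 16)
	c.Decrypt(tok, ct) // a single AES-128 block, so no chaining mode is involved
	if string(tok[:6]) != string(rec.PrivateID) {
		return errors.New("private id mismatch: wrong key or corrupt otp")
	}
	use := binary.LittleEndian.Uint16(tok[6:8]) & 0x7fff // top bit is a flag, not count
	sess := tok[11]                                      // bytes 8-10 hold the timestamp
	if use < rec.UseCtr || (use == rec.UseCtr && sess <= rec.SessionCtr) {
		return errors.New("replayed or stale otp")
	}
	rec.UseCtr, rec.SessionCtr = use, sess
	return nil
}
```

The database map must be persisted between logons, otherwise every OTP since the last restart becomes replayable.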

All times are UTC + 1 hour