Yubikey Integration

We have a virtualized PrivacyIDEA server and I would like to use a Yubikey 5 NFC. I followed the guide here: https://netknights.it/en/privacyidea-enrollment-station-for-yubikey-and-nitrokey/ but then realized it won’t work because our server is virtualized and we don’t allow USB devices to our VMs. I then tried to set up U2F enrollment by following the documentation here: https://privacyidea.readthedocs.io/en/latest/configuration/tokenconfig/u2f.html#u2f-otp-token but when I go to enroll a token, it displays an error when it wants me to push the token button or replug the token, saying Bad U2F Request / undefined.

Any ideas on what I am doing wrong?

RE:U2F read this

RE:USB devices on VMs
You don’t allow all USB devices?
How do you use keyboard/mouse?
Yubikey 5 is in the same HID category…

Hi @wwalker,

I very much recommend actually using the yubikey in OTP mode with privacyIDEA. This way you can initialize the seeds and you get rather good hardware security with key material that was actually generated by you.

It is totally fine that your privacyIDEA server runs on a VM - somewhere in the datacenter.
You do not need to connect the yubikey to the privacyIDEA server.
You need to connect the yubikey to your local machine running the privacyidea admin client. This client will generate the seed and put it on the yubikey and communicate with the privacyIDEA server (on some VM).

So you can actually install privacyideaadm on your local computer - maybe in a python virtualenv and use this to enroll your yubikeys and connect to the PI server via https.

To initialize the yubikey in OTP mode requires that I perform the initialization via the privacyidea admin client, correct?

Is there an admin client that can be run on a windows client?

Can the privacyidea admin client be run on a machine that doesn’t need to be retained? For example, if I spin up a linux box on my windows machine as a VM for the sole purpose of initializing yubikeys, can I just delete the VM without losing anything important?

Yes.

In theory you could run the admin client, which is a python script, on a Windows machine. But due to a different USB stack this is rather difficult.

No.

Yes. You can delete it. Or keep it for later/further enrollments.

I think there’s a communication issue, because those two answers contradict each other. Does the machine that runs the privacyidea admin client need to be kept in order for keys initialized by it to continue to function?

You are right. That is a contradiction. At this time of day answering a lot of questions even with a negation is a bit difficult.

Ask yourself what actually happens during enrollment and what happens during authentication.

As I said before, the admin client generates the seed and writes it to the yubikey. Then the admin client communicates with the privacyIDEA server. In this case it generates a new token on the PI server. A new token always contains the seed (that was just generated). You know that now all pieces are in place on the PI server.

I finally got it to work, though a lot of my difficulties were in getting a VM application to pass USB from the host to the guest, an issue well outside the scope of these forums. For those stumbling upon this, you have to use a type 2 hypervisor (so Microsoft Hyper-V is out). I got it to work using VMWare Workstation 15 Player. Under VM Settings, set the USB Controller to USB3, then connect the Yubico Yubikey... to the VM, not the Shared Yubico Yubikey...

A couple of questions:
Why isn’t there a way to do what the privacyidea admin client does in the PrivacyIDEA admin web interface?

When I run privacyidea -U https://your.privacyidea.server --admin super token yubikey_mass_enroll, whoever the user is that I specify after --admin is who the key gets assigned to. Is it possible to enroll new keys without assigning them to a user?

As always, thanks for your help @cornelinux.


Thanks a lot for the pointer with the VM.

There is no easy, generic way to do this.

easy meaning that it could be implemented in less than a week.

generic meaning that it would run on “all” browsers.

The challenge is that, due to security reasons, a website should not access your computer’s resources. (This was several years ago.) So there is no generic USB access or file access.

You may say, “but I can enroll U2F devices, which are actually USB devices”. Yes, but this is a special U2F interface that is implemented in the browser. “But the Aladdin TMS enrolled the eToken already ten years ago in the browser”. Yes, but this only runs in IE, with ActiveX and all the “browser security” switched off. “But I can enroll smartcards in the browser”. Yes, but this is no USB; this is either PKCS11 or MS CAPI with a well-defined interface that is implemented in the browsers.

Well, I would also think that this would be a very convenient way. If you have any input or thoughts on this, they would be highly welcome. You may also open an issue on GitHub if you have an idea on that.

The privacyidea admin client simply uses the REST API. The word “admin” can be misleading. The client issues the request POST /token/init. If this request is issued by an admin, the token is not assigned to any user. If the request is issued by a normal user, it is assigned to the user, since a user may only manage his own tokens. So obviously your “admin” is no admin.

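The enrollment flow described above (seed generated on the admin machine, then POST /auth followed by POST /token/init, with the token assigned to a user only when the caller is not an admin), as an added example that is not privacyideaadm’s own code. It assumes the placeholder server name from the thread, the documented response shape of /auth (result.value.role and result.value.token) and /token/init (detail.serial), and an otplen of 44 for Yubico OTP; the `post` callable is pluggable so the logic can be exercised against a constructed fake server.

```python
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Placeholder from the thread; replace with the real PI server.
PI_SERVER = "https://your.privacyidea.server"

Post = Callable[[str, Dict[str, str], Dict[str, str]], dict]


def http_post(path: str, headers: Dict[str, str], data: Dict[str, str]) -> dict:
    """Plain urllib transport: form-encoded POST to the REST API, JSON back."""
    req = urllib.request.Request(PI_SERVER + path,
                                 data=urllib.parse.urlencode(data).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def generate_yubikey_seed() -> str:
    """AES-128 key for Yubico OTP, generated locally (16 random bytes as hex)."""
    return secrets.token_hex(16)


def build_init_params(otpkey: str, user: Optional[str] = None,
                      realm: Optional[str] = None) -> Dict[str, str]:
    """Parameters for POST /token/init; user/realm only when assigning (otplen 44 assumed)."""
    params = {"type": "yubikey", "otpkey": otpkey, "otplen": "44"}
    if user:
        params["user"] = user
        if realm:
            params["realm"] = realm
    return params


def enroll_yubikey(post: Post, username: str, password: str,
                   assign_to: Optional[str] = None, realm: Optional[str] = None):
    """Authenticate, then enroll one Yubikey; returns (serial, seed, role, assigned user)."""
    auth = post("/auth", {}, {"username": username, "password": password})
    role = auth["result"]["value"]["role"]
    jwt = auth["result"]["value"]["token"]
    seed = generate_yubikey_seed()
    if role != "admin":
        # A plain user may only manage their own tokens, so the server assigns it to them.
        assign_to, realm = username, None
    params = build_init_params(seed, assign_to, realm)
    resp = post("/token/init", {"Authorization": jwt}, params)
    return resp["detail"]["serial"], seed, role, assign_to
```

Call `enroll_yubikey(http_post, "super", "secret")` for an unassigned enrollment by an admin, and pass `assign_to="alice", realm="myrealm"` to assign it explicitly; the seed returned is what the admin client would write to the key.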

For those stumbling upon this, you have to use a type 2 hypervisor (So Microsoft Hyper-V is out).

Not sure I understand this: we have multiple instances of privacyIdea running as a VM on ESXi, type 1 hypervisor.
It’s used to authenticate people connecting over AnyConnect… Using manually configured Yubikeys…

My comment is regarding the initial registration of yubikeys using the privacyidea admin client.