Yubikey NEO + Ubuntu1604 + VMware

diogenconsulting · June 11, 2017, 12:44am

I asked a similar question before

but was managing with software OTP tokens just fine… Until now, that is.

I can’t figure out how to make the Yubikey NEO work as OTP with privacyIDEA.

I follow the manual…
Start with downloading the Yubico Personalization Tool (on Windows) and configure Slot 2.
Essentially, generate 3 hex numbers - 6, 6 and 16 bytes long.
Called Public Identity, Private Identity and Secret Key, respectively…Write them onto the key…

Then point the browser to the server, pick a user and assign a new token to him.
Select Yubikey AES mode as the type of the token, push the NEO button to populate the first field.
After that I’m told the OTP length is 44 characters and I enter the second and third generated keys in the OTP Key field… Unless those are the right keys (stripped spaces) the Enroll Token on the bottom of the page stays grayed out…

All good so far… I have a new token assigned to a new user.
Now I click the new Yubikey token to test it, “Test OTP only”. And it does NOT work…
The popup message says “AES key must be either 16, 24, or 32 bytes long”…

The first question I have:
All manuals tell me the Yubikey OTP is 44 characters long, aka 22 bytes (6+16).
Why is privacyIDEA expecting an AES key of a different length?

Since this is a virtual machine (with no internet access) I had troubles passing USB to it.
And that means I can’t use the (recommended) command line personalization tool…

I must be missing something, plain and simple… but can’t figure it out.

Anybody has any pointers?

Thanks.

diogenconsulting · June 11, 2017, 1:26am

Writing things down sometimes helps…
I think I understand it better but it still does NOT work.

When pressed, the NEO generates a 44-character long key.
The first 12 characters (6 bytes) are actually the Public Identity.
So, I keep the check-mark in the emit UID box (meaning the 12 characters get attached in front of the secret key.

Now I just put the secret key - last generated, 32 characters long - in the OTP Key field (16 bytes, AES compliant).
This is enough for the token to be allowed to enroll… Private Identity key is not used…

It does make sense. But still an error when testing. This time the message says “OTP verification failed”…

Jochen_Hein · June 11, 2017, 4:06am

I too had trouble enrolling a manually (with the personalization tool) configured yubikey into privacyidea.

I suggest using the privacyidea admin cli on your laptop/workstation. No need to get USB
to you VM…

$ privacyidea token yubikey_mass_enroll --help
usage: privacyidea token yubikey_mass_enroll [-h] [--yubiprefix YUBIPREFIX]
                                             [--yubiprefixrandom NUMBER]
                                             [--yubiprefixserial]
                                             [--yubimode {OATH,YUBICO,STATIC}]
                                             [--filename FILENAME]
                                             [--yubislot {1,2}] [--yubiCR]
                                             [--description DESCRIPTION]
                                             [--access ACCESS]
                                             [--newaccess NEWACCESS]

Something like that should work:

privacyidea token yubikey_mass_enroll --yubislot=2 --yubimode=YUBUCO --yubiprefix=6

Another (probably easier) thing to check is what the yubikey sends - slot 1 or slot 2?
Open a Terminal or an editor, press the key like you did when checking in privacyidea.

Locally programmed token should sent a prefix starting with “vv”, if slot 1 is still factory
programmed the prefix is “cc”. You should be able to get the keys from Yubico, if you
want to use the factory programmed token in privacyidea, but I’s suggest to just
reprogram slot 1.

On my Yubikey I have:

yubico token self programmed with privacyidea, authenticates against my local server
Challenge Response (used with keepass and pam)

cornelinux · June 11, 2017, 7:40pm

I follow the manual…

Can you please provide a link, so that we can improve this very part of the manual?
Thanks a lot
Cornelius

foot3print · June 12, 2017, 6:04am

Hi,

i also tested this with a yubikey Neo with NO problems. After initializing your yubikey with ykpersonalize, you will have an output of your pub id, private id, and aes key(otp secret). The one you should enter in the ‘OTP’ field in the enrollment page using the WebUI is the AES key. Its the longest one 32 hex. You can even leave the other values empty. After enrollment, test your OTP using the test box with OTP only. Or you could use the command privacyidea token yubikey_mass_enroll as stated from above comment. The only thing i noticed using the command in my case is that it only accepts admin accounts created with the pi-manage admin command. But thats another story.

For the docs/html:
Maybe it would help if the placeholder would be something like ‘Enter your AES (yubikey otp secret key) here’ or something? ^.^

PS. Also tried this in xenial with 2.18.1 and 2.19

Regards,

cornelinux · June 12, 2017, 3:00pm

Can you please provide a link to the manual you used, so that we can improve it?
On the other hand you are also welcome to issue a pull request.

Thanks a lot.

foot3print · June 13, 2017, 7:58am

@cornelinux

http://privacyidea.readthedocs.io/en/latest/configuration/tokens/yubikey.html

Would it be helpful if the label ‘OTP key’ with the placeholder ‘Enter OTP key…’ be replaced with something else? But this would also mean a change in the html. If this is ok with you:

Shared Secret (AES Key)

Or just the docs?

Regards,

cornelinux · June 13, 2017, 10:32am

Which 32 byte generated characters did you pass as OTP key?

Of course you must not enter this what the yubikey outputs as otpkey. But you need to enter that, what the yubikey-personalizatoin-gui generated at “secret key”!

cornelinux · June 13, 2017, 10:52am

Hi @diogenconsulting, @foot3print

I just pushed a bit more documentation, so it might be clearer.
I think here are some confusions between the OTP value, that the yubikey emits (44 chars) and the OTP secret aka OTP key, which is 32 chars (16 bytes).

github.com

privacyidea/privacyidea/blob/master/doc/configuration/tokens/yubikey.rst

.. _yubikey:

Yubikey
-------

.. index:: Yubikey, Yubico AES mode

The Yubikey is initialized with privacyIDEA and works in Yubicos own AES mode.
It outputs a 44 character OTP value, consisting of a 12 character prefix and
a 32 character OTP. But in contrast to the :ref:`yubico` Cloud
mode, in this mode the secret key is contained within the token and your own
privacyIDEA installation.

If you have the time and care about privacy, you should prefer the
Yubikey AES mode over the :ref:`yubico` Cloud mode.

There are three possible ways to enroll a Yubikey token. 

.. note:: We recommend that you use the ``privacyidea`` command line
   client, to initialize the Yubikeys. You can use the mass enrollment, which

This file has been truncated. show original

Hope this helps.

Thanks a lot for bringing this up.
Kind regards
Cornelius