I asked a similar question before
but was managing with software OTP tokens just fine… Until now, that is.
I can’t figure out how to make the Yubikey NEO work as OTP with privacyIDEA.
I follow the manual…
Start with downloading the Yubico Personalization Tool (on Windows) and configure Slot 2.
Essentially, generate three hex numbers, 6, 6 and 16 bytes long,
called Public Identity, Private Identity and Secret Key, respectively… Write them onto the key…
Then point the browser to the server, pick a user and assign a new token to him.
Select Yubikey AES mode as the type of the token, push the NEO button to populate the first field.
After that I’m told the OTP length is 44 characters and I enter the second and third generated keys in the OTP Key field… Unless those are the right keys (with spaces stripped), the Enroll Token button at the bottom of the page stays grayed out…
All good so far… I have a new token assigned to a new user.
Now I click the new Yubikey token to test it, “Test OTP only”. And it does NOT work…
The popup message says “AES key must be either 16, 24, or 32 bytes long”…
The first question I have:
All manuals tell me the Yubikey OTP is 44 characters long, aka 22 bytes (6+16).
Why is privacyIDEA expecting an AES key of a different length?
Since this is a virtual machine (with no internet access) I had trouble passing USB through to it,
and that means I can’t use the (recommended) command-line personalization tool…
I must be missing something, plain and simple… but can’t figure it out.
Does anybody have any pointers?
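The enrollment flow described in the question, as an added example in Go (it is not privacyIDEA's or Yubico's code): it builds a Yubico OTP from constructed sample identities and a constructed 16-byte secret key, parses it back, and makes the AES key-length check visible. In the Yubico OTP format the 44 modhex characters are the 6-byte public identity in the clear followed by one AES-128 ECB block (16 bytes) carrying the private identity, counters, a random value and a CRC; the AES key is the 16-byte secret key alone, and the private identity travels inside the encrypted block, so a 22-byte value made of private identity plus secret key is not a valid AES key size. The hex constants, field values and helper names (SampleToken, GenerateOTP, ParseOTP, KeyLengthError) are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample key material for this example (not real key material).
// The Personalization Tool produces a 6-byte public identity, a 6-byte
// private identity and a 16-byte secret key; only the secret key is the AES key.
const (
	ExamplePublicIDHex  = "cafe0001beef"
	ExamplePrivateIDHex = "a1b2c3d4e5f6"
	ExampleSecretKeyHex = "000102030405060708090a0b0c0d0e0f"
)

const modhexAlphabet = "cbdefghijklnrtuv" // modhex digit i is alphabet[i]

// Token holds the fields of one Yubico OTP: PublicID in the clear, the rest
// inside the AES-128 block.
type Token struct {
	PublicID   [6]byte
	PrivateID  [6]byte
	Counter    uint16 // power-up counter, little-endian on the wire
	Timestamp  uint32 // 24-bit 8 Hz timestamp, little-endian
	SessionUse uint8  // OTP number within the current power-up session
	Random     uint16
}

// SampleToken builds a token from the constructed sample identities (assumed values).
func SampleToken() Token {
	var t Token
	pub, _ := hex.DecodeString(ExamplePublicIDHex)
	priv, _ := hex.DecodeString(ExamplePrivateIDHex)
	copy(t.PublicID[:], pub)
	copy(t.PrivateID[:], priv)
	t.Counter, t.Timestamp, t.SessionUse, t.Random = 7, 0x0a1b2c, 3, 0xbeef
	return t
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhexAlphabet[x>>4])
		sb.WriteByte(modhexAlphabet[x&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	if len(s)%2 != 0 {
		return nil, errors.New("modhex string has odd length")
	}
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhexAlphabet, s[i]), strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("invalid modhex characters %q", s[i:i+2])
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the CRC-16/X-25 variant used by Yubico OTPs (reflected poly 0x8408,
// init 0xffff, no final XOR). A block with a valid inverted CRC appended yields 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0x8408
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// KeyLengthError decodes a hex key and reports what aes.NewCipher thinks of its
// length: only 16, 24 or 32 bytes are accepted.
func KeyLengthError(keyHex string) error {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return err
	}
	_, err = aes.NewCipher(key)
	return err
}

// GenerateOTP encrypts the token fields with the 16-byte secret key and returns
// the 44-character modhex string as the key itself would type it.
func GenerateOTP(key []byte, t Token) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var pt, ct [16]byte
	copy(pt[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(pt[6:8], t.Counter)
	pt[8], pt[9], pt[10] = byte(t.Timestamp), byte(t.Timestamp>>8), byte(t.Timestamp>>16)
	pt[11] = t.SessionUse
	binary.LittleEndian.PutUint16(pt[12:14], t.Random)
	binary.LittleEndian.PutUint16(pt[14:16], ^crc16(pt[:14])) // inverted CRC over the first 14 bytes
	block.Encrypt(ct[:], pt[:])
	return modhexEncode(t.PublicID[:]) + modhexEncode(ct[:]), nil
}

// ParseOTP decodes a 44-character OTP, decrypts the block with the secret key and
// verifies the CRC residue; a wrong key or a tampered OTP fails that check.
func ParseOTP(key []byte, otp string) (Token, error) {
	var t Token
	if len(otp) != 44 {
		return t, fmt.Errorf("expected 44 modhex characters, got %d", len(otp))
	}
	raw, err := modhexDecode(otp)
	if err != nil {
		return t, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return t, err
	}
	copy(t.PublicID[:], raw[:6])
	var pt [16]byte
	block.Decrypt(pt[:], raw[6:22])
	if crc16(pt[:]) != 0xf0b8 {
		return t, errors.New("CRC check failed: wrong AES key or corrupted OTP")
	}
	copy(t.PrivateID[:], pt[0:6])
	t.Counter = binary.LittleEndian.Uint16(pt[6:8])
	t.Timestamp = uint32(pt[8]) | uint32(pt[9])<<8 | uint32(pt[10])<<16
	t.SessionUse = pt[11]
	t.Random = binary.LittleEndian.Uint16(pt[12:14])
	return t, nil
}

func main() {
	key, _ := hex.DecodeString(ExampleSecretKeyHex)
	otp, err := GenerateOTP(key, SampleToken())
	if err != nil {
		panic(err)
	}
	fmt.Println("OTP:", otp, "length:", len(otp))
	tok, err := ParseOTP(key, otp)
	fmt.Printf("parsed: %+v err=%v\n", tok, err)
	// Pasting private identity + secret key (22 bytes) as the AES key is rejected:
	fmt.Println("22-byte key:", KeyLengthError(ExamplePrivateIDHex+ExampleSecretKeyHex))
	fmt.Println("16-byte key:", KeyLengthError(ExampleSecretKeyHex))
}
```

Run it with `go run`: the 22-byte key is rejected by aes.NewCipher with an invalid key size error, while the 16-byte secret key round-trips and the decrypted block passes the 0xf0b8 residue check. The same key-length rule applies to any verifier, which is why only the 32 hex characters of the secret key belong in an AES key field.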