YubikeyU2F + Ubuntu1604 + VMware

I’m using privacyIDEA 2.17 installed on a virtual machine (under ESXi
5.5) running Ubuntu 16.04.

The software tokens work perfectly: connecting to a Cisco firewall using
AnyConnect and querying the privacyIDEA server using freeRADIUS.

Now, I wanted to try the hardware options. Cornelius has a nice video on
YouTube showing how to enroll a U2F USB key


My understanding is that privacyIDEA runs in this demonstration on a
physical laptop, i.e. NOT a virtual machine.

Here is my question: how do I accomplish the same with privacyIDEA running
virtual?
I believe the problem is passing the U2F key to the VM.

I did two things trying to accomplish this:

I can see the U2F key attached to the host. I can pass it to the VM.
But when trying to enroll the key - default realm, default resolver,
/etc/passwd account - I get a popup that says
'NoneType' object has no attribute 'strip'

Anybody tried this? Made it work? Any pointers.

Thanks.

> I don’t think it’s required to pass the token to the server-VM.

I think it has to be done once, the first time, to get enrolled.
Later it can be un-assigned, re-assigned, etc.
And authentication will be performed by using any USB port on any
computer…

> Can you look for the backtrace in /var/log/privacyidea.log? There should
> be some hints where to look.

That error message is no more, after I followed Darren's advice and pointed
the URL to the server…

But timeouts don’t go away…

diogenconsulting@gmail.com writes:

> I can see the U2F key attached to the host. I can pass it to the VM.

I don’t think it’s required to pass the token to the server-VM.

> But when trying to enroll the key - default realm, default resolver,
> /etc/passwd account - I get a popup that says
> 'NoneType' object has no attribute 'strip'

Can you look for the backtrace in /var/log/privacyidea.log? There should
be some hints where to look.

Jochen
--
This space is intentionally left blank.

OK.
After posting I saw the other U2F question posted (and answered) by Darren.

Same problem - error message - and how to fix it.

It does work in my case as well - the error message goes away.

BUT, the system ALWAYS times out, i.e. pressing the key (or re-plugging it)
is not detected by the VM.
Hence, the U2F Yubikey does not get enrolled…

Any comments?

Thanks.

Thanks, Cornelius.

RE: Enrollment
I must be missing something… The U2F Yubikey has to be in the list of
available tokens on the privacyIDEA server before it can be used.
Are you saying the browser (on the desktop, with the key attached) will
pass the required information and add the key to the database?

RE: AnyConnect & hardware keys
Are you saying that U2F - as a protocol - works only with browsers?
Or is it the limitation of the privacyIDEA server implementation of the
protocol?

I do have the exact same (by the looks of it) YubiKey shown in your video.
Bought at Amazon
https://www.amazon.ca/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8/ref=sr_1_sc_3?ie=UTF8&qid=1489587586&sr=8-3-spell&keywords=yobikey

Thanks again.

On Wednesday, March 15, 2017 at 5:21:20 AM UTC-5, Cornelius Kölbel wrote:

> U2F is supposed to work with your browser.
> Thus: Do not connect it to the VM but to your local browser.
>
> Don’t use U2F. It will not work with AnyConnect by design.
> If you want to use hardware get a yubikey and use HOTP or Yubico Mode.
>
> Kind regards
> Cornelius

> On Tuesday, March 14, 2017 19:38:07 UTC+1, diogenco...@gmail.com wrote:
>
> > […]


On Wednesday, March 15, 2017 15:20:36 UTC+1, diogenconsulting@gmail.com wrote:

> Thanks, Cornelius.
>
> RE: Enrollment
> I must be missing something… The U2F Yubikey has to be in the list of
> available tokens on the privacyIDEA server before it can be used.
> Are you saying the browser (on the desktop, with the key attached) will
> pass the required information and add the key to the database?

Yes.

> RE: AnyConnect & hardware keys
> Are you saying that U2F - as a protocol - works only with browsers?

Yes. It is designed for the web. It could run with other applications.
No standard. Probably not AnyConnect!

> Or is it the limitation of the privacyIDEA server implementation of the
> protocol?

No limitation of privacyIDEA.

Kind regards
Cornelius

> I do have the exact same (by the looks of it) YubiKey shown in your video.
> Bought at Amazon
>
> https://www.amazon.ca/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8/ref=sr_1_sc_3?ie=UTF8&qid=1489587586&sr=8-3-spell&keywords=yobikey
>
> Thanks again.

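Cornelius's point above is that a hardware key used through AnyConnect and freeRADIUS has to produce something that fits into a password field, which is what a YubiKey in HOTP mode does, whereas U2F is a challenge/response mediated by the browser. The following is an added example, not privacyIDEA's code and not from anyone in this thread: it validates an RFC 4226 HOTP value the way an OTP server behind a RADIUS front end would, with a look-ahead window for resynchronisation and rejection of replayed values, and splits a single password string into PIN and OTP. The PIN-then-OTP layout, the constructed DEMO_DB record and the use of the RFC 4226 test-vector key as the token secret are assumptions made for the example.

```python
# Added example (not privacyIDEA's or the thread's code): RFC 4226 HOTP
# validation as an OTP server behind a RADIUS front end would do it. The OTP
# is a short digit string, so it travels in the RADIUS password attribute;
# that is why a YubiKey in HOTP mode works with AnyConnect while U2F, which
# needs a browser-mediated challenge/response, does not.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then the
    dynamic truncation of RFC 4226 section 5.3, left-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, next_counter: int, candidate: str,
                window: int = 10, digits: int = 6):
    """Return (accepted, new_next_counter).

    Counters from next_counter up to next_counter + window - 1 are tried, so a
    key that was pressed without the OTP reaching the server can resync;
    counters below next_counter are never tried, which rejects a replayed OTP.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return False, next_counter
    for c in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return True, c + 1
    return False, next_counter


# Constructed demo token store (assumption of this example); the secret is
# the RFC 4226 test-vector key, not a real token's seed.
DEMO_DB = {
    "alice": {"pin": "1234", "secret": b"12345678901234567890", "next_counter": 0},
}


def radius_authenticate(db: dict, user: str, password: str,
                        digits: int = 6, window: int = 10) -> bool:
    """Check one RADIUS-style password string laid out as PIN + OTP
    (the PIN-prefix layout is an assumption of this example). Both parts are
    always evaluated before deciding, and the stored counter advances only on
    success, so the same OTP cannot be accepted twice."""
    rec = db.get(user)
    if rec is None or len(password) < digits:
        return False
    pin, otp = password[:-digits], password[-digits:]
    pin_ok = hmac.compare_digest(pin.encode(), rec["pin"].encode())
    otp_ok, new_counter = verify_hotp(rec["secret"], rec["next_counter"],
                                      otp, window, digits)
    if not (pin_ok and otp_ok):
        return False
    rec["next_counter"] = new_counter
    return True


if __name__ == "__main__":
    # The first OTP of the test key (counter 0) is 755224, RFC 4226 appendix D.
    print(radius_authenticate(DEMO_DB, "alice", "1234755224"))  # True
    print(radius_authenticate(DEMO_DB, "alice", "1234755224"))  # False: replay
```

The look-ahead window is what makes a key that was pressed a few times without the code being submitted still usable; the server only ever moves the counter forward, which is the property that lets a typed-in string stand in for a live challenge/response.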

Thank you very much, Cornelius!

It worked!
No fiddling with the server side, just sitting at the desktop…

Too bad I can’t use it with AnyConnect, but TOTP software tokens will do
for now.
And will get other Yubikeys to try…

Thanks again.

{Can be closed}