How To Do Mass Enrolling Of Yubikey With LinOTP
Sunday, 07 April 2013
Source: http://www.howtoforge.com/how-to-do-mass-enrolling-of-yubikey-with-linotp
The Yubikey comes shipped with a secret that can be used to authenticate against the Yubico online service. In many cases this is not acceptable, since you wish to control your secret and the authentication process yourself.
The Yubikey also offers the possibility to work as an RFC compliant HOTP token. In a rollout process the secret HMAC key can be written to the Yubikey. To achieve this, Yubico also provides a python module.
LinOTP is a Linux-based open source authentication server that supports many different OTP mechanisms like mOTP, TOTP, HOTP, OCRA, SMS, daily passwords and others. When you initialize the Yubikey as an HOTP token, you can easily run the Yubikey with LinOTP.
Since LinOTP 2.4.1 (current version at date of writing: 2.5.0), which was released in November 2011, LinOTP supports the mass enrolling of Yubikeys.
Installing LinOTP server
There are different ways to install the LinOTP server. LinOTP is a Python-based web application, so you can install LinOTP from scratch. All open source packages are published on the Python Package Index (PyPI), so you can install LinOTP using your preferred method such as easy_install or pip.
How to do this can be found here.
There are also deb packages available, either from the homepage or from a repository. This shows you how to use the repository to easily install LinOTP. The latest packages in the repository were built with Ubuntu 12.04 LTS.
So now we assume you have installed your LinOTP server, set up your administrator and configured your userstore.
Install the LinOTP admin client
LinOTP also provides an open source admin client, which is a command line client. It has somewhat limited abilities, but it also provides features which the Web UI does not. You can also install the admin client either using pip or the configured repository.
If you configured the repository, installing the admin client is as easy as doing
apt-get install linotpadminclientce
If you used easy_install or pip, you can install the client from PyPI:
pip install linotpadminclientce
Now you are done.
Enrolling Yubikeys
USB access
Usually your normal user will not have access to write the HMAC key to the Yubikey. You could either run the linotpadm command as root (bad idea) or define a udev rule, so that your console user can access the Yubikey. Create a file /etc/udev/rules.d/70-yubikey-enrollment.rules (the rule was taken from yubikey-personalization):
vi /etc/udev/rules.d/70-yubikey-enrollment.rules
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
ACTION=="add|change", SUBSYSTEM=="usb", \
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"
Enroll Yubikey
Now you can issue the command:
% linotpadm.py -U https://localhost -a admin -C yubikey_mass_enroll
Which will give you the output:
Please enter password for 'admin':
Please insert the next yubikey and press enter (x=Exit):
{ u'status': True, u'value': True}
Please insert the next yubikey and press enter (x=Exit): x
You can insert as many Yubikeys as you like and hit Enter after each one. When you are done enrolling all your Yubikeys, just enter 'x'.
linotpadm.py reads the serial number from the Yubikey and puts this token into the LinOTP token database with the serial YUBI123456 (according to the Yubikey serial number). Thus it is easy to identify that this HOTP token is in fact a Yubikey.
The Yubikey serial number is printed on its back, so that you can now start assigning tokens to your users.
Happy Authenticating!