function onStartLoginAction($action, $user)
{
$rawotp = $action->trimmed('otp');
//may want to parse later?
$otp = Auth_Yubico::parsePasswordOTP($rawotp);
if (!is_array($otp)) {
common_log(LOG_ERR, 'Yubikey:: Could not parse One Time Passcode.');
$action->showForm('Could not parse Yubikey One Time Passcode.');
return false;
}
$identity = $otp['prefix'];
$key = $otp['otp'];
common_log(LOG_DEBUG, 'User: '******' OTP: ' . $key . ', prefix: ' . $identity);
if (!User_yubikey::verifyYubikeyID($user->id, $identity)) {
common_log(LOG_DEBUG, 'Yubikey:: User: '******' does not have a Yubikey on record.');
// Return true because they dont have a yubikey associated and can continue
return true;
}
if ($this->_checkYubikeyOTP($key)) {
return true;
} else {
$action->showForm(_('Yubikey authentication failed.'));
return false;
}
}
function validate_otp ($otp)
{
$this->load->library('Auth_Yubico',array());
$yubico = new Auth_Yubico(config_item('auth_yubico_id'),config_item('auth_yubico_key'),true);
$response = $yubico->verify($otp);
if ($response === true)
{
// Break OTP Into Parts
$parts = $yubico->parsePasswordOTP($otp);
// Decode ModHex Prefix to YKID
return element('prefix',$parts);
}
else
{
$this->form_validation->set_message('validate_otp', 'Yubikey OTP is not valid. ('.$response->message.')');
return false;
}
}
function login_after($args)
{
if (!$this->is_enabled() || !$this->is_required()) {
return $args;
}
$otp = get_input_value('_yubikey', RCUBE_INPUT_POST);
$id = $this->get('yubikey_id');
$id2 = $this->get('yubikey_id2');
$id3 = $this->get('yubikey_id3');
$url = $this->get('yubikey_api_url');
$https = true;
if (!empty($url) && ($_url = parse_url($url))) {
if ($_url['scheme'] == "http") {
$https = false;
}
$urlpart = $_url['host'];
if (!empty($_url['port'])) {
$urlpart .= ':' . $_url['port'];
}
$urlpart .= $_url['path'];
}
// make sure that there is a YubiKey ID in the user's prefs
// and that it matches the first 12 characters of the OTP
if (empty($id) && empty($id2) && empty($id3)) {
$this->fail();
}
if (substr($otp, 0, 12) !== $id && substr($otp, 0, 12) !== $id2 && substr($otp, 0, 12) !== $id3) {
$this->fail();
} else {
try {
$yubi = new Auth_Yubico($this->get('yubikey_api_id'), $this->get('yubikey_api_key'), $https, true);
if (!empty($urlpart)) {
$yubi->addURLpart($urlpart);
}
$yubi->verify($otp);
} catch (Exception $e) {
$this->fail();
}
}
return $args;
}
/**
* Attempt to log in using the given username and password.
*
* On a successful login, this function should return the users attributes. On failure,
* it should throw an exception. If the error was caused by the user entering the wrong
* username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
*
* Note that both the username and the password are UTF-8 encoded.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
* @return array Associative array with the users attributes.
*/
protected function login($otp)
{
assert('is_string($otp)');
require_once dirname(dirname(dirname(dirname(__FILE__)))) . '/libextinc/Yubico.php';
$attributes = array();
try {
$yubi = new Auth_Yubico($this->yubi_id, $this->yubi_key);
$auth = $yubi->verify($otp);
$uid = self::getYubiKeyPrefix($otp);
$attributes = array('uid' => array($uid));
} catch (Exception $e) {
SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': Validation error (otp ' . $otp . '), debug output: ' . $yubi->getLastResponse());
throw new SimpleSAML_Error_Error('WRONGUSERPASS', $e);
}
SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': YubiKey otp ' . $otp . ' validated successfully: ' . $yubi->getLastResponse());
return $attributes;
}
<?php
## this example requires php-yubico: http://code.google.com/p/php-yubico/
require_once '/opt/Auth_Yubico-2.3/Yubico.php';
require_once './yubi_functions.php';
## configuration
$config = array('api_id' => '1', 'api_key' => '2l0alAfbbfG1R8Da77Ypig==', 'api_url' => 'localhost:88/cgi-bin/yubiverify2.0.tcl');
## create and configure Auth_Yubico class
$yubi = new Auth_Yubico($config['api_id'], $config['api_key']);
$yubi->setURLpart($config['api_url']);
$yubi->addURLpart($config['api_url']);
## get input from somewhere
$input = 'ehc.d.kndcyccpckkgygeninyjpjkuiceuiducggbdtp';
echo "input: {$input}\n";
## un-dvorak input
if (!($input = normalize_modhex($input))) {
die("cannot find keymap\n");
}
## check yubikey token aka public identity
if (($parsed_otp = $yubi->parsePasswordOTP($input)) === false) {
die("invalid OTP\n");
}
if ($parsed_otp['prefix'] != 'djiehevlhiti') {
## this check is usually done via database
die("invalid yubikey user\n");
}
## verify OTP
$verify = $yubi->verify($input, null, true);
echo "verify: {$verify}\n";
if (PEAR::isError($verify)) {
echo "==[ auth failed ]==\n" . $yubi->_response . "\n";
public function checkYubiPass($pass, $userStoredPass, $yubikey1, $yubikey2)
{
// yubikey generates 44 character, identity is the first 12 character
$yubi1_identity = substr($yubikey1, 0, 12);
$yubi2_identity = substr($yubikey2, 0, 12);
$pass_identity = substr($pass, -44, 12);
if ($pass_identity != $yubi1_identity and $pass_identity != $yubi2_identity) {
// YubiKey not listed in account
return false;
}
$yotp = substr($pass, -44);
$pass = substr($pass, 0, strlen($pass) - 44);
$yubi = new Auth_Yubico($this->yubico_client_id, $this->yubico_secret_key);
$auth = $yubi->verify($yotp);
return !PEAR::isError($auth) && AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass);
}
function validateYubikey ($otp)
{
if ($otp == 'override')
{
return true;
}
else
{
$this->load->library('Auth_Yubico',array());
$this->load->config('auth');
$yubico = new Auth_Yubico(config_item('auth_yubico_id'),config_item('auth_yubico_key'),true);
// Break OTP Into Parts
$parts = $yubico->parsePasswordOTP($otp);
// Decode ModHex Prefix to YKID
$ykid = element('prefix',$parts);
// Query DB for exsistence
// NOTE: Does not check if key has permissions currently.
$data = $this->db->limit(1)->get_where('auth_mf_yubikey',array('ykid'=>$ykid));
// Return False if Key Not Found
if ($data->num_rows() != 1)
{
$this->form_validation->set_message('validateYubikey', 'Yubikey not linked to user account.');
return false;
}
// If Key Found, Validate with Yubico
else
{
$response = $yubico->verify($otp);
if ($response === true)
{
$pid = $data->row()->pid;
$profile = $this->profile->get($pid);
if ($profile->exists() === true AND $profile->is_employee())
{
$this->acl->create_session($pid);
$this->event->log('auth_success',$pid);
return true;
}
elseif ($profile->exists() === true)
{
$this->form_validation->set_message('validateYubikey', $profile->name->full.' is not an employee.');
return false;
}
else
{
$this->form_validation->set_message('validateYubikey', 'Could not find profile. ('.$pid.')');
return false;
}
}
else
{
$this->form_validation->set_message('validateYubikey', 'Yubico declined key ('.$response->message.').');
$this->event->log('auth_failure_mf_yubikey',false,array('error'=>$response->message));
return false;
}
}
}
}
public function action_login()
{
$this->template->page_title = 'Anmelden';
$this->template->content = View::factory('user/login');
$this->template->content->state = $this->request->param('state');
if (Request::GET === $this->request->method()) {
}
if (Request::POST === $this->request->method()) {
$this->template->content->success = false;
// try to login
$username = $this->request->post('username');
$password = $this->request->post('password');
if (NULL === $username || NULL === $password) {
$this->request->redirect('/login/failed');
}
// redirect after...
if (TRUE === Auth::instance()->login($username, $password)) {
if (Auth::instance()->get_user()->locked) {
Auth::instance()->logout(true);
$this->redirect('/login/locked');
}
ORM::factory('Log')->log('login', 'user logged in: ' . $username);
Session::instance()->set('upw', $password);
// SECUUUURIIITTYYYYY ... )^o^(
$user = ORM::factory('User', Auth::instance()->get_user()->id);
if (!$user->private_key || !$user->public_key) {
// generate keypair
$rsa = new Crypt_RSA();
$keys = (object) $rsa->createKey(2048);
// encrypt keypair with users password
$encryption = Kohana_Encrypt::instance();
$encryption->_key = helper::pbkdf2($password, $this->encryption_config->key);
$keys->privatekey = $encryption->encode($keys->privatekey);
// save encrypted keypair
$user->private_key = $keys->privatekey;
$user->public_key = $keys->publickey;
$user->save();
}
if (Auth::instance()->get_user()->yubikey_identity && substr($this->request->post('yubikey_otp'), 0, 11) === Auth::instance()->get_user()->yubikey_identity) {
$yubico_config = (object) Kohana::$config->load('yubico.default');
$yubi = new Auth_Yubico($yubico_config->client_id, $yubico_config->secret_key);
$auth = $yubi->verify($this->request->post('yubikey_otp'));
if (PEAR::isError($auth)) {
Auth::instance()->logout(true);
ORM::factory('Log')->log('login', 'failed otp: ' . $username);
$this->redirect('/login/failed-otp');
} else {
ORM::factory('Log')->log('login', 'otp success: ' . $username);
$this->redirect('/dashboard');
}
} else {
$this->redirect('/dashboard');
}
} else {
ORM::factory('Log')->log('login_error', 'user could not login: '******'Login';
}
public function checkYubiOTP($otp_code, $yubikey1, $yubikey2)
{
// yubikey generates 44 character, identity is the first 12 character
$yubi1_identity = substr($yubikey1, 0, 12);
$yubi2_identity = substr($yubikey2, 0, 12);
$otp_identity = substr($otp_code, -44, 12);
if ($otp_identity != $yubi1_identity and $otp_identity != $yubi2_identity) {
// YubiKey not listed in account
return false;
}
$yotp = substr($otp_code, -44);
$otp_code = substr($otp_code, 0, strlen($otp_code) - 44);
$yubi = new Auth_Yubico($this->yubicoClientId, $this->yubicoSecretKey);
$auth = $yubi->verify($yotp);
return !PEAR::isError($auth);
}
$passwordkey = $password . ':' . $key;
}
# Convert passwordkey fields into password + key variables
if ($passwordkey) {
$ret = Auth_Yubico::parsePasswordOTP($passwordkey);
} else {
$ret = Auth_Yubico::parsePasswordOTP($key);
}
if (!$ret) {
$authenticated = 31;
return;
}
$identity = $ret['prefix'];
$key = $ret['otp'];
# Check OTP
$yubi = new Auth_Yubico($CFG[__CLIENT_ID__], $CFG[__CLIENT_KEY__]);
$auth = $yubi->verify($key);
if (PEAR::isError($auth)) {
$authenticated = 1;
return;
} else {
$authenticated = 0;
}
# Fetch realname
$dbconn = pg_connect($CFG[__PGDB__]) or error_log('Could not connect: ' . pg_last_error());
if (!$dbconn) {
$authenticated = 2;
return;
}
# Admin mode doesn't need realname or username/password-checking
if ($mode == "admin") {
print $otp;
?>
"></td>
</tr>
<tr>
<td colspan=2><input type=submit></td>
</tr>
</table>
</form>
<?php
require_once getcwd() . '/Yubico.php';
$yubi = new Auth_Yubico($id, $key, $https, $httpsverify);
if ($ask_url) {
$urls = explode(",", $url);
foreach ($urls as $u) {
$yubi->addURLpart($u);
}
}
$auth = $yubi->verify($otp, false, $wait_for_all, $sl, $timeout);
?>
<h2>Last Client Query</h2>
<pre>
<?php
print str_replace(" ", "\n", $yubi->getLastQuery() . " ");
?>
protected function action_yubikey()
{
$y = $_POST['yubikey'];
if (strlen($y) > 34) {
$identity = substr($y, 0, strlen($y) - 32);
$stmt = $this->db->query('select identity from
user where userid = :userid', array('userid' => $_SESSION['userid_pending']));
if (($row = $stmt->fetch()) && $row['identity'] == $identity) {
$yubi = new \Auth_Yubico(CLIENT_ID, CLIENT_KEY);
if ($yubi->verify($y) === true) {
if (!isset($_SESSION['expired'])) {
$security = new Security();
$security->store_verification($_SESSION['userid_pending'], true);
}
$this->is_verified();
return;
}
}
}
$this->show_form_yubikey();
$this->message('Invalid YubiKey OTP');
}
