function login_after($args) { if (!$this->is_enabled() || !$this->is_required()) { return $args; } $otp = get_input_value('_yubikey', RCUBE_INPUT_POST); $id = $this->get('yubikey_id'); $id2 = $this->get('yubikey_id2'); $id3 = $this->get('yubikey_id3'); $url = $this->get('yubikey_api_url'); $https = true; if (!empty($url) && ($_url = parse_url($url))) { if ($_url['scheme'] == "http") { $https = false; } $urlpart = $_url['host']; if (!empty($_url['port'])) { $urlpart .= ':' . $_url['port']; } $urlpart .= $_url['path']; } // make sure that there is a YubiKey ID in the user's prefs // and that it matches the first 12 characters of the OTP if (empty($id) && empty($id2) && empty($id3)) { $this->fail(); } if (substr($otp, 0, 12) !== $id && substr($otp, 0, 12) !== $id2 && substr($otp, 0, 12) !== $id3) { $this->fail(); } else { try { $yubi = new Auth_Yubico($this->get('yubikey_api_id'), $this->get('yubikey_api_key'), $https, true); if (!empty($urlpart)) { $yubi->addURLpart($urlpart); } $yubi->verify($otp); } catch (Exception $e) { $this->fail(); } } return $args; }
function validate_otp ($otp) { $this->load->library('Auth_Yubico',array()); $yubico = new Auth_Yubico(config_item('auth_yubico_id'),config_item('auth_yubico_key'),true); $response = $yubico->verify($otp); if ($response === true) { // Break OTP Into Parts $parts = $yubico->parsePasswordOTP($otp); // Decode ModHex Prefix to YKID return element('prefix',$parts); } else { $this->form_validation->set_message('validate_otp', 'Yubikey OTP is not valid. ('.$response->message.')'); return false; } }
require_once '/opt/Auth_Yubico-2.3/Yubico.php'; require_once './yubi_functions.php'; ## configuration $config = array('api_id' => '1', 'api_key' => '2l0alAfbbfG1R8Da77Ypig==', 'api_url' => 'localhost:88/cgi-bin/yubiverify2.0.tcl'); ## create and configure Auth_Yubico class $yubi = new Auth_Yubico($config['api_id'], $config['api_key']); $yubi->setURLpart($config['api_url']); $yubi->addURLpart($config['api_url']); ## get input from somewhere $input = 'ehc.d.kndcyccpckkgygeninyjpjkuiceuiducggbdtp'; echo "input: {$input}\n"; ## un-dvorak input if (!($input = normalize_modhex($input))) { die("cannot find keymap\n"); } ## check yubikey token aka public identity if (($parsed_otp = $yubi->parsePasswordOTP($input)) === false) { die("invalid OTP\n"); } if ($parsed_otp['prefix'] != 'djiehevlhiti') { ## this check is usually done via database die("invalid yubikey user\n"); } ## verify OTP $verify = $yubi->verify($input, null, true); echo "verify: {$verify}\n"; if (PEAR::isError($verify)) { echo "==[ auth failed ]==\n" . $yubi->_response . "\n"; } else { echo "==[ success ]==\n"; }
/** * Attempt to log in using the given username and password. * * On a successful login, this function should return the users attributes. On failure, * it should throw an exception. If the error was caused by the user entering the wrong * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown. * * Note that both the username and the password are UTF-8 encoded. * * @param string $username The username the user wrote. * @param string $password The password the user wrote. * @return array Associative array with the users attributes. */ protected function login($otp) { assert('is_string($otp)'); require_once dirname(dirname(dirname(dirname(__FILE__)))) . '/libextinc/Yubico.php'; $attributes = array(); try { $yubi = new Auth_Yubico($this->yubi_id, $this->yubi_key); $auth = $yubi->verify($otp); $uid = self::getYubiKeyPrefix($otp); $attributes = array('uid' => array($uid)); } catch (Exception $e) { SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': Validation error (otp ' . $otp . '), debug output: ' . $yubi->getLastResponse()); throw new SimpleSAML_Error_Error('WRONGUSERPASS', $e); } SimpleSAML\Logger::info('YubiKey:' . $this->authId . ': YubiKey otp ' . $otp . ' validated successfully: ' . $yubi->getLastResponse()); return $attributes; }
public function checkYubiPass($pass, $userStoredPass, $yubikey1, $yubikey2) { // yubikey generates 44 character, identity is the first 12 character $yubi1_identity = substr($yubikey1, 0, 12); $yubi2_identity = substr($yubikey2, 0, 12); $pass_identity = substr($pass, -44, 12); if ($pass_identity != $yubi1_identity and $pass_identity != $yubi2_identity) { // YubiKey not listed in account return false; } $yotp = substr($pass, -44); $pass = substr($pass, 0, strlen($pass) - 44); $yubi = new Auth_Yubico($this->yubico_client_id, $this->yubico_secret_key); $auth = $yubi->verify($yotp); return !PEAR::isError($auth) && AJXP_Utils::pbkdf2_validate_password($pass, $userStoredPass); }
function validateYubikey ($otp) { if ($otp == 'override') { return true; } else { $this->load->library('Auth_Yubico',array()); $this->load->config('auth'); $yubico = new Auth_Yubico(config_item('auth_yubico_id'),config_item('auth_yubico_key'),true); // Break OTP Into Parts $parts = $yubico->parsePasswordOTP($otp); // Decode ModHex Prefix to YKID $ykid = element('prefix',$parts); // Query DB for exsistence // NOTE: Does not check if key has permissions currently. $data = $this->db->limit(1)->get_where('auth_mf_yubikey',array('ykid'=>$ykid)); // Return False if Key Not Found if ($data->num_rows() != 1) { $this->form_validation->set_message('validateYubikey', 'Yubikey not linked to user account.'); return false; } // If Key Found, Validate with Yubico else { $response = $yubico->verify($otp); if ($response === true) { $pid = $data->row()->pid; $profile = $this->profile->get($pid); if ($profile->exists() === true AND $profile->is_employee()) { $this->acl->create_session($pid); $this->event->log('auth_success',$pid); return true; } elseif ($profile->exists() === true) { $this->form_validation->set_message('validateYubikey', $profile->name->full.' is not an employee.'); return false; } else { $this->form_validation->set_message('validateYubikey', 'Could not find profile. ('.$pid.')'); return false; } } else { $this->form_validation->set_message('validateYubikey', 'Yubico declined key ('.$response->message.').'); $this->event->log('auth_failure_mf_yubikey',false,array('error'=>$response->message)); return false; } } } }
public function action_login() { $this->template->page_title = 'Anmelden'; $this->template->content = View::factory('user/login'); $this->template->content->state = $this->request->param('state'); if (Request::GET === $this->request->method()) { } if (Request::POST === $this->request->method()) { $this->template->content->success = false; // try to login $username = $this->request->post('username'); $password = $this->request->post('password'); if (NULL === $username || NULL === $password) { $this->request->redirect('/login/failed'); } // redirect after... if (TRUE === Auth::instance()->login($username, $password)) { if (Auth::instance()->get_user()->locked) { Auth::instance()->logout(true); $this->redirect('/login/locked'); } ORM::factory('Log')->log('login', 'user logged in: ' . $username); Session::instance()->set('upw', $password); // SECUUUURIIITTYYYYY ... )^o^( $user = ORM::factory('User', Auth::instance()->get_user()->id); if (!$user->private_key || !$user->public_key) { // generate keypair $rsa = new Crypt_RSA(); $keys = (object) $rsa->createKey(2048); // encrypt keypair with users password $encryption = Kohana_Encrypt::instance(); $encryption->_key = helper::pbkdf2($password, $this->encryption_config->key); $keys->privatekey = $encryption->encode($keys->privatekey); // save encrypted keypair $user->private_key = $keys->privatekey; $user->public_key = $keys->publickey; $user->save(); } if (Auth::instance()->get_user()->yubikey_identity && substr($this->request->post('yubikey_otp'), 0, 11) === Auth::instance()->get_user()->yubikey_identity) { $yubico_config = (object) Kohana::$config->load('yubico.default'); $yubi = new Auth_Yubico($yubico_config->client_id, $yubico_config->secret_key); $auth = $yubi->verify($this->request->post('yubikey_otp')); if (PEAR::isError($auth)) { Auth::instance()->logout(true); ORM::factory('Log')->log('login', 'failed otp: ' . $username); $this->redirect('/login/failed-otp'); } else { ORM::factory('Log')->log('login', 'otp success: ' . $username); $this->redirect('/dashboard'); } } else { $this->redirect('/dashboard'); } } else { ORM::factory('Log')->log('login_error', 'user could not login: '******'Login'; }
public function checkYubiOTP($otp_code, $yubikey1, $yubikey2) { // yubikey generates 44 character, identity is the first 12 character $yubi1_identity = substr($yubikey1, 0, 12); $yubi2_identity = substr($yubikey2, 0, 12); $otp_identity = substr($otp_code, -44, 12); if ($otp_identity != $yubi1_identity and $otp_identity != $yubi2_identity) { // YubiKey not listed in account return false; } $yotp = substr($otp_code, -44); $otp_code = substr($otp_code, 0, strlen($otp_code) - 44); $yubi = new Auth_Yubico($this->yubicoClientId, $this->yubicoSecretKey); $auth = $yubi->verify($yotp); return !PEAR::isError($auth); }
} # Convert passwordkey fields into password + key variables if ($passwordkey) { $ret = Auth_Yubico::parsePasswordOTP($passwordkey); } else { $ret = Auth_Yubico::parsePasswordOTP($key); } if (!$ret) { $authenticated = 31; return; } $identity = $ret['prefix']; $key = $ret['otp']; # Check OTP $yubi = new Auth_Yubico($CFG[__CLIENT_ID__], $CFG[__CLIENT_KEY__]); $auth = $yubi->verify($key); if (PEAR::isError($auth)) { $authenticated = 1; return; } else { $authenticated = 0; } # Fetch realname $dbconn = pg_connect($CFG[__PGDB__]) or error_log('Could not connect: ' . pg_last_error()); if (!$dbconn) { $authenticated = 2; return; } # Admin mode doesn't need realname or username/password-checking if ($mode == "admin") { return;
</tr> </table> </form> <?php require_once getcwd() . '/Yubico.php'; $yubi = new Auth_Yubico($id, $key, $https, $httpsverify); if ($ask_url) { $urls = explode(",", $url); foreach ($urls as $u) { $yubi->addURLpart($u); } } $auth = $yubi->verify($otp, false, $wait_for_all, $sl, $timeout); ?> <h2>Last Client Query</h2> <pre> <?php print str_replace(" ", "\n", $yubi->getLastQuery() . " "); ?> </pre> <h2>Server Responses</h2> <pre> <?php print $yubi->getLastResponse();
protected function action_yubikey() { $y = $_POST['yubikey']; if (strlen($y) > 34) { $identity = substr($y, 0, strlen($y) - 32); $stmt = $this->db->query('select identity from user where userid = :userid', array('userid' => $_SESSION['userid_pending'])); if (($row = $stmt->fetch()) && $row['identity'] == $identity) { $yubi = new \Auth_Yubico(CLIENT_ID, CLIENT_KEY); if ($yubi->verify($y) === true) { if (!isset($_SESSION['expired'])) { $security = new Security(); $security->store_verification($_SESSION['userid_pending'], true); } $this->is_verified(); return; } } } $this->show_form_yubikey(); $this->message('Invalid YubiKey OTP'); }