/**
 * Login hook: enforce a Yubikey OTP as a second factor when the logging-in
 * user has the submitted key on record.
 *
 * Returns false (after re-showing the form with an error) when the OTP does
 * not parse or does not verify. Returns true when verification succeeds, and
 * also when the prefix is not registered to this user, in which case login
 * continues without a second factor.
 *
 * @param object $action  login action; supplies the 'otp' form field and showForm()
 * @param object $user    user being authenticated (only ->id is read here)
 * @return bool
 */
function onStartLoginAction($action, $user) {
    $rawotp = $action->trimmed('otp');
    //may want to parse later?
    // parsePasswordOTP splits the submitted string into the public prefix and the OTP body;
    // anything other than an array means the input was not a well-formed OTP.
    $otp = Auth_Yubico::parsePasswordOTP($rawotp);
    if (!is_array($otp)) {
        common_log(LOG_ERR, 'Yubikey:: Could not parse One Time Passcode.');
        $action->showForm('Could not parse Yubikey One Time Passcode.');
        return false;
    }
    $identity = $otp['prefix'];
    $key = $otp['otp'];
    // NOTE(review): '******' on the two log lines below looks like a redaction artifact in
    // this copy of the source; the original presumably named the user there.
    // NOTE(review): this debug line writes the full OTP ($key) to the log. A one-time code
    // is still a credential until the validation service has consumed it; logging only
    // the prefix ($identity) would be enough for diagnostics.
    common_log(LOG_DEBUG, 'User: '******' OTP: ' . $key . ', prefix: ' . $identity);
    // NOTE(review): this only asks whether $identity is registered to $user. If
    // verifyYubikeyID does not also fail for users who have a *different* key on record,
    // a registered user could reach the "continue" path below by submitting an OTP with a
    // foreign prefix — confirm the has-any-key case is handled here or by the caller.
    if (!User_yubikey::verifyYubikeyID($user->id, $identity)) {
        common_log(LOG_DEBUG, 'Yubikey:: User: '******' does not have a Yubikey on record.');
        // Return true because they dont have a yubikey associated and can continue
        return true;
    }
    // Key is on record for this user: the OTP body must verify before login proceeds.
    if ($this->_checkYubikeyOTP($key)) {
        return true;
    } else {
        $action->showForm(_('Yubikey authentication failed.'));
        return false;
    }
}
/**
 * Form-validation callback: verify a Yubikey OTP against the Yubico service.
 *
 * On success the key's public identity (the ModHex prefix of the OTP) is
 * returned, presumably so the caller receives it as the validated value —
 * confirm against the framework's callback contract. On failure a validation
 * message carrying the service's reason is set and false is returned.
 *
 * @param string $otp raw OTP as submitted by the user
 * @return string|false the OTP prefix on success, false otherwise
 */
function validate_otp ($otp)
{
    $this->load->library('Auth_Yubico', array());
    // Third constructor argument appears to select HTTPS for the validation request —
    // confirm against the Auth_Yubico version in use.
    $client = new Auth_Yubico(config_item('auth_yubico_id'), config_item('auth_yubico_key'), true);

    $verdict = $client->verify($otp);
    if ($verdict !== true) {
        // Anything but boolean true is treated as an error object carrying ->message.
        $this->form_validation->set_message('validate_otp', 'Yubikey OTP is not valid. (' . $verdict->message . ')');
        return false;
    }

    // Break OTP Into Parts, then hand back the ModHex prefix (the key's public id).
    $fields = $client->parsePasswordOTP($otp);
    return element('prefix', $fields);
}
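require_once '/opt/Auth_Yubico-2.3/Yubico.php';
require_once './yubi_functions.php';

## configuration
## NOTE(review): api_key is a shared secret. For anything beyond this local test
## harness it should come from the environment or a config file kept out of version control.
$config = array(
    'api_id'  => '1',
    'api_key' => '2l0alAfbbfG1R8Da77Ypig==',
    'api_url' => 'localhost:88/cgi-bin/yubiverify2.0.tcl',
);

## create and configure Auth_Yubico class
## The constructor's HTTPS option is left at its default here, so the validation
## request goes over plain HTTP — fine for localhost, not for a remote validator.
$yubi = new Auth_Yubico($config['api_id'], $config['api_key']);
## setURLpart() replaces the server list with this single URL. The previous extra
## addURLpart() call with the same URL registered it twice, causing two identical
## verification requests per OTP; one registration is what 'api_url' (singular) intends.
$yubi->setURLpart($config['api_url']);

## get input from somewhere
$input = 'ehc.d.kndcyccpckkgygeninyjpjkuiceuiducggbdtp';
echo "input: {$input}\n";

## un-dvorak input
if (!($input = normalize_modhex($input))) {
    die("cannot find keymap\n");
}

## check yubikey token aka public identity
if (($parsed_otp = $yubi->parsePasswordOTP($input)) === false) {
    die("invalid OTP\n");
}
## strict comparison: the prefix is a string and must match exactly
if ($parsed_otp['prefix'] !== 'djiehevlhiti') { ## this check is usually done via database
    die("invalid yubikey user\n");
}

## verify OTP
$verify = $yubi->verify($input, null, true);
if (PEAR::isError($verify)) {
    ## A PEAR_Error cannot be interpolated into a string (no __toString), so the
    ## old unconditional "verify: {$verify}" echo crashed on every failed verification
    ## before the failure branch was reached. Print its message explicitly instead.
    echo "verify: " . $verify->getMessage() . "\n";
    echo "==[ auth failed ]==\n" . $yubi->_response . "\n";
} else {
    ## on success verify() returns true, which prints as "1"
    echo "verify: {$verify}\n";
    echo "==[ success ]==\n";
}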
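/**
 * Form-validation callback: authenticate a Yubikey OTP as a second factor.
 *
 * Flow: parse the OTP locally, look its public identity (the ModHex prefix) up
 * in auth_mf_yubikey, and only then ask the Yubico service to verify it, so an
 * unlinked key never triggers an external request. On success a session is
 * created for the linked profile and an auth_success event is logged.
 *
 * The unconditional shortcut that accepted any OTP equal to the literal string
 * 'override' without verification has been removed: it let anyone who knew that
 * string skip the second factor entirely.
 *
 * @param string $otp raw OTP as submitted by the user
 * @return bool true when the OTP verified and the linked profile is an employee;
 *              false otherwise, with a form_validation message set
 */
function validateYubikey ($otp)
{
    $this->load->library('Auth_Yubico', array());
    $this->load->config('auth');
    $yubico = new Auth_Yubico(config_item('auth_yubico_id'), config_item('auth_yubico_key'), true);

    // Break OTP Into Parts. parsePasswordOTP yields false for malformed input;
    // reject that here rather than querying the database with a bogus ykid.
    $parts = $yubico->parsePasswordOTP($otp);
    if (!is_array($parts)) {
        $this->form_validation->set_message('validateYubikey', 'Yubikey not linked to user account.');
        return false;
    }

    // Decode ModHex Prefix to YKID
    $ykid = element('prefix', $parts);

    // Query DB for exsistence
    // NOTE: Does not check if key has permissions currently.
    $data = $this->db->limit(1)->get_where('auth_mf_yubikey', array('ykid' => $ykid));
    // Return False if Key Not Found
    if ($data->num_rows() !== 1) {
        $this->form_validation->set_message('validateYubikey', 'Yubikey not linked to user account.');
        return false;
    }

    // If Key Found, Validate with Yubico. verify() returns boolean true on success;
    // anything else is treated as an error object carrying ->message.
    $response = $yubico->verify($otp);
    if ($response !== true) {
        $this->form_validation->set_message('validateYubikey', 'Yubico declined key (' . $response->message . ').');
        $this->event->log('auth_failure_mf_yubikey', false, array('error' => $response->message));
        return false;
    }

    $pid = $data->row()->pid;
    $profile = $this->profile->get($pid);
    if ($profile->exists() !== true) {
        $this->form_validation->set_message('validateYubikey', 'Could not find profile. (' . $pid . ')');
        return false;
    }
    if (!$profile->is_employee()) {
        $this->form_validation->set_message('validateYubikey', $profile->name->full . ' is not an employee.');
        return false;
    }

    // Verified OTP, linked key, employee profile: open the session and record the success.
    $this->acl->create_session($pid);
    $this->event->log('auth_success', $pid);
    return true;
}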
$key = $_REQUEST["key"]; $passwordkey = $_REQUEST["passwordkey"]; # Quit early on no input if (!$key && !$passwordkey) { $authenticated = -1; return; } # Prepare passwordkey using password and key variables if ($password && $key && !$passwordkey) { $passwordkey = $password . ':' . $key; } # Convert passwordkey fields into password + key variables if ($passwordkey) { $ret = Auth_Yubico::parsePasswordOTP($passwordkey); } else { $ret = Auth_Yubico::parsePasswordOTP($key); } if (!$ret) { $authenticated = 31; return; } $identity = $ret['prefix']; $key = $ret['otp']; # Check OTP $yubi = new Auth_Yubico($CFG[__CLIENT_ID__], $CFG[__CLIENT_KEY__]); $auth = $yubi->verify($key); if (PEAR::isError($auth)) { $authenticated = 1; return; } else { $authenticated = 0;