YubikeyU2F + Ubuntu1604 + VMware


diogenco...@gmail.com

Mar 14, 2017, 10:57:40 AM
to privacyidea
I'm using privacyIDEA 2.17 installed on a virtual machine (under ESXi 5.5) running Ubuntu 16.04.

The software tokens work perfectly: connecting to a Cisco firewall using AnyConnect and querying the privacy IDEA server using freeRADIUS.

Now, I wanted to try the hardware options. Cornelius has a nice video on YouTube showing how to enroll a U2F USB key
My understanding is the privacyIDEA runs in this demonstration on a physical laptop, i.e. NOT a virtual machine.

Here is my question: how do I accomplish the same with privacyIDEA running virtual?
I believe the problem is passing the U2F key to the VM.

I did two things trying to accomplish this:
- installed the 70-u2f.rules file
- edited the VMX file of the VM adding usb.generic.allowHID = "TRUE" at the end.

I can see the U2F key attached to the host. I can pass it to the VM.
But when trying to enroll the key - default realm, default resolver, /etc/passwd account - I get a popup that says
'NoneType' object has no attribute 'strip' 

Anybody tried this? Made it work? Any pointers.

Thanks.

diogenco...@gmail.com

Mar 14, 2017, 11:33:49 AM
to privacyidea
OK.
After posting I saw the other U2F question posted (and answered) by Darren.

Same problem - error message - and how to fix it.

It does work in my case as well - the error message goes away.

BUT, the system ALWAYS times out, i.e. pressing the key (or re-plugging it) is not detected by the VM.
Hence, the U2F Yubikey does not get enrolled...

Any comments?

Thanks.

Jochen Hein

Mar 14, 2017, 12:27:50 PM
to diogenco...@gmail.com, privacyidea
diogenco...@gmail.com writes:

> I can see the U2F key attached to the host. I can pass it to the VM.

I don't think it's required to pass the token to the server-VM.

> But when trying to enroll the key - default realm, default resolver,
> /etc/passwd account - I get a popup that says
> *'NoneType' object has no attribute 'strip' *

Can you look for the backtrace in /var/log/privacyidea.log? There should
be some hints where to look.

Jochen

--
This space is intentionally left blank.

diogenco...@gmail.com

Mar 14, 2017, 2:38:07 PM
to privacyidea, diogenco...@gmail.com
> I don't think it's required to pass the token to the server-VM.

I think it has to be done once, the first time, to get enrolled.
Later it can be un-assigned, re-assigned, etc.
And authentication will be performed by using any USB port on any computer...

> Can you look for the backtrace in /var/log/privacyidea.log? There should
> be some hints where to look.

That error message is no more, after I followed Darren's advice and pointed the URL to the server...

But timeouts don't go away...

Cornelius Kölbel

Mar 15, 2017, 6:21:20 AM
to privacyidea, diogenco...@gmail.com
U2F is supposed to work with your browser.
Thus: Do not connect it to the VM but to your local browser.

Don't use U2F. It will not work with AnyConnect by design.
If you want to use hardware get a yubikey and use HOTP or Yubico Mode.

Kind regards
Cornelius

diogenco...@gmail.com

Mar 15, 2017, 10:20:36 AM
to privacyidea, diogenco...@gmail.com
Thanks, Cornelius.

RE: Enrollment
I must be missing something... The U2F Yubikey has to be in the list of available tokens on the privacyIDEA server before it can be used.
Are you saying the browser (on the desktop, with the key attached) will pass the required information and add the key to the database?

RE: AnyConnect & hardware keys
Are you saying that U2F - as a protocol - works only with browsers?
Or is it the limitation of the privacyIDEA server implementation of the protocol?

I do have the exact same (by the looks of it) YubiKey shown in your video. Bought at Amazon

Thanks again.

Cornelius Kölbel

Mar 15, 2017, 12:02:24 PM
to privacyidea, diogenco...@gmail.com
On Wednesday, 15 March 2017 15:20:36 UTC+1, diogenco...@gmail.com wrote:
> Thanks, Cornelius.
>
> RE: Enrollment
> I must be missing something... The U2F Yubikey has to be in the list of available tokens on the privacyIDEA server before it can be used.
> Are you saying the browser (on the desktop, with the key attached) will pass the required information and add the key to the database?

Yes.

> RE: AnyConnect & hardware keys
> Are you saying that U2F - as a protocol - works only with browsers?

Yes. It is designed for the web. It **could** run with other applications. No standard. Probably not AnyConnect!

> Or is it the limitation of the privacyIDEA server implementation of the protocol?

No limitation of privacyIDEA.

Kind regards
Cornelius

diogenco...@gmail.com

Mar 16, 2017, 9:33:23 AM
to privacyidea, diogenco...@gmail.com
Thank you very much, Cornelius!

It worked!
No fiddling with the server side, just sitting at the desktop...

Too bad I can't use it with AnyConnect, but TOTP software tokens will do for now.
And will get other Yubikeys to try...

Thanks again.

{Can be closed}