Yubikey Configuration


NewUsr

Jul 4, 2012, 7:03:26 AM
to rcdevs-t...@googlegroups.com
I am trying to configure OpenOTP with Yubikey (v2.2) without success. I see that my default Yubikey OTP is 44 characters and the only way I seem to be able to complete registration is by using first 32 characters (manually delete the last 12 characters). Even after that test login fails (Yubikey Private ID and Token should be stored as Base64, not Hex; right?)

Am I supposed to configure Yubikeys with their configuration tool to ensure its OTP is compatible with OpenOTP?

Please help, as I could not find any documentation regarding this on either Yubico or RCDEVS sites.

Administrators

Jul 4, 2012, 7:26:28 AM
to RCDevs Security Solutions - Technical
In the 44 hex chars you have a secret key and a private ID.
Yubikey secret is 32 hex chars (16 bytes) and the private ID is 12 hex
chars (6 bytes).

You need both pieces of information to register the Yubikey in OpenOTP.

In the OpenOTP Token registration form, you choose Yubikey as Token
Type.
You enter the 32 hex chars secret in the Token Key. And you enter the
12 hex chars in the Private ID.
Your Yubikey setup software should provide indications on what is the
private ID part of the 44 hex chars.

NewUsr

Jul 4, 2012, 8:50:05 AM
to rcdevs-t...@googlegroups.com
Thank you for your quick response.

I can successfully register the Yubikey as per your suggested method, but "Test user Login" does not authenticate using Yubikey 44 character OTP password.

I changed the Login Mode to LDAP and it successfully authenticated the user. However, OTP mode does not work (Result:Failure, Message:Invalid username or password)

NewUsr

Jul 4, 2012, 10:31:26 AM
to rcdevs-t...@googlegroups.com
Can you please reconfirm that:

1. Yubikey works out-of-the-box with OpenOTP server without any need for configuration (using tools provided by Yubico)

2. "Hex" needs to be selected in registration form and not "Base32" or "Base64"

Administrators

Jul 4, 2012, 11:25:43 AM
to RCDevs Security Solutions - Technical
- Registration is Hex.
- OpenOTP needs to receive Yubikey OTP of 32 hex chars long. If your
yubikey generates 44 chars OTPs, it's because it prepends the OTP with
an identity ID. Maybe you need to configure the Yubikey not to send
the identity with the OTP.

I'll see if we can put a feature in the next OpenOTP release to
truncate the prepended extra chars from the OTP if longer than 32...

Administrators

Jul 4, 2012, 11:45:40 AM
to RCDevs Security Solutions - Technical
After checking, OpenOTP already truncates the prepended public ID.
That should work out-of-the-box.
What do you see in /opt/webadm/logs/soapd.log?

NewUsr

Jul 4, 2012, 11:55:37 AM
to rcdevs-t...@googlegroups.com
It seems the new version of Yubikey by default sends a very different OTP compared to earlier version.

For example, the OTP is not hex characters. I see lowercase a-z and it is always 44 chars in length.

In soapd.log I see: 

[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] New openotpLogin SOAP request
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] > Username: testing
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] > Domain: Default
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] > OTP Password: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] > Client ID: OpenOTP
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Registered openotpLogin request
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Found LDAP user: cn=testing,o=Root
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Locked user account
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Found user settings: LoginMode=OTP,OTPType=TOKEN,OTPLength=6,ChallengeMode=1,Cha$
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Found user data: TokenType,TokenKey,TokenState,TokenID,LoginCount
[Wed Jul 04 21:14:11 2012] [127.0.0.1] [OpenOTP_A5295378] Wrong YUBIKEY password
[Wed Jul 04 21:14:13 2012] [127.0.0.1] [OpenOTP_A5295378] Sent failure response

Administrators

Jul 4, 2012, 12:01:21 PM
to RCDevs Security Solutions - Technical
Yes my mistake: Yubikey OTP is called "modhex". It is not hex - that's
normal.
It's the registration which is hex.

NewUsr

Jul 5, 2012, 1:49:23 AM
to rcdevs-t...@googlegroups.com
Based on the soapd.log details, can you provide any clues on what may be going wrong?

Administrators

Jul 5, 2012, 4:36:53 AM
to RCDevs Security Solutions - Technical
If the registration is wrong or settings are wrong there will be some
useful details.
But I suppose here it will just say the OTP password is wrong.
In this case you should look at the Yubikey setup.

- It must be Yubikey and NOT OATH.
- It must be setup with a private ID (OpenOTP requires it).
- Better have the Yubikey not send the public ID with the OTP.

NewUsr

Jul 11, 2012, 5:47:16 AM
to rcdevs-t...@googlegroups.com
My set-up is compliant with your first and third point. Regarding the second point (private ID), I have some questions.

Does OpenOTP provide Yubikey validation by forwarding requests to Yubicloud service; or does it directly authenticate through the Yubikey Private ID added during device registration?

If you directly authenticate, then the Yubikey must be configured to use its Slot 2 to create a new profile for OpenOTP validation, correct? I did not find this in documentation, and have been using the standard configuration (Slot 1: configured to work with Yubicloud), which may explain why it does not work?

Administrators

Jul 11, 2012, 8:31:17 AM
to RCDevs Security Solutions - Technical
OpenOTP does the authentication itself based on the registered secret
key and private ID. It does not use Yubicloud services.
And we force using the private ID because it brings an additional
layer of security to the Yubikey authentication process.

You should be able to setup your Yubikey to have its primary slot
configured for use with OpenOTP too.
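The pieces the thread has established (a 44-char modhex OTP is a 12-char public ID followed by a 32-char encrypted token; registration takes a 32-hex-char secret and a 12-hex-char private ID; the server validates locally against that private ID rather than via YubiCloud) as an added worked example in Go. This is not code from RCDevs/OpenOTP or from Yubico; it implements the published Yubico OTP token layout (AES-128 block, CRC-16 residue 0xf0b8, use and session counters), and it goes a little beyond the thread by also checking the CRC and rejecting replayed counters. The secret key, private ID and public ID values are constructed, the function and field names are mine, and the replay-state handling is one reasonable server design, not a statement of how OpenOTP stores its counters.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Modhex alphabet (keyboard-layout safe); a character's index is its nibble value.
const modhexAlphabet = "cbdefghijklnrtuv"

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		idx := strings.IndexByte(modhexAlphabet, s[i])
		if idx < 0 || len(s)%2 != 0 {
			return nil, fmt.Errorf("modhex: invalid input %q", s)
		}
		out[i/2] = out[i/2]<<4 | byte(idx) // high nibble first
	}
	return out, nil
}

// CRC-16 (reflected poly 0x8408, init 0xffff); over all 16 plaintext bytes of a valid token it yields 0xf0b8.
func yubicoCRC16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // xor in the polynomial when the LSB was set
		}
	}
	return crc
}

type registeredToken struct {
	SecretKey, PrivateID []byte
	LastUse              uint16 // plaintext bytes 6-7: increments at each power-up
	LastSession          uint8  // plaintext byte 11: increments per OTP within a power-up
}

// newRegisteredToken takes the values typed into the registration form: hex, not Base32/Base64.
func newRegisteredToken(secretHex, privateIDHex string) (*registeredToken, error) {
	key, errKey := hex.DecodeString(secretHex)
	uid, errUID := hex.DecodeString(privateIDHex)
	if errKey != nil || errUID != nil || len(key) != 16 || len(uid) != 6 {
		return nil, fmt.Errorf("registration needs a 32-hex-char secret and a 12-hex-char private ID")
	}
	return &registeredToken{SecretKey: key, PrivateID: uid}, nil
}

// verifyOTP takes a bare 32-char token or a 44-char OTP (12-char public ID prefix); the last 32 modhex chars are the encrypted block.
func verifyOTP(tok *registeredToken, otp string) (use uint16, session uint8, err error) {
	if len(otp) < 32 {
		return 0, 0, fmt.Errorf("otp: too short (%d chars)", len(otp))
	}
	pt, err := modhexDecode(otp[len(otp)-32:])
	if err != nil {
		return 0, 0, err
	}
	block, _ := aes.NewCipher(tok.SecretKey) // key length was checked at registration
	block.Decrypt(pt, pt)                    // a single AES-128 block, decrypted in place
	if yubicoCRC16(pt) != 0xf0b8 {
		return 0, 0, fmt.Errorf("crc mismatch: wrong secret key or corrupted OTP")
	}
	if string(pt[:6]) != string(tok.PrivateID) {
		return 0, 0, fmt.Errorf("private ID mismatch: key programmed for another identity")
	}
	use, session = binary.LittleEndian.Uint16(pt[6:8]), pt[11]
	if use < tok.LastUse || (use == tok.LastUse && session <= tok.LastSession) {
		return 0, 0, fmt.Errorf("replay: counters not newer than the last accepted OTP")
	}
	tok.LastUse, tok.LastSession = use, session // advance replay state only on success
	return use, session, nil
}

// makeOTP builds a token the way the key firmware does, so the example runs offline on constructed key material.
func makeOTP(tok *registeredToken, publicID string, use uint16, session uint8) string {
	pt := make([]byte, 16)
	copy(pt[:6], tok.PrivateID)
	binary.LittleEndian.PutUint16(pt[6:8], use)
	pt[8], pt[9], pt[10], pt[11] = 0x01, 0x02, 0x03, session // arbitrary 24-bit timestamp, session use
	binary.LittleEndian.PutUint16(pt[14:16], ^yubicoCRC16(pt[:14]))
	block, _ := aes.NewCipher(tok.SecretKey)
	block.Encrypt(pt, pt)
	out := []byte(publicID)
	for _, x := range pt {
		out = append(out, modhexAlphabet[x>>4], modhexAlphabet[x&0x0f])
	}
	return string(out)
}

func main() {
	tok, _ := newRegisteredToken("000102030405060708090a0b0c0d0e0f", "a1b2c3d4e5f6") // constructed values
	use, session, err := verifyOTP(tok, makeOTP(tok, "ccccccbcgujh", 3, 1))
	fmt.Printf("use=%d session=%d err=%v\n", use, session, err)
}
```

Two details worth noticing against the log in the thread: the server never needs the public ID to decrypt, which is why a 44-char OTP and a bare 32-char one verify the same way once the prefix is dropped, and a token produced under a different secret key fails at the CRC check before the private ID is even compared, which surfaces simply as a wrong password from the outside.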

NewUsr

Jul 11, 2012, 12:12:35 PM
to rcdevs-t...@googlegroups.com
Thanks. Programmed Yubikey through Personalization Tool and it works now!!