Authenticator support
-
- in progress
- UncleSam
- Thread is marked as Resolved.
-
-
Right now, my TODO list for the YubiKeyAuth plugin is as follow:
- Make the administrator able to setup the plugin through settings interface instead of having to edit plugin configuration file.
- Make use of Yubico OTP validation servers optional by allowing the administrator to setup his own OTP validation server(s).
- Add backup codes feature, allowing user to bypass 2FA in case of stolen key or whatever reason is. For instance: https://support.google.com/accounts/answer/1187538?hl=en
-
-
well I dunno how the authentication in imscp works under the hood but if you are doing multiple 2FA options, the backup keys should be essentially be a "global" solution (works with any 2FA a user sets up).
Own OTP Servers arent bad, but limited because they cannot really work with the standard YubiOTP which gets shipped but needs to be loaded with custom parameters which have to be agreed upon with the OTP server (that's where symmetrical crypto gets slightly annoying.)
-
-
-
The Yubico OTP protocol itself is open, but it relies on symmetrical keys, and the problem is that you wont have the keys that yubico shipped the yibus with. so you can add a yibico otp config with your own secrets and stuff onto the key but without doing that you dont have the needed data to decrypt the OTP.
pretty similar to the fact that AES is open, but you wont be getting anything decrypted without the key.
-
So why this? https://developers.yubico.com/…Cloud_Validation_Servers/
I'm a bit lost now. WIll give a try so. -
-
because you can set up yubiOTP Protocol with your own keys and if you have a setup where you use your keys and dont want to upload them into yubicloud you can make your own server.
this is a problem that U2F doesnt have, because it's an asymmetic concept where no private data has to be exchanged.
Yubikey OTP is a bit of a funny concept:the "Yubico Server" would be in that case whatever server wants to check the OTPs.
Thr Problem is that the "User AES Key" on this graphic is something that can only be obtained by setting up a Yubico OTP with your own keys and then uploading those to the validation server like this https://upload.yubico.com/ (only the AES key as well as the public and private Identity are relevant)the AES key is essentially used to decrypt the encrypted OTP and in the OTP there is essentially the counter and the Private ID which get checked against what the server knows.
so you can use your own "identity" of a yubikey with your own server but you wont be able to use the identities loaded on the keys by default with your own servers because the keys cant be extracted.
-
-
-
welll if the OTP Server has an interface for users uploading their keys or the users are szplied the keys through the company it would be possible but yeah in general it would be a lot less useful.
-
Hello.
Attached u can find the german translation!
@Nuxwin please review it!
EDIT:
Please have an look at this post for full german translation file: Authenticator support
Best regards.
-