You misunderstood the point, I think. Without the udev rules above, the U2F products are not usable by non-root users, which is really bad. E.g., on my Debian desktop, I'm not logged in as the root user in normal context; I'm logged in as the nuxwin user (a normal user without super privileges). Therefore, if I try to register my U2F device through Google Chrome on a site which provides U2F auth, this will not work because by default the device is not readable/writable by users other than root. Hence, the user who puts the USB stick into the USB port of the computer cannot use it... Of course, the udev rules above have to be added once by the root user. Normal users cannot edit udev conffiles. I must point out that the rules were only effective after rebooting. There is surely a way to tell the udev daemon to load them without rebooting, but I've not searched further.
Authenticator support
I don't think I misunderstood.
To summarize what I read: without the rules, only root can use them.
To set up the rules, root is needed.
So one way or another, root is needed at least once to use U2F.
I don't exactly use Linux all day, so I don't really know all the stuff in there.
But why can only root add new hardware? In Windows it didn't ask me to set up anything, and even though I am technically an Admin, I set it up in a way that it needs UAC with a password for ANYTHING that wants permissions, so I should have gotten a prompt, but well, I didn't.
Under Linux (at least Debian), when you put a USB device into the USB port of your computer, there are some udev rules to apply to it (such as permissions). The rules depend on the product type and so on. If the system is not aware of how the permissions must be handled, access to those products is restricted by default. Under Windows, default permissions are surely more relaxed, whatever USB device you use, or the system already has them in its registry and already knows how to handle them. I haven't used Windows since 2005, except when I must deal with HTML/JS tests under MSIE and so on (in that case, I use my wife's laptop)... The problem for Debian is that the device database is not kept up to date... I'm even wondering if by default there is a list for such devices...
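For readers who want to see what such a udev rule looks like, here is an added example; it is not the rule set referred to in the posts above and not part of i-MSCP. The only hard fact in it is Yubico's USB vendor ID (1050); matching on the vendor alone, the group name and the file name are choices of this example.

```udev
# Added example (not the rules referred to in the thread): a udev rule that
# lets the logged-in desktop user talk to Yubico U2F tokens. Install it as
# root, e.g. as /etc/udev/rules.d/70-u2f.rules, then reload the rules.
#
# ATTRS{idVendor}=="1050" is Yubico's USB vendor ID. Matching on the vendor
# only is an assumption of this example; add ATTRS{idProduct}=="..." to
# restrict it to specific models.
#
# TAG+="uaccess" makes systemd-logind grant access to the user of the active
# seat. MODE/GROUP is the fallback on systems without logind: members of the
# Debian "plugdev" group get read/write access to the hidraw node.
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", TAG+="uaccess", MODE="0660", GROUP="plugdev"
```

No reboot is needed to activate a new rules file: as root, run `udevadm control --reload-rules` and then `udevadm trigger` (or simply unplug and re-insert the token). `udevadm info --attribute-walk --name=/dev/hidrawN` lists the attributes of a plugged-in device that a rule can match on, and `ls -l /dev/hidraw*` shows whether the owner, group and mode were applied as intended.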
Well, Debian isn't really kept up to date anyway; PHP 7 has to be pulled from dotdeb, for example (and even they don't have 7.1).
We have deviated a lot. I moved our last posts into a dedicated thread. See "Deviated subject from Authenticator thread (why Debian will not include PHP 7.1 in Debian Stretch)".
Yeah, true. But seriously, thanks for planning to put in U2F. Putting the actual integration into i-MSCP aside, I may be able to help with it.
(I did code some U2F validation stuff [based around Yubico's library] so I can use it on my PHP sites.)
Is it clear enough (YubiKeyAuth plugin configuration file)?
```php
<?php
/**
 * i-MSCP YubiKeyAuth plugin
 *
 * @author Laurent Declercq <l.declercq@nuxwin.com>
 * @copyright (C) 2016 Laurent Declercq <l.declercq@nuxwin.com>
 * @license i-MSCP License <https://www.i-mscp.net/license-agreement.html>
 */

return array(
    // Yubico OTP validation server URLs
    'yubico_api_urls' => array(
        'https://api.yubico.com/wsapi/2.0/verify',
        'https://api2.yubico.com/wsapi/2.0/verify',
        'https://api3.yubico.com/wsapi/2.0/verify',
        'https://api4.yubico.com/wsapi/2.0/verify',
        'https://api5.yubico.com/wsapi/2.0/verify'
    ),

    // Yubico client ID
    // See the README.md file inside the plugin archive to know how to get your Yubico client ID.
    'yubico_client_id' => '',

    // Yubico base64-encoded API key
    // See the README.md file inside the plugin archive to know how to get your Yubico API key.
    'yubico_api_key' => '',

    // Activate 1FA (YubiKey only) authentication mode (default: false)
    //
    // Setting this parameter to TRUE allows authentication using a YubiKey only, without the need to enter any
    // credentials.
    'yubikey_only_auth' => false,

    // Whether or not usage of a YubiKey is mandatory in the authentication process (default: false)
    // Enabling this only makes sense if all users already have a YubiKey associated with their accounts.
    'yubikey_mandatory' => false,

    // How many YubiKeys a user is allowed to associate with his i-MSCP account (default: 3)
    'yubikey_per_user' => 3
);
```
I don't know if you guys check the timestamp (t) of the response, but if so, a tolerance window for that may be helpful, so that (for one reason or another) too-old validations can't be used, but there would be a certain tolerance, e.g. for clock drift and such.
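To make the suggestion concrete, here is an added example of checking a response from one of the validation servers listed in the configuration above, with the timestamp window included. It is written for this thread and is not code from the YubiKeyAuth plugin or from Yubico's library. It assumes the Yubico validation protocol 2.0 response format (key=value lines, with h = base64(HMAC-SHA1(API key, "k1=v1&k2=v2..." over all fields except h, sorted by key)) and that the t field begins with a UTC date-time followed by Z and optional trailing digits; the API key, OTP and nonce in the demonstration are constructed stand-ins. The function names are mine.

```php
<?php
/**
 * Added example, not code from the YubiKeyAuth plugin or Yubico: accepting a
 * wsapi/2.0/verify response only if its signature, status, echoed OTP and
 * nonce, and timestamp all check out. Written for PHP 5.6 or later.
 *
 * Assumptions (mine, not from the thread):
 *  - h = base64(HMAC-SHA1(apiKey, "k1=v1&k2=v2&...")) over every field except h,
 *    sorted by key, values unencoded;
 *  - t has the form YYYY-MM-DDTHH:MM:SS followed by 'Z' and optional trailing
 *    digits (sub-second part), which are ignored here.
 */

/** Parse the key=value lines of a verify response into an associative array. */
function parseYubicoResponse($body)
{
    $fields = array();
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (strpos($line, '=') === false) {
            continue;
        }
        list($k, $v) = explode('=', $line, 2);
        $fields[trim($k)] = trim($v);
    }
    return $fields;
}

/** Build the signed string: all fields except h, sorted by key, joined with '&'. */
function yubicoSigningString(array $fields)
{
    unset($fields['h']);
    ksort($fields, SORT_STRING);
    $pairs = array();
    foreach ($fields as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return implode('&', $pairs);
}

/** Recompute h with the base64-encoded API key and compare in constant time. */
function yubicoSignatureValid(array $fields, $apiKeyBase64)
{
    $key = base64_decode($apiKeyBase64, true);
    if ($key === false || !isset($fields['h'])) {
        return false;
    }
    $expected = base64_encode(hash_hmac('sha1', yubicoSigningString($fields), $key, true));
    return hash_equals($expected, $fields['h']);
}

/**
 * The tolerance window: accept t only if it lies within $toleranceSec of $now
 * (a Unix timestamp). The window absorbs clock drift between this host and the
 * validation server; anything outside it is treated as stale.
 */
function yubicoTimestampFresh($t, $now, $toleranceSec = 60)
{
    if (!preg_match('/^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\d*$/', $t, $m)) {
        return false;
    }
    $ts = DateTime::createFromFormat('Y-m-d\TH:i:s', $m[1], new DateTimeZone('UTC'));
    return $ts !== false && abs($now - $ts->getTimestamp()) <= $toleranceSec;
}

/** Full acceptance test: signature first, then status, OTP/nonce echo, timestamp. */
function yubicoResponseAccepted($body, $apiKeyBase64, $sentOtp, $sentNonce, $now, $toleranceSec = 60)
{
    $f = parseYubicoResponse($body);
    return yubicoSignatureValid($f, $apiKeyBase64)
        && isset($f['status'], $f['otp'], $f['nonce'], $f['t'])
        && $f['status'] === 'OK'
        && hash_equals($sentOtp, $f['otp'])
        && hash_equals($sentNonce, $f['nonce'])
        && yubicoTimestampFresh($f['t'], $now, $toleranceSec);
}

// --- Constructed demonstration data (not real Yubico traffic) ---------------
$apiKey = base64_encode('0123456789abcdef');            // stand-in API key
$otp    = str_repeat('c', 12) . str_repeat('b', 32);    // stand-in 44-char OTP
$nonce  = 'a7f3c2e9d1b04e5f8c6a2d3b9e1f0c4d';           // stand-in client nonce
$fields = array(
    'otp'    => $otp,
    'nonce'  => $nonce,
    'status' => 'OK',
    't'      => gmdate('Y-m-d\TH:i:s') . 'Z0000',
    'sl'     => '100',
);
$fields['h'] = base64_encode(hash_hmac('sha1', yubicoSigningString($fields), base64_decode($apiKey), true));
$body = '';
foreach ($fields as $k => $v) {
    $body .= $k . '=' . $v . "\r\n";
}

// Fresh, correctly signed response that echoes our OTP and nonce.
var_dump(yubicoResponseAccepted($body, $apiKey, $otp, $nonce, time()));
// Same body seen by a host whose clock is one hour off: outside the window.
var_dump(yubicoResponseAccepted($body, $apiKey, $otp, $nonce, time() + 3600));
// Status altered after signing: the recomputed h no longer matches.
var_dump(yubicoResponseAccepted(str_replace('status=OK', 'status=REPLAYED_OTP', $body), $apiKey, $otp, $nonce, time()));
```

The signature is checked before anything else so that a status, OTP or nonce an attacker could have altered in transit is never interpreted. The window size is a policy choice; one minute is generous for NTP-synchronised hosts and small enough to limit how long a captured response stays usable. A real login flow must additionally confirm that the OTP's public identity (its first twelve characters) belongs to the account being authenticated, which this example does not cover.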