@sshimko
Last active January 9, 2024 23:25
Yubikey + FreeIPA Manual Setup
In the Yubikey tool (the Yubikey Personalization Tool):
1. Click OATH+HOTP tab
2. Click Advanced
3. Deselect the token identifier.
4. Press Generate to create a new random seed.
5. Press the Write Configuration button to store the seed on the Yubikey.
6. Now, we need to convert the 20 hex bytes that the Yubikey tool uses into the base32 encoding that FreeIPA (or rather, otpauth:// URIs) needs:
6a. Select all of the content of the Secret Key field in the Yubikey app and copy it.
6b. At a command line, run the following, replacing the hex string parameter with the hex string you just copied out of the Yubikey tool. Note: copying and pasting the following into a terminal may result in incorrect quotes being present, leading to syntax errors. Check the quotes to ensure the double quotes are plain vertical quotes.
python -c 'import base64 as base64;print(base64.b32encode(base64.b16decode("0a 0b 0c 0d 0e 0f 01 08 0c 04 08 0e 06 0d 06 03 05 01 0b 08".upper().replace(" ",""))).decode("ascii"))'
6c. Have the resulting string output available for the next steps.
In the FreeIPA web UI, logged in as an administrator (by default, unprivileged users can't do this):
0. Go to Authentication -> OTP Tokens. Click Add.
1. Select Counter-Based (HOTP) and enter a unique ID (username-HOTP).
2. In the "Key" field enter the base32 encoding of the Yubikey tool's 20 hex byte field (see the python command above).
3. Set the appropriate user as the Owner.
4. Optional: save the QR code for use in an auth app. This isn't that useful for HOTP, as the Yubikey and the other device will not have their counters in sync.
5. Click Add.
6. Go to the specified user in IPA GUI and change their User Authentication Type to Two Factor auth. Ensure that Two Factor auth is the only checkbox selected and save the change.
7. Have the user test it.
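As an added worked example (not part of the gist), the following Python script wraps the step 6b hex-to-base32 conversion in a function that also checks the seed really is 20 bytes, and implements RFC 4226 HOTP so you can see why a Yubikey programmed with a non-zero moving factor (the problem that comes up later in the comments) produces a first code that a freshly enrolled token will not accept. The look-ahead window of 10 and the assumption that the server starts a new token's counter at 0 are illustrative assumptions, not FreeIPA's documented settings; the sample hex seed is the constructed value from the gist's one-liner, and the second secret is the RFC 4226 test vector.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the same 20 hex bytes used in the gist's one-liner,
# formatted the way the Yubikey tool's Secret Key field displays them.
YUBI_SECRET_HEX = "0a 0b 0c 0d 0e 0f 01 08 0c 04 08 0e 06 0d 06 03 05 01 0b 08"

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), used to
# check the HOTP implementation against the RFC's published values.
RFC4226_SECRET = b"12345678901234567890"


def hex_seed_to_base32(hex_seed):
    """Turn the space-separated hex seed from the Yubikey tool into the base32
    string that FreeIPA's "Key" field (and otpauth:// URIs) expect. Rejects
    anything that is not exactly 20 bytes, the HMAC-SHA1 key size the Yubikey
    tool generates, so a partial copy/paste fails here instead of at login."""
    raw = bytes.fromhex(hex_seed.replace(" ", ""))
    if len(raw) != 20:
        raise ValueError("expected a 20-byte seed, got %d bytes" % len(raw))
    return base64.b32encode(raw).decode("ascii")


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret, server_counter, submitted, window=10):
    """Server-side check with a look-ahead window (the window size is an
    illustrative assumption, not FreeIPA's real setting). Returns the new
    server counter on success and None on failure. The comparison is
    constant-time so timing does not reveal which candidate matched."""
    for candidate in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate + 1
    return None


def first_press_accepted(secret, moving_factor, window=10):
    """Simulate the first button press of a Yubikey whose HOTP moving factor
    (initial counter) was set to `moving_factor`, against a token the server
    has just enrolled with its counter at 0 (assumed starting value)."""
    return verify_hotp(secret, 0, hotp(secret, moving_factor), window) is not None


if __name__ == "__main__":
    print("FreeIPA Key field:", hex_seed_to_base32(YUBI_SECRET_HEX))
    for mf in (0, 1, 5000):
        print("moving factor %5d -> first code accepted: %s"
              % (mf, first_press_accepted(RFC4226_SECRET, mf)))
```

A moving factor of 0 or 1 lands inside the server's look-ahead window, so the first press is accepted and the server counter moves forward; a large moving factor puts the key thousands of steps ahead of the server, and every code it produces is rejected even though the secret is correct.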
sshimko (Author) commented Sep 21, 2018

This gist provides basic guidance in configuring Yubico's Yubikeys for use with FreeIPA and maybe Red Hat's Identity Manager (though I haven't used it).

While there is an IPA plugin for configuring Yubikey's for IPA, it requires the admin to have physical access to the IPA server as the Yubikeys need to be inserted into the IPA host during the provisioning process. Additionally, I was never successful in using USB pass-through with ESXi with the Yubikey's HID features. The instructions in this Gist allow you to configure Yubikeys remotely without physical access.

@CameronNemo

Thanks!

goldyfruit commented Oct 18, 2019

The Python command works only with Python 2.7, not Python 3.x.
And the key is only available as administrator not as a simple user.

Thanks for the guide!!

sshimko (Author) commented Oct 18, 2019

@goldyfruit thanks. I updated the gist to reflect the need for admin privs and modified the python command to behave the same in both python 2 and 3.

@goldyfruit

> @goldyfruit thanks. I updated the gist to reflect the need for admin privs and modified the python command to behave the same in both python 2 and 3.

👍

sshimko (Author) commented Jan 27, 2020

Step six for the yubi tool mentions a 20 byte value and the Secret Key field. There is only one of those :) I will clarify that it is for the personalization tool though because there are a number of tools and it is helpful to know which one is needed.

I did not describe fields whose default values are appropriate, such as the SHA value, as opposed to fields that must be changed from their default value, like the token identifier.

Screenshots like you posted would have been helpful from the outset. I didn't even think about it since I pretty much copy/paste a brain dump from a text file in a git repo ;) I'll have to add some next time I run through the process.

Thanks for the feedback!

EsWees commented May 6, 2020

I did a few tests with my YubiKey and OTP. For some reason the OTP is not working from the HOTP but works with the FreeOTP app.
[Screenshot from 2020-05-07 00-23-58]
[Screenshot from 2020-05-06 15-31-00]
@sshimko could you please show me what I did wrong?

sshimko (Author) commented May 6, 2020

@EsWees your moving factor is non-zero. I don't think IPA has a way to set a custom value for the moving factor. Try zero or one and give it another shot.

EsWees commented May 7, 2020

> @EsWees your moving factor is non-zero. I don't think IPA has a way to set a custom value for the moving factor. Try zero or one and give it another shot.

Thank you a lot. It works.
[Screenshot from 2020-05-07 11-21-53]

zhanko73 commented Jan 9, 2024

For me it keeps asking for the first and then the second factor. But this is not the biggest issue. The key generates numbers that are actually keystrokes. If 0 is actually the ö (Hungarian) character, or anything else you configure for the keyboard, then it may not work. I changed back to the UK layout but it still does not accept the second factor.
Also, the first slot may have a special role, so when choosing a slot the second is suggested to be selected. As far as I know the second slot is available with a longer touch (1.5-2 secs).
