sshimko/otp.txt

## otp.txt
In Yubikey tool:

1. Click OATH+HOTP tab

2. Click Advanced

3. Deselect token identifier.

4. Press Generate to create a new random seed.

5. Press the Write Configuration button to store the seed on the yubikey

6. Now, we need to convert the 20 byte that the yubi tool needs to the base 32 that FreeIPA (actually otpauth:// URIs need):
6a. Select all of the content the Secret Key field in the yubi app and copy it.

6b. At a command-line, run this replacing the hex string parameter with the hex string you just copied out of the yubi tool. Note: copying and pasting the following into a terminal may result in incorrect quotes being present leading to syntax errors. Check the quotes to ensure the double quotes are simply vertical quotes.
python -c 'import base64 as base64;print(base64.b32encode(base64.b16decode("0a 0b 0c 0d 0e 0f 01 08 0c 04 08 0e 06 0d 06 03 05 01 0b 08".upper().replace(" ",""))).decode("ascii"))'

6c. Have the resulting string output available for the next steps.

In FreeIPA web UI, logged in as an administrator (by default unprivileged users can't do this):

0. Goto -> Authentication -> OTP Tokens. Click Add.

1. Select Counter-Based (HOTP) a unique ID (username-HOTP).

2. In the “Key” field enter the base 32 encoding of the Yubikey tool’s 20 hex byte field (see python command above)

3. Set the appropriate user as the Owner.

4. Optional: save QR code for use in auth app. This isn’t that useful for HOTP, as the yubikey and other device will not have counters in-sync.

5. Click Add.

6. Go to the specified user in IPA GUI and change their User Authentication Type to Two Factor auth. Ensure that Two Factor auth is the only checkbox selected and save the change.

7. Have the user test it.
	In Yubikey tool:

	1. Click OATH+HOTP tab

	2. Click Advanced

	3. Deselect token identifier.

	4. Press Generate to create a new random seed.

	5. Press the Write Configuration button to store the seed on the yubikey

	6. Now, we need to convert the 20 byte that the yubi tool needs to the base 32 that FreeIPA (actually otpauth:// URIs need):
	6a. Select all of the content the Secret Key field in the yubi app and copy it.

	6b. At a command-line, run this replacing the hex string parameter with the hex string you just copied out of the yubi tool. Note: copying and pasting the following into a terminal may result in incorrect quotes being present leading to syntax errors. Check the quotes to ensure the double quotes are simply vertical quotes.
	python -c 'import base64 as base64;print(base64.b32encode(base64.b16decode("0a 0b 0c 0d 0e 0f 01 08 0c 04 08 0e 06 0d 06 03 05 01 0b 08".upper().replace(" ",""))).decode("ascii"))'

	6c. Have the resulting string output available for the next steps.

	In FreeIPA web UI, logged in as an administrator (by default unprivileged users can't do this):

	0. Goto -> Authentication -> OTP Tokens. Click Add.

	1. Select Counter-Based (HOTP) a unique ID (username-HOTP).

	2. In the “Key” field enter the base 32 encoding of the Yubikey tool’s 20 hex byte field (see python command above)

	3. Set the appropriate user as the Owner.

	4. Optional: save QR code for use in auth app. This isn’t that useful for HOTP, as the yubikey and other device will not have counters in-sync.

	5. Click Add.

	6. Go to the specified user in IPA GUI and change their User Authentication Type to Two Factor auth. Ensure that Two Factor auth is the only checkbox selected and save the change.

	7. Have the user test it.