14.2.1.2.25. Yubikey Token
- class edumfa.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)
The Yubikey Token in the Yubico AES mode
Create a new token object.
- Parameters:
db_token (Token) – A database token object
- Returns:
A TokenClass object
- classmethod api_endpoint(request, g)
This provides a function to be plugged into the API endpoint /ttype/yubikey which is defined in api/ttype.py
The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html
- Parameters:
request – The Flask request
g – The Flask global object g
- Returns:
Flask Response or text
Required query parameters
- Query id:
The id of the client to identify the correct shared secret
- Query otp:
The OTP from the yubikey in the yubikey mode
- Query nonce:
16-40 bytes of random data
Optional parameters h, timestamp, sl, timeout are not supported at the moment.
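The validation exchange described above, written out as an added Python example (not eduMFA's own code): it checks the three required query parameters of a /ttype/yubikey request, signs a response the way Validation Protocol V2.0 specifies (HMAC-SHA1 over the key=value pairs sorted by key and joined with "&", base64-encoded, keyed with the client's base64-decoded shared secret), and verifies such a response on the client side, where the h signature together with the echoed otp and nonce is what protects the client from a forged or substituted answer. The client id, the shared secret, the sl value and the timestamp are constructed for the example; eduMFA's own request parsing and status handling are not shown.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed client registration for this example: a client id and its
# base64-encoded shared secret, as a validation server would store them.
CLIENT_ID = "1"
CLIENT_SECRET_B64 = base64.b64encode(b"constructed-example-secret-bytes").decode()


def sign_fields(secret_b64: str, fields: dict) -> str:
    """HMAC-SHA1 over 'key=value' pairs sorted by key and joined with '&'.
    The signature field 'h' itself is never part of the signed string."""
    key = base64.b64decode(secret_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    digest = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def check_request(params: dict) -> Optional[str]:
    """Server side: return the error status for a malformed request, else None.
    Required parameters per the page: id, otp, nonce (nonce is 16-40 chars)."""
    for name in ("id", "otp", "nonce"):
        if not params.get(name):
            return "MISSING_PARAMETER"
    if not 16 <= len(params["nonce"]) <= 40:
        return "MISSING_PARAMETER"
    if params["id"] != CLIENT_ID:
        return "NO_SUCH_CLIENT"
    return None


def build_response(secret_b64: str, otp: str, nonce: str, status: str, t: str) -> str:
    """Server side: echo otp and nonce, add timestamp and status, then sign.
    'sl' (sync level) is a constructed placeholder value here."""
    fields = {"otp": otp, "nonce": nonce, "t": t, "status": status, "sl": "100"}
    fields["h"] = sign_fields(secret_b64, fields)
    return "".join(f"{k}={v}\r\n" for k, v in fields.items())


def verify_response(secret_b64: str, text: str, sent_otp: str, sent_nonce: str) -> Optional[str]:
    """Client side: parse the key=value lines, check the signature in constant
    time, and make sure the answer belongs to our request (same otp and nonce).
    Returns the status string, or None if the response must not be trusted."""
    fields = {}
    for line in text.split("\r\n"):
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k] = v
    expected = sign_fields(secret_b64, fields)
    if not hmac.compare_digest(expected, fields.get("h", "")):
        return None
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return None
    return fields.get("status")


if __name__ == "__main__":
    otp, nonce = "cccccccccccb" + "c" * 32, "0123456789abcdef"   # constructed
    resp = build_response(CLIENT_SECRET_B64, otp, nonce, "OK", "2024-01-01T00:00:00Z0000")
    print(resp)
    print("client verdict:", verify_response(CLIENT_SECRET_B64, resp, otp, nonce))
```

Because the signature covers every field except h, changing the status line of a captured response (for instance OK to REPLAYED_OTP or back) invalidates h, and reusing a genuine response for a different request fails the nonce comparison.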
- check_otp(anOtpVal, counter=None, window=None, options=None)
validate the token otp against a given otpvalue
- Parameters:
anOtpVal (string) – the OTP value to be verified
counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value
window (int) – the counter +window, which is not used in the Yubikey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value
options (dict) – the dict, which could contain token specific info
- Returns:
the counter state or an error code (< 0):
-1 if the OTP is old (counter < stored counter)
-2 if the private_uid sent in the OTP is wrong (different from the one stored with the token)
-3 if the CRC verification fails
- Return type:
int
- check_otp_exist(otp, window=None)
Checks whether the given OTP value belongs to this very token. This is used for autoassignment and to determine the serial number of a token.
- static check_yubikey_pass(passw)
If the token has a PIN set, the user must also enter the PIN for authentication!
This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 (of 48) characters are the tokenid, which is stored in the tokeninfo yubikey.tokenid or the prefix yubikey.prefix.
- Parameters:
passw (string) – The password that consists of the static yubikey prefix and the OTP
- Returns:
True/False and the User-Object of the token owner
- Return type:
dict
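The two checks described in check_otp and check_yubikey_pass, as an added Python example that is not eduMFA's code: the password is split into PIN, public prefix (the 12 of 44 or 16 of 48 characters in front of the 32-character AES block) and modhex ciphertext; the decrypted 16-byte block is then checked in the order CRC, private uid, counter, returning the same -3/-2/-1 codes the page lists or the new counter on success. AES-128 decryption of the block with the token's key is assumed to have already happened and is not shown (it needs a crypto library); the field layout of the plaintext (6-byte private uid, 16-bit little-endian use counter, 24-bit timestamp, 8-bit session-use counter, 16-bit random, 16-bit CRC) follows Yubico's published OTP format, and combining the two counters as use_counter << 8 | session_use is this example's assumption, not something the page states. Because the stored counter is that of the last accepted OTP, the example treats an equal counter as a replay (rejects counter <= stored), which is slightly stricter than the page's "counter < stored counter" wording. make_plain_block is a constructed test helper standing in for the Yubikey itself.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"   # Yubico modhex alphabet: the value of a char is its index
CRC_RESIDUE = 0xF0B8          # CRC-16 register value over a valid 16-byte block (CRC included)


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string (two chars per byte) into bytes."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_yubikey_pass(passw: str, pin_len: int = 0):
    """Return (pin, public_prefix, ciphertext_modhex).  The last 32 characters
    are the encrypted block; the public prefix (token id) is what is left in
    front of it once the PIN has been removed: 12 (of 44) or 16 (of 48) chars."""
    body = passw[pin_len:]
    if len(body) - 32 not in (12, 16):
        raise ValueError("unexpected OTP length")
    return passw[:pin_len], body[:-32], body[-32:]


def yubico_crc16(data: bytes) -> int:
    """CRC-16, reflected polynomial 0x8408, initial value 0xFFFF (Yubico's variant)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def make_plain_block(uid: bytes, use_counter: int, session_use: int,
                     timestamp: int = 0, rnd: int = 0) -> bytes:
    """Constructed helper: build the 16-byte plaintext a Yubikey would encrypt.
    The CRC field is the complemented CRC of the first 14 bytes, little-endian,
    so that the CRC over all 16 bytes yields the fixed residue 0xF0B8."""
    payload = (uid + use_counter.to_bytes(2, "little") + timestamp.to_bytes(3, "little")
               + bytes([session_use]) + rnd.to_bytes(2, "little"))
    crc = yubico_crc16(payload) ^ 0xFFFF
    return payload + crc.to_bytes(2, "little")


def check_otp_block(plain: bytes, stored_uid: bytes, stored_counter: int) -> int:
    """Validate a decrypted block; returns the new counter or -1/-2/-3 as in check_otp."""
    if len(plain) != 16 or yubico_crc16(plain) != CRC_RESIDUE:
        return -3                                   # CRC verification failed
    if not hmac.compare_digest(plain[:6], stored_uid):
        return -2                                   # private uid does not match
    use_counter = int.from_bytes(plain[6:8], "little") & 0x7FFF   # bit 15 is the caps-lock flag
    counter = use_counter << 8 | plain[11]          # assumed combination of the two counters
    if counter <= stored_counter:
        return -1                                   # old or replayed OTP
    return counter


if __name__ == "__main__":
    uid = bytes.fromhex("0123456789ab")             # constructed private uid
    pin, prefix, ct = split_yubikey_pass("1234" + "cccccccccccb" + "c" * 32, pin_len=4)
    print("pin:", pin, "prefix:", prefix, "cipher bytes:", modhex_decode(ct).hex())
    block = make_plain_block(uid, use_counter=5, session_use=2, timestamp=0x010203, rnd=0xBEEF)
    print("fresh OTP:", check_otp_block(block, uid, stored_counter=1281))
    print("replayed OTP:", check_otp_block(block, uid, stored_counter=1282))
```

The CRC check runs first because it is the cheapest way to detect that the block was decrypted with the wrong key or was tampered with; only a structurally valid block then has its uid and counter compared.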
- static get_class_info(key=None, ret='all')
returns a subtree of the token definition
- Parameters:
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns:
subsection if key exists or user defined
- Return type:
s.o.
- is_challenge_request(passw, user=None, options=None)
This method checks whether this is a request that triggers a challenge.
- Parameters:
passw (string) – password, which might be pin or pin+otp
user (User object) – The user from the authentication request
options (dict) – dictionary of additional request parameters
- Returns:
true or false