How To Do Mass Enrolling Of Yubikey With LinOTP

Want to support HowtoForge? Become a subscriber!
Submitted by cornelinux (Contact Author) (Forums) on Mon, 2013-03-04 17:47. :: Security

How To Do Mass Enrolling Of Yubikey With LinOTP

The Yubikey comes shipped with a secret that can be used to authenticate against the Yubico online service. In many cases this it not acceptable since you wish to control your secret and the authentication process yourself.

The Yubikey also offers the possibility to work as an RFC compliant HOTP token. In a rollout process the secret HMAC key can be written to the Yubikey. To achieve this, Yubico also provides a python module.

LinOTP is a linux based open source authentication server, that supports many different OTP mechanisms like mOTP, TOTP, HOTP, OCRA, SMS, daily passwords and others. When initializing the Yubikey as an HOTP token, you can easily run the Yubikey with LinOTP.

Even since LinOTP 2.4.1 (current version at date of writing 2.5.0), which was already released in november 2011, LinOTP supports the mass enrolling of Yubikeys.


Installing LinOTP server

There are different ways to install the LinOTP server.

LinOTP is a python based web application. So you can install LinOTP from the scratch. All open source packages are published on the Pythen package index, so you can install LinOTP using preferred methods like easy_install or pip.

How to do this can be found here.

There are also deb-packages available either from the Homepage  or from a repository. This shows you how to use the repository to easily install LinOTP. The latest packages in the repository where built with Ubuntu 12.04 LTS.

So now we assume you have installed your LinOTP server, set up your administrator and configured your userstore.


Install the LinOTP admin client

LinOTP also provides an open source admin client, which is a command line client. It has some limit abilities, but it also provides features which the Web UI does not.

You can also install the admin client either using pip or the configured repository.

If you configured the repository installing the admin client is as easy as doing

apt-get install linotpadminclientce 

If you used easy_install or pip, you can install the client from PyPI.

pip install linotpadminclientce

Now you are done.


Enrolling Yubikeys

USB access

Usually your normal user will not have access to write the HMAC key to the Yubikey. You could either run the linotpadm command as root (bad idea) or define a udev rule, so that your console user can access the Yubikey.

Create a file /etc/udev/rules.d/70-yubikey-enrollment.rules:

vi /etc/udev/rules.d/70-yubikey-enrollment.rules

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
ACTION=="add|change", SUBSYSTEM=="usb", \
  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
  TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

(This was taken from yubikey-personalization.)


Enroll Yubikey

Now you can issue the command:

% -U https://localhost -a admin -C yubikey_mass_enroll

Which will give you the output:

Please enter password for 'admin':
Please insert the next yubikey and press enter (x=Exit):
{   u'status': True, u'value': True}
Please insert the next yubikey and press enter (x=Exit): x

You can insert as many Yubikeys as you like to and hit enter. When you are done enrolling all your Yubikeys, just enter 'x'. reads the serial number from the Yubikey and will put this token into the LinOTP token database with the serial YUBI123456 (according to the Yubikey serial number). Thus it is easy to identify, that this HOTP token in fact is a Yubikey.

The Yubikey serial number is printed on its back, so that you can now start assigning tokens to your users.

Happy Authenticating!

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.