Last week I ordered my own OTP token, a YubiKey. A possible alternative is SweKey, but after lots of reading on both sites I came across their Security Evaluation. In the end I just found YubiKey friendlier.
So it arrived just a few days after I ordered it, despite their statement that it is sent from the US; it was in fact sent from the UK. I have just finished setting up my token with two-factor authentication for SSH access, and it works really well.
It actually supports any two of the three authentication mechanisms:
- Standard YubiKey 44-character one-time passcode.
- OATH 6- or 8-digit one-time password.
- 1-44 character static passcode.
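To make the 44-character OTP format concrete, here is an added example (my own code, not the post's or Yubico's) showing what a validation backend does with such an OTP: split off the 12-character public identity, ModHex-decode it, and, after AES-128 decryption of the remaining 32 characters, check the CRC-16 residue and the session counters so a replayed OTP is rejected. The AES step needs the key the Personalization Tool programmed into the token and a crypto library, so it is left out here and the decrypted 16-byte block is constructed by hand; the ModHex alphabet, the field layout and the 0xF0B8 residue are the documented YubiKey format.

```python
"""Added example: parse and sanity-check a YubiKey OTP as a validation backend does.

OTP = 44 ModHex characters: 12 chars public identity (6 bytes) followed by
32 chars (16 bytes) of AES-128 ciphertext. The decrypted block used below is
constructed in build_block(); real decryption with the token's AES key is assumed.
"""
import struct

MODHEX = "cbdefghijklnrtuv"   # ModHex digit at index i encodes hex nibble i
CRC_OK_RESIDUE = 0xF0B8       # crc16 over the 16-byte block *including* its CRC
OTP_LEN, PUBLIC_ID_LEN = 44, 12


def modhex_decode(s: str) -> bytes:
    """Decode a ModHex string; raises ValueError on any other character."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp: str):
    """Return (public_id, ciphertext) for a well-formed 44-character OTP."""
    otp = otp.strip().lower()          # CapsLock can upper-case the typed OTP
    if len(otp) != OTP_LEN:
        raise ValueError("OTP must be %d characters, got %d" % (OTP_LEN, len(otp)))
    return modhex_decode(otp[:PUBLIC_ID_LEN]), modhex_decode(otp[PUBLIC_ID_LEN:])


def crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey: reflected poly 0x8408, init 0xFFFF, no xorout."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(block: bytes) -> dict:
    """Split a decrypted 16-byte block into its fields after verifying the CRC."""
    if len(block) != 16:
        raise ValueError("decrypted block must be 16 bytes")
    if crc16(block) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    uid, ctr, ts_lo, ts_hi, use, rnd, _crc = struct.unpack("<6sHHBBHH", block)
    return {
        "private_uid": uid,
        "session_counter": ctr & 0x7FFF,      # top bit only flags a CapsLock trigger
        "timestamp": ts_lo | (ts_hi << 16),   # 24-bit 8 Hz counter since power-up
        "session_use": use,
        "random": rnd,
    }


def build_block(uid: bytes, counter: int, timestamp: int, use: int, rnd: int) -> bytes:
    """Constructed plaintext block, laid out as the token forms it before AES."""
    body = struct.pack("<6sHHBBH", uid, counter, timestamp & 0xFFFF,
                       (timestamp >> 16) & 0xFF, use, rnd)
    # The token stores the complemented CRC, little-endian, as the last 2 bytes.
    return body + struct.pack("<H", (~crc16(body)) & 0xFFFF)


class ReplayState:
    """Last accepted (session counter, session use) per public id."""

    def __init__(self):
        self.last = {}

    def accept(self, public_id: bytes, fields: dict) -> bool:
        """Accept only an OTP whose counters are strictly newer than the last seen."""
        seen = (fields["session_counter"], fields["session_use"])
        if seen <= self.last.get(public_id, (-1, -1)):
            return False
        self.last[public_id] = seen
        return True


if __name__ == "__main__":
    public_id, _ct = split_otp("cccccccccccb" + "c" * 32)   # constructed OTP string
    block = build_block(b"\x01\x02\x03\x04\x05\x06", 7, 0x123456, 1, 0xBEEF)
    state = ReplayState()
    print(public_id.hex(), parse_token(block), state.accept(public_id, parse_token(block)))
```

The two checks after decryption are what make the OTP self-validating for a backend: a wrong AES key or a corrupted string fails the CRC, and a captured OTP fails the counter comparison because the token never emits the same (counter, use) pair twice.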
Reading about OATH and remembering that I have actually never seen it used anywhere made the decision quite quick: I just need to set up a static passcode, just in case. Watching the video here was quite beneficial and made it quite easy to use their Personalization Tool.
So I kept pressing and kept looking at the generated OTP tokens… they look really neat:
and so forth.
So now to the interesting bit: using YubiKey OTP for SSH authentication. The necessary "generation of some binary data" for my system was nicely described here; I just used the latest software versions.
So logging in by SSH with an OTP token works pretty nicely. But I also wanted two-factor authentication with it. Some changes to PAM, as described here, sorted this last issue.
The next stage is then to use this in my OpenID configuration, as my OpenID provider Community-ID gives me YubiKey support. Which is even neater.
Setting up an SSL VPN with OpenVPN from Linux to Windows is just easy-peasy!
Here you can find the necessary information on what is required to set up your own CA on Windows; it can create the necessary client keys as well. Configuring OpenVPN on Linux (Ubuntu) cannot be easier: just stick in the certificates, that's it. The only issue I had was that LZO needed to be enabled. In addition it also supports network-only routing, i.e. the default gateway on the client is not changed. That's handy.
I couldn't get it set up on my N900 yet… *g
I did not give up on OpenID. It is just too bad that it doesn't work.
Long story short:
- I got a proper SSL certificate for www.preissler.co.uk, where my actual OpenID provider is sitting.
- ModSecurity got in the way, quite nasty.
So. It is working now, seriously, like a dream. All the issues I had with WordPress and Slashdot and others… hang on, actually I have not found any site where it is not working.
OK. Next stop: YubiKey, OTP with PIN.
I had good intentions. I wanted to make my own password life easier and more comfortable. The foundation would have been OpenID, at a later stage with YubiKey as an OTP generator.
But OpenID is not ready yet.
I installed my own authentication server / identity provider, Community-ID; this worked so far. Authenticating from WordPress using my OpenID didn't work; WordPress always reported something like "no valid endpoint". Wha? After some time I realized that some sites actually work with my OpenID, i.e. https://www.preissler.co.uk/openid/identity/thomas, and some just don't.
So I then set up an OpenID delegation on http://openid.preissler.co.uk, pointing to my own authentication server. Sounds crazy, but it has the benefit that I could just swap the OpenID backend and that's it.
Trying it with WordPress again, and after fiddling for a long time with the actual server URL in combination with Community-ID and delegation, I managed to get it working.
Sort of. At least the error message is different. Now it is "OpenID authentication failed: Server denied check_authentication". Checking the internet a bit showed that this is some sort of recurring problem and has to do with the underlying OpenID PHP libraries / system libraries.
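The delegation set-up from the previous paragraphs and the "no valid endpoint" error both come down to HTML-based OpenID discovery: a relying party fetches the page at the claimed identifier and looks for `<link>` tags in its `<head>` naming the provider endpoint and the identity the provider actually knows. Below is an added example (my own code, not the post's or Community-ID's) that performs that discovery on a constructed delegation page for openid.preissler.co.uk; the long identity URL is the one from the post, while the provider endpoint `https://provider.example/openid/server` is a placeholder, since the post does not state it.

```python
"""Added example: HTML-based OpenID discovery as a relying party performs it.

OpenID 1.1 uses <link rel="openid.server"> (endpoint) and rel="openid.delegate"
(identity known to the provider); OpenID 2.0 uses rel="openid2.provider" and
rel="openid2.local_id". A page with neither yields "no valid endpoint".
"""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed delegation page; the provider endpoint URL is a placeholder.
DELEGATION_PAGE = """<html><head>
<title>Thomas' OpenID</title>
<link rel="openid.server" href="https://provider.example/openid/server">
<link rel="openid.delegate" href="https://www.preissler.co.uk/openid/identity/thomas">
<link rel="openid2.provider" href="https://provider.example/openid/server">
<link rel="openid2.local_id" href="https://www.preissler.co.uk/openid/identity/thomas">
</head><body>OpenID delegation for openid.preissler.co.uk</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect rel -> href for <link> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.links = {}
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        if tag == "link" and self.in_head and a.get("href"):
            for rel in (a.get("rel") or "").lower().split():
                self.links.setdefault(rel, a["href"])   # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html: str, claimed_id: str) -> dict:
    """Return the endpoint and the identity to send to it, preferring OpenID 2.0."""
    c = _LinkCollector()
    c.feed(html)
    absolute = lambda href: urljoin(claimed_id, href)   # tolerate relative hrefs
    if "openid2.provider" in c.links:
        return {"version": 2,
                "endpoint": absolute(c.links["openid2.provider"]),
                "claimed_id": claimed_id,
                "local_id": absolute(c.links.get("openid2.local_id", claimed_id))}
    if "openid.server" in c.links:
        return {"version": 1,
                "endpoint": absolute(c.links["openid.server"]),
                "claimed_id": claimed_id,
                "local_id": absolute(c.links.get("openid.delegate", claimed_id))}
    raise ValueError("no valid endpoint: no OpenID <link> tags found in <head>")


if __name__ == "__main__":
    print(discover(DELEGATION_PAGE, "http://openid.preissler.co.uk/"))
```

The endpoint found here must be exactly the URL the provider signs its assertions for; a mismatch between the delegation page and what the provider considers its server URL is the kind of thing that produced the different error messages described above.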
One funny thing at the end: I used my OpenID for the first time on Slashdot, when it was still the long https://www.preissler…/identity/thomas URL. And some people on the internet are just saying "OpenID on Slashdot is just broken". Even my shorter and nicer OpenID doesn't work on there; just the error message is different.
I have to give up here. Incompatibilities, different implementations and such just don't make it really enjoyable. The other thing is that, whilst looking and testing, I found there are not that many sites supporting it.
So I am just going to drop this. What is left is YubiKey: you could actually use OTPs on some websites, but without OpenID?