Re: Using YubiKey for accounts.fedoraproject.org OTP?

On 27. 09. 21 17:48, Kevin Fenzi wrote:
> On Mon, Sep 27, 2021 at 04:28:03PM +0200, Miro Hrončok wrote:
>> On 27. 09. 21 16:07, Pierre-Yves Chibon wrote:
>>> On Mon, Sep 27, 2021 at 03:27:43PM +0200, Miro Hrončok wrote:
>>>> Hello,
>>>>
>>>> I've been trying to add the OTP token from accounts.fedoraproject.org to my
>>>> yubikey. I get a QR code and an otpauth://totp/username?secret=xxx URI.
>>>>
>>>> I copypasted the xxx secret (56 characters: digits and uppercase letters)
>>>> and tried to add it via YubiKey Manager GUI via Applications/OTP as
>>>> OATH-HOTP (6 digits).
>>>>
>>>> I get "Failed to configure Long Touch (Slot 2). undefined" error.
>>>>
>>>> When I tried to use the CLI:
>>>>
>>>>       $ ykman otp hotp -d 6 -c 0 2 xxx
>>>>
>>>> I get "Error: key lengths >20 bytes not supported".
>>>>
>>>> Is there a way to use YubiKey for accounts.fedoraproject.org OTP, or is the
>>>> device not compatible?
>>>
>>> You may want to check: https://github.com/fedora-infra/noggin/issues/202
>>
>> Thanks. From that ticket I am not quite sure what the status actually is and
>> what the next steps are. Should I post my failed experiment there?
>
> My understanding: IPA supports yubikey HOTP, but noggin (the web
> frontend) does not. So, it's not supported currently. You must use TOTP.
> :(
>
> I'll poke that ticket and see if we can move forward tho.

Indeed. With help from bachradsusi/plautrba on IRC, I was able to do:

$ ykman oath add -o TOTP -d 6 -t accounts.fedoraproject.org <secret>

And now I can do:

$ ykman oath code accounts.fedoraproject.org
Touch your YubiKey...
accounts.fedoraproject.org  123456

Which is nice, however originally I wanted to be able to just touch the device to insert the code as if it was typed on my keyboard. That seems to work with my other HOTP-token based auth, but not with Fedora's TOTP one.

So this seems to boil down to HOTP support in Noggin.

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
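
Added example, not part of the original message and not Fedora's or Yubico's code: a small Python check that parses an otpauth:// URI, decodes the base32 secret, and compares the key length with the 20-byte limit from the ykman error above (a 56-character base32 secret decodes to 35 bytes), then computes HOTP/TOTP per RFC 4226 and RFC 6238. The sample URI, the dummy key and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

SLOT_KEY_LIMIT = 20  # bytes; taken from the ykman error quoted in the thread

# Constructed sample: a 35-byte dummy key, which base32-encodes to 56 characters
# (the secret length reported in the thread). Not a real credential.
SAMPLE_URI = ("otpauth://totp/username?secret="
              + base64.b32encode(bytes(range(35))).decode())

def parse_otpauth(uri):
    """Return (otp_type, key_bytes, digits, period) from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = parse_qs(u.query)
    secret = q["secret"][0].replace(" ", "").upper()
    secret += "=" * (-len(secret) % 8)          # restore stripped base32 padding
    key = base64.b32decode(secret)
    digits = int(q.get("digits", ["6"])[0])
    period = int(q.get("period", ["30"])[0])
    return u.netloc, key, digits, period

def fits_otp_slot(key):
    """True if the key is short enough for the slot-based HOTP configuration."""
    return len(key) <= SLOT_KEY_LIMIT

def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, period=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, int(unix_time) // period, digits)

if __name__ == "__main__":
    import time
    kind, key, digits, period = parse_otpauth(SAMPLE_URI)
    print(f"type={kind} key={len(key)} bytes fits_slot={fits_otp_slot(key)}")
    print("current code:", totp(key, time.time(), period, digits))
```

Because TOTP derives its counter from the clock, the token needs the host to supply the current time, which is why the code is fetched with `ykman oath code` instead of being typed out on touch.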