16.2.1.2.24. Yubikey Token
- class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)
The Yubikey Token in the Yubico AES mode.
Create a new token object.
- Parameters
db_token (Token) – A database token object
- Returns
A TokenClass object
- classmethod api_endpoint(request, g)
This provides a function to be plugged into the API endpoint /ttype/yubikey which is defined in api/ttype.py
The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html
- Parameters
request – The Flask request
g – The Flask global object g
- Returns
Flask Response or text
Required query parameters
- Query id
The id of the client to identify the correct shared secret
- Query otp
The OTP from the yubikey in the yubikey mode
- Query nonce
16-40 bytes of random data
Optional parameters h, timestamp, sl, timeout are not supported at the moment.
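The request and response side of the validation exchange described above, as an added example that is not privacyIDEA's own code: it checks the three required query parameters (id, otp, nonce, with the 16-40 character nonce rule from the Validation Protocol V2.0 specification), looks up the client's shared secret, and builds and verifies the signed key=value response body the specification defines (h is the base64 HMAC-SHA1 over the remaining fields in alphabetical key order). The function names, the client table and the API key are constructed for this example; the unsupported optional parameters (h, timestamp, sl, timeout) are simply ignored, as the text states.

```python
import base64
import hashlib
import hmac
import re
import time

# Nonce rule from the Validation Protocol V2.0 specification: 16 to 40 alphanumeric characters.
NONCE_RE = re.compile(r"^[0-9A-Za-z]{16,40}$")

# Constructed client table (hypothetical): client id -> base64-encoded shared API key.
CLIENT_KEYS = {"1": base64.b64encode(b"constructed-16-byte-key-0001").decode()}


def parse_validation_request(args, client_keys=CLIENT_KEYS):
    """Check the required query parameters of a validation request.

    Returns (error_status, api_key_bytes). error_status is None when the request is
    well formed; otherwise it is one of the protocol's status words.
    """
    client_id = args.get("id")
    otp = args.get("otp")
    nonce = args.get("nonce")
    if not client_id or not otp or not nonce or not NONCE_RE.match(nonce):
        return "MISSING_PARAMETER", None
    key_b64 = client_keys.get(client_id)
    if key_b64 is None:
        return "NO_SUCH_CLIENT", None
    return None, base64.b64decode(key_b64)


def sign_fields(fields, api_key):
    """HMAC-SHA1 over 'k=v&k=v...' with keys in alphabetical order, h excluded; base64 output."""
    data = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(api_key, data.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def build_response(status, otp, nonce, api_key, t=None):
    """Render the CRLF-separated key=value response body, signature line first."""
    fields = {
        "t": t or time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "otp": otp,
        "nonce": nonce,
        "status": status,
    }
    fields["h"] = sign_fields(fields, api_key)
    order = ["h", "t", "otp", "nonce", "status"]
    return "".join(f"{k}={fields[k]}\r\n" for k in order)


def verify_response(body, api_key, expected_otp, expected_nonce):
    """Client-side check: the signature must verify and otp/nonce must echo the request,
    otherwise a response could be replayed or swapped between requests."""
    fields = {}
    for line in body.split("\r\n"):
        if "=" in line:
            k, v = line.split("=", 1)  # base64 padding '=' stays in the value
            fields[k] = v
    if fields.get("otp") != expected_otp or fields.get("nonce") != expected_nonce:
        return False
    return hmac.compare_digest(fields.get("h", ""), sign_fields(fields, api_key))


if __name__ == "__main__":
    err, key = parse_validation_request({"id": "1", "otp": "c" * 44, "nonce": "a" * 16})
    body = build_response("OK", "c" * 44, "a" * 16, key)
    print(body)
    print("client verification:", verify_response(body, key, "c" * 44, "a" * 16))
```

The client-side `verify_response` is the part practitioners most often skip: without checking h, otp and nonce against the request that was sent, an attacker positioned between client and validation server could substitute an "OK" answer.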
- check_otp(anOtpVal, counter=None, window=None, options=None)
Validate the token OTP against a given OTP value.
- Parameters
anOtpVal (string) – the OTP value to be verified
counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value
window (int) – the counter + window. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP, so the decrypted counter value can simply be compared with the stored counter value
options (dict) – the dict, which could contain token specific info
- Returns
the counter state or an error code (< 0): -1 if the OTP is old (counter < stored counter), -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token), -3 if the CRC verification fails
- Return type
int
- check_otp_exist(otp, window=None)
Checks whether the given OTP value belongs to this very token. This is used to autoassign and to determine the serial number of a token.
- static check_yubikey_pass(passw)
If the token has a PIN set, the user must also enter the PIN for authentication!
This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 (of 48) characters are the tokenid, which is stored in the tokeninfo yubikey.tokenid or the prefix yubikey.prefix.
- Parameters
passw (string) – The password that consists of the static yubikey prefix and the otp
- Returns
True/False and the User-Object of the token owner
- Return type
dict
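The two checks documented above, check_otp's return codes and check_yubikey_pass's prefix split, as one added example that is not privacyIDEA's own code. It splits the 44- or 48-character output into the public prefix and the modhex ciphertext, identifies the token by that prefix, decodes the ciphertext, and applies the three checks to the decrypted 16-byte block in the Yubico AES-mode layout (6-byte private uid, 16-bit use counter, 3-byte timestamp, session counter, random bytes, CRC-16). Assumptions: AES-128 decryption with the token's secret key is supplied by the caller as a callable, and the test uses an identity stand-in for it; the combined counter is use counter shifted by 8 bits plus the session counter, and an equal counter is treated as old too, because it is a replayed OTP; `build_block` is a constructed test-vector builder standing in for what the device does in hardware. All function names and sample values are constructed for this example.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico modhex alphabet: character index = nibble value
CRC_OK_RESIDUE = 0xF0B8       # CRC-16 of a 16-byte block whose trailing CRC field is correct


def modhex_decode(text):
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not a modhex string")
    nib = [MODHEX.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nib[::2], nib[1::2]))


def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)


def split_otp(passw):
    """Split the Yubikey output into (public prefix, modhex ciphertext): 12 of 44 or 16 of 48 chars."""
    if len(passw) == 44:
        return passw[:12], passw[12:]
    if len(passw) == 48:
        return passw[:16], passw[16:]
    raise ValueError("Yubikey AES-mode output is 44 or 48 characters long")


def crc16(data):
    """CRC-16 as used by Yubico: reflected polynomial 0x8408, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def check_decrypted_block(block, stored_uid, stored_counter):
    """Apply the checks check_otp documents to a decrypted 16-byte block.

    Returns the new counter state, or -3 (CRC fails), -2 (private uid differs),
    -1 (counter not newer than the stored one; an equal counter means a replayed OTP).
    """
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUE:
        return -3
    if block[0:6] != stored_uid:
        return -2
    use_counter = struct.unpack_from("<H", block, 6)[0] & 0x7FFF  # bit 15 is a flag, not count
    session_use = block[11]
    counter = (use_counter << 8) | session_use  # assumed combined counter (see lead-in)
    if counter <= stored_counter:
        return -1
    return counter


def check_yubikey_pass(passw, token_store, decrypt_block):
    """Identify the token by its prefix, then validate. Returns (ok, counter_or_error_code)."""
    prefix, ciphertext = split_otp(passw)
    token = token_store.get(prefix)
    if token is None:
        return False, None
    block = decrypt_block(modhex_decode(ciphertext))  # AES-128 decrypt with the token key
    result = check_decrypted_block(block, token["uid"], token["counter"])
    if result < 0:
        return False, result
    token["counter"] = result  # persist the new high-water mark so the same OTP is rejected next time
    return True, result


def build_block(uid, use_counter, session_use, timestamp=0, rnd=0):
    """Constructed test-vector builder: the plaintext block as the device assembles it.
    The trailing field is the complemented CRC-16 of the first 14 bytes, little-endian."""
    body = (uid + struct.pack("<H", use_counter) + timestamp.to_bytes(3, "little")
            + bytes([session_use]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


if __name__ == "__main__":
    uid = bytes.fromhex("0123456789ab")                    # constructed private uid
    store = {"c" * 12: {"uid": uid, "counter": 0}}        # constructed token record
    otp = "c" * 12 + modhex_encode(build_block(uid, 5, 2))
    print(check_yubikey_pass(otp, store, lambda ct: ct))   # identity stands in for AES decryption
    print(check_yubikey_pass(otp, store, lambda ct: ct))   # second use: replay, rejected with -1
```

The order of the checks matters for a defender: a block that fails the CRC is garbage (wrong key or corrupted input) and is rejected before its uid or counter is even looked at, and the counter is only persisted after every check has passed.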
- static get_class_info(key=None, ret='all')
Returns a subtree of the token definition
- Parameters
key (string) – subsection identifier
ret (user defined) – default return value, if nothing is found
- Returns
subsection if key exists or user defined
- Return type
see above
- is_challenge_request(passw, user=None, options=None)
This method checks whether this request triggers a challenge.
- Parameters
passw (string) – password, which might be pin or pin+otp
user (User object) – The user from the authentication request
options (dict) – dictionary of additional request parameters
- Returns
true or false