14.2.1.2.20. Yubikey Token
class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)
    The Yubikey token in the Yubico AES mode.
classmethod api_endpoint(request, g)
    Function to be plugged into the API endpoint /ttype/yubikey, which is defined in api/ttype.py.
    The endpoint /ttype/yubikey serves Yubico validate requests according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html
    Parameters:
        request – The Flask request
        g – The Flask global object g
    Returns: Flask Response or text
    Required query parameters:
        id – the id of the client, used to look up the correct shared secret
        otp – the OTP produced by the Yubikey in Yubico (AES) mode
        nonce – 16 to 40 bytes of random data
    The optional parameters h, timestamp, sl and timeout are not supported at the moment.
check_otp(anOtpVal, counter=None, window=None, options=None)
    Validate the token against a given OTP value.
    Parameters:
        anOtpVal (string) – the OTP value to be verified
        counter (int) – the counter state. Not used by the Yubikey, because the current counter value is sent encrypted inside the OTP value
        window (int) – the counter + window. Not used by the Yubikey either: since the current counter value is sent encrypted inside the OTP, a simple comparison between the counter value decrypted from the OTP and the stored counter value suffices
        options (dict) – dict that may contain token-specific info
    Returns: the counter state, or an error code (< 0):
        -1 if the OTP is old (counter < stored counter)
        -2 if the private_uid sent in the OTP is wrong (differs from the one stored with the token)
        -3 if the CRC verification fails
    Return type: int
check_otp_exist(otp, window=None)
    Checks whether the given OTP value belongs to this very token. This is used for autoassignment and to determine the serial number of a token.
static check_yubikey_pass(passw)
    If the token has a PIN set, the user must also enter the PIN for authentication!
    This checks the output of a Yubikey in AES mode without the serial number being provided. The first 12 (of 44) or 16 (of 48) characters are the token id, which is stored in the tokeninfo yubikey.tokenid or the prefix yubikey.prefix.
    Parameters: passw (string) – the password, consisting of the static Yubikey prefix and the OTP
    Returns: True/False and the User object of the token owner
    Return type: dict
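The check that check_otp and check_yubikey_pass describe (split the static prefix from the 32-character AES block, decrypt it, verify the CRC, compare the private uid, then compare the counter), as an added stand-alone example; this is not privacyIDEA's code. It assumes the Yubico OTP block layout (6-byte private uid, 2-byte usage counter whose top bit is the caps-lock trigger flag, 3-byte timestamp, 1-byte session counter, 2 random bytes, 2-byte CRC-16 stored inverted, the block AES-128 encrypted and modhex encoded) and combines the 16-bit usage counter as the high part and the 8-bit session counter as the low byte of the stored counter. A pure-Python AES-128 is included only so that the block runs without third-party packages; use a vetted AES library in production. The key, private uid, public prefix and OTP are constructed. The example rejects an OTP whose counter is not strictly greater than the stored one, since the stored value is the counter of the last accepted OTP.

```python
def _gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    p = 0
    while b:
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def _sbox_entry(x):
    inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)  # multiplicative inverse, 0 -> 0
    s = inv
    for i in range(1, 5):  # affine transform of FIPS-197 section 5.1.1
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
INV_SBOX = [SBOX.index(x) for x in range(256)]

def _round_keys(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state (row r, column c at r + 4*c)."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _shift_rows(s, inv):
    return [s[r + 4 * ((c - r if inv else c + r) % 4)] for c in range(4) for r in range(4)]

def _mix_columns(s, inv):
    m = [14, 11, 13, 9] if inv else [2, 3, 1, 1]  # first matrix row; the other rows are rotations of it
    return [_gmul(s[4 * c], m[-r % 4]) ^ _gmul(s[4 * c + 1], m[(1 - r) % 4])
            ^ _gmul(s[4 * c + 2], m[(2 - r) % 4]) ^ _gmul(s[4 * c + 3], m[(3 - r) % 4])
            for c in range(4) for r in range(4)]

def aes128_encrypt_block(key, block):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = _shift_rows([SBOX[b] for b in s], False)
        s = s if rnd == 10 else _mix_columns(s, False)
        s = [b ^ k for b, k in zip(s, rk[rnd])]
    return bytes(s)

def aes128_decrypt_block(key, block):
    rk = _round_keys(key)
    s = [b ^ k for b, k in zip(block, rk[10])]
    for rnd in range(9, -1, -1):
        s = [INV_SBOX[b] for b in _shift_rows(s, True)]
        s = [b ^ k for b, k in zip(s, rk[rnd])]
        s = s if rnd == 0 else _mix_columns(s, True)
    return bytes(s)

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet

def modhex_decode(text):
    return bytes(MODHEX.index(text[i]) << 4 | MODHEX.index(text[i + 1]) for i in range(0, len(text), 2))

def modhex_encode(data):
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0xF] for b in data)

def crc16(data):  # Yubico CRC-16: poly 0x8408, init 0xFFFF; a valid 16-byte block leaves residue 0xF0B8
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_yubico_otp(aes_key, private_uid, usage_counter, session_counter, timestamp, rnd):
    """What the key itself emits: uid(6) ctr(2) ts(3) use(1) rnd(2) crc(2), AES-ECB, modhex."""
    body = (private_uid + usage_counter.to_bytes(2, "little") + timestamp.to_bytes(3, "little")
            + bytes([session_counter]) + rnd.to_bytes(2, "little"))
    crc = ~crc16(body) & 0xFFFF
    return modhex_encode(aes128_encrypt_block(aes_key, body + crc.to_bytes(2, "little")))

def check_yubico_otp(otp, aes_key, private_uid, stored_counter):
    """New counter to store, or -3 (CRC), -2 (private uid), -1 (replay), as check_otp describes."""
    plain = aes128_decrypt_block(aes_key, modhex_decode(otp[-32:]))  # a 12- or 16-char prefix may precede
    if crc16(plain) != 0xF0B8:
        return -3  # wrong AES key or altered OTP
    if plain[:6] != private_uid:
        return -2
    usage = int.from_bytes(plain[6:8], "little") & 0x7FFF  # top bit flags a caps-lock trigger
    counter = (usage << 8) | plain[11]  # 16-bit usage counter high, 8-bit session counter low
    if counter <= stored_counter:
        return -1  # replay: not newer than the last accepted OTP
    return counter

if __name__ == "__main__":
    KEY, UID = bytes(range(16)), bytes.fromhex("0a0b0c0d0e0f")  # constructed key and private uid
    otp = "vvcccccccccc" + build_yubico_otp(KEY, UID, 5, 2, 0x123456, 0xBEEF)  # constructed 12-char prefix
    print(otp, check_yubico_otp(otp, KEY, UID, 0), check_yubico_otp(otp, KEY, UID, 1282))
```

Run as a script it prints a 44-character OTP, 1282 (usage counter 5, session counter 2) for the first check and -1 when the same OTP is presented again. The CRC check is the only thing that fails for a wrong AES key or an OTP altered in transit, so -3 does not by itself distinguish tampering from a mis-assigned key. Because the check only ever looks at the last 32 characters, the public prefix of 12 or 16 characters can be matched against yubikey.prefix separately, which is what check_yubikey_pass does to find the token.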
static get_class_info(key=None, ret='all')
    Returns a subtree of the token definition.
    Parameters:
        key (string) – subsection identifier
        ret (user defined) – default return value if nothing is found
    Returns: the subsection if key exists, otherwise the user-defined default
    Return type: see above
is_challenge_request(passw, user=None, options=None)
    Checks whether this request triggers a challenge.
    Parameters:
        passw (string) – password, which might be the PIN or PIN+OTP
        user (User object) – the user from the authentication request
        options (dict) – dictionary of additional request parameters
    Returns: True or False
classmethod