13.2.1.2.20. Yubikey Token

class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)
    The Yubikey Token in the Yubico AES mode

    classmethod api_endpoint(request, g)
        This provides a function to be plugged into the API endpoint /ttype/yubikey, which is defined in api/ttype.py.
        The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html
        Parameters:
        - request – The Flask request
        - g – The Flask global object g
        Returns: Flask Response or text
        Required query parameters:
        - id: The id of the client, used to identify the correct shared secret
        - otp: The OTP from the yubikey in the yubikey mode
        - nonce: 16-40 bytes of random data
        Optional parameters h, timestamp, sl, timeout are not supported at the moment.
    check_otp(*args, **kwds)
        Validate the token OTP against a given OTP value.
        Parameters:
        - anOtpVal (string) – the OTP value to be verified
        - counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value
        - window (int) – the counter + window, which is not used by the Yubikey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value
        - options (dict) – the dict, which could contain token specific info
        Returns: the counter state or an error code (< 0):
        - -1 if the OTP is old (counter < stored counter)
        - -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token)
        - -3 if the CRC verification fails
        Return type: int
    check_otp_exist(*args, **kwds)
        Checks if the given OTP value is a value of this very token. This is used for autoassignment and to determine the serial number of a token.
    static check_yubikey_pass(passw)
        If the token has a PIN set, the user must also enter the PIN for authentication!
        This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 (of 48) characters are the tokenid, which is stored in the tokeninfo.
        Parameters: passw (string) – The password that consists of the static yubikey prefix and the otp
        Returns: True/False and the User-Object of the token owner
        Return type: dict
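A worked illustration of the checks described for check_otp and check_yubikey_pass above: splitting the key's output into the tokenid prefix and the OTP body, then applying the CRC, private uid and counter checks with the same return codes to an already AES-decrypted 16-byte OTP block. This is an added example, not privacyIDEA's own code; the AES decryption of the body with the token's secret key is left out, and combining Yubico's session counter and session-use byte into one counter value is an assumption of this example (the names split_otp, modhex_decode, yubico_crc16, build_plain_block and check_decrypted_otp are made up for it).

```python
# Constructed example (not privacyIDEA code): the checks behind check_otp, run on
# an already AES-decrypted 16-byte Yubico OTP block; the AES step is omitted.
MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe alphabet
HEX = "0123456789abcdef"
CRC_OK_RESIDUE = 0xF0B8  # CRC over all 16 bytes of a valid block

def split_otp(passw):
    """Split yubikey output into the 12/16-char tokenid prefix and the 32-char OTP body."""
    if len(passw) not in (44, 48):
        raise ValueError("yubikey AES-mode output is 44 or 48 characters")
    return passw[:-32], passw[-32:]

def modhex_decode(text):
    """Decode modhex (what the key types) into raw bytes."""
    return bytes.fromhex("".join(HEX[MODHEX.index(ch)] for ch in text))

def yubico_crc16(data):
    """CRC-16, poly 0x8408 (reflected 0x1021), init 0xFFFF, as used in the OTP block."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def build_plain_block(private_uid, session_counter, session_use,
                      tstamp=0x010203, rnd=0x1234):
    """Constructed helper: assemble a plaintext block with a valid CRC."""
    body = (private_uid + session_counter.to_bytes(2, "little")
            + tstamp.to_bytes(3, "little") + bytes([session_use]) + rnd.to_bytes(2, "little"))
    crc = (~yubico_crc16(body)) & 0xFFFF  # stored inverted, little-endian
    return body + crc.to_bytes(2, "little")

def check_decrypted_otp(plain, stored_private_uid, stored_counter):
    """Return the new counter, or the error codes check_otp documents:
    -3 CRC failure, -2 private uid mismatch, -1 old (or replayed) counter."""
    if len(plain) != 16 or yubico_crc16(plain) != CRC_OK_RESIDUE:
        return -3
    if plain[0:6] != stored_private_uid:
        return -2
    session_counter = int.from_bytes(plain[6:8], "little")  # power-up counter
    session_use = plain[11]  # OTPs generated since power-up
    # Assumption for this example: the two counters are combined into one value
    # so that a single comparison against the stored counter suffices.
    counter = session_counter * 256 + session_use
    if counter <= stored_counter:  # equal counter is a replay, also rejected
        return -1
    return counter
```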
    static get_class_info(*args, **kwds)
        Returns a subtree of the token definition.
        Parameters:
        - key (string) – subsection identifier
        - ret (user defined) – default return value, if nothing is found
        Returns: subsection if key exists, otherwise the user defined default
        Return type: see above
    is_challenge_request(*args, **kwds)
        This method checks if this is a request that triggers a challenge.
        Parameters:
        - passw (string) – password, which might be pin or pin+otp
        - user (User object) – The user from the authentication request
        - options (dict) – dictionary of additional request parameters
        Returns: true or false
-
classmethod