13.2.1.2.20. Yubikey Token

class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)[source]

The Yubikey Token in the Yubico AES mode

classmethod api_endpoint(request, g)[source]

This provides a function to be plugged into the API endpoint /ttype/yubikey which is defined in api/ttype.py

The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html

Parameters:
  • request – The Flask request
  • g – The Flask global object g
Returns:

Flask Response or text

Required query parameters

Query id:The id of the client to identify the correct shared secret
Query otp:The OTP from the yubikey in the yubikey mode
Query nonce:16-40 bytes of random data

Optional parameters h, timestamp, sl, timeout are not supported at the moment.

check_otp(*args, **kwds)[source]

validate the token otp against a given otpvalue

Parameters:
  • anOtpVal (string) – the to be verified otpvalue
  • counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value
  • window (int) – the counter +window, which is not used in the Yubikey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value
  • options (dict) – the dict, which could contain token specific info
Returns:

the counter state or an error code (< 0):

-1 if the OTP is old (counter < stored counter) -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token) -3 if the CRC verification fails :rtype: int

check_otp_exist(*args, **kwds)[source]

checks if the given OTP value is/are values of this very token. This is used to autoassign and to determine the serial number of a token.

static check_yubikey_pass(passw)[source]

if the Token has set a PIN the user must also enter the PIN for authentication!

This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 of 48) characters are the tokenid, which is stored in the tokeninfo.

Parameters:passw (string) – The password that consist of the static yubikey prefix and the otp
Returns:True/False and the User-Object of the token owner
Return type:dict
static get_class_info(*args, **kwds)[source]

returns a subtree of the token definition

Parameters:
  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found
Returns:

subsection if key exists or user defined
Return type:

s.o.
static get_class_prefix()[source]
static get_class_type()[source]
is_challenge_request(*args, **kwds)[source]

This method checks, if this is a request, that triggers a challenge.

Parameters:
  • passw (string) – password, which might be pin or pin+otp
  • user (User object) – The user from the authentication request
  • options (dict) – dictionary of additional request parameters
Returns:

true or false