16.2.1.2.23. Yubikey Token

class privacyidea.lib.tokens.yubikeytoken.YubikeyTokenClass(db_token)[source]

The Yubikey Token in the Yubico AES mode

classmethod api_endpoint(request, g)[source]

This provides a function to be plugged into the API endpoint /ttype/yubikey, which is defined in api/ttype.py.

The endpoint /ttype/yubikey is used for the Yubico validate request according to https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html

Parameters:
  • request – The Flask request
  • g – The Flask global object g
Returns: Flask Response or text

Required query parameters

Query id: The id of the client to identify the correct shared secret
Query otp: The OTP from the yubikey in the yubikey mode
Query nonce: 16-40 bytes of random data

Optional parameters h, timestamp, sl, timeout are not supported at the moment.

check_otp(anOtpVal, counter=None, window=None, options=None)[source]

Validate the token OTP against a given OTP value.

Parameters:
  • anOtpVal (string) – the OTP value to be verified
  • counter (int) – the counter state. It is not used by the Yubikey because the current counter value is sent encrypted inside the OTP value
  • window (int) – the counter +window, which is not used in the Yubikey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value
  • options (dict) – the dict, which could contain token specific info
Returns: the counter state or an error code (< 0):
  • -1 if the OTP is old (counter < stored counter)
  • -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token)
  • -3 if the CRC verification fails
Return type: int

check_otp_exist(otp, window=None)[source]

Checks whether the given OTP value belongs to this very token. This is used for autoassignment and to determine the serial number of a token.

static check_yubikey_pass(passw)[source]

If the token has a PIN set, the user must also enter the PIN for authentication!

This checks the output of a yubikey in AES mode without providing the serial number. The first 12 (of 44) or 16 (of 48) characters are the tokenid, which is stored in the tokeninfo yubikey.tokenid or the prefix yubikey.prefix.

Parameters: passw (string) – The password that consists of the static yubikey prefix and the otp
Returns: True/False and the User-Object of the token owner
Return type: dict
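As an added example (not privacyIDEA's code), the verification steps these two methods describe: the 44/48-character prefix split, modhex decoding, and the CRC, private_uid and counter checks that produce the -1/-2/-3 codes. It assumes the AES-128-ECB decryption of the OTP with the token's otpkey has already taken place, and the way the use and session counters combine into one counter value is an assumption, not taken from the page.

```python
# Added example, not privacyIDEA's code: the steps behind check_yubikey_pass
# (prefix/OTP split, modhex) and check_otp's return codes (-1/-2/-3).
# The AES-128-ECB decryption with the token's otpkey is assumed to have
# been done already; check_decrypted() works on the 16-byte plaintext.
import struct
MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe alphabet
# Plaintext layout: uid(6) | useCtr(2 LE) | tstamp(3) | sessionCtr(1) | rnd(2) | crc(2 LE)
BODY = struct.Struct("<6sH3sBH")  # the 14 bytes covered by the CRC

def split_passw(passw):
    """Static prefix + OTP: the first 12 (of 44) or 16 (of 48) chars are the token id."""
    if len(passw) not in (44, 48):
        raise ValueError("Yubico AES-mode OTP must be 44 or 48 characters")
    return passw[:-32], passw[-32:]

def modhex_decode(s):
    """Decode modhex into bytes (the 32 OTP chars give the 16-byte AES block)."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    return bytes.fromhex("".join("0123456789abcdef"[MODHEX.index(c)] for c in s))

def crc16(data):
    """Yubico CRC-16 (reflected poly 0x8408, init 0xFFFF); a valid block leaves 0xF0B8."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def check_decrypted(block, stored_uid, stored_counter):
    """Return the new counter state, or -1/-2/-3 as documented for check_otp."""
    if len(block) != 16 or crc16(block) != 0xF0B8:
        return -3  # CRC verification failed (wrong key, or tampered/corrupt OTP)
    uid, use_ctr, _tstamp, session_ctr, _rnd = BODY.unpack(block[:14])
    if uid != stored_uid:
        return -2  # private_uid differs from the one stored with the token
    # Composite counter (assumption): 15-bit use counter (bit 15 = capslock flag), then session counter
    counter = ((use_ctr & 0x7FFF) << 8) | session_ctr
    if counter <= stored_counter:
        return -1  # old or replayed OTP; stored_counter is the last accepted value
    return counter

def make_block(uid, use_ctr, session_ctr, tstamp=b"\x01\x02\x03", rnd=0x1234):
    """Constructed test data: a plaintext block with a valid CRC (as a key would produce)."""
    body = BODY.pack(uid, use_ctr, tstamp, session_ctr, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)  # CRC is stored inverted, LE
```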
static get_class_info(key=None, ret='all')[source]

Returns a subtree of the token definition.

Parameters:
  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found
Returns: the subsection if key exists, otherwise the user-defined default (ret)
Return type: see above

static get_class_prefix()[source]
static get_class_type()[source]
is_challenge_request(passw, user=None, options=None)[source]

This method checks whether this request triggers a challenge.

Parameters:
  • passw (string) – password, which might be pin or pin+otp
  • user (User object) – The user from the authentication request
  • options (dict) – dictionary of additional request parameters
Returns: true or false

update(param, reset_failcount=True)[source]

Update the token object.

Parameters: param (dict) – a dictionary with different params like keysize, description, genkey, otpkey, pin