Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#892 closed enhancement (fixed)

Add support for enforcing YubiKey login depending on client

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: major
Milestone: YubiKey v1.3
Component: net.sf.basedb.yubikey
Keywords:
Cc:

Description

#609 added support for not using YubiKey login when certain client applications were used.

In some cases it might be desirable to enforce that YubiKey login is used (see #891). Typically, the normal behavior is to also accept users that have not been assigned a YubiKey (if they provide their regular username and a correct password).

When a client application has been configured for enforcing YubiKey login it will not be possible for users without a YubiKey to log in with that client.

The suggested fix is to specify a list of client application ids in the yubikey.properties file. E.g.:

enforce-yubikey = net.sf.basedb.reggie.delivery

Change History (2)

comment:1 Changed 4 years ago by Nicklas Nordborg

Resolution: fixed
Status: new → closed

(In [3993]) Fixes #892: Add support for enforcing YubiKey login depending on client

A list with client id values can now be specified in the require-yubikey configuration setting to require that YubiKey login is used.

A related but slightly different change is that if someone is trying to log in with a valid YubiKey that is not connected to a user account the login is blocked. This case used to be ignored and passed back to the BASE core for internal authentication.

comment:2 Changed 4 years ago by Nicklas Nordborg

(In [3995]) References #892: Add support for enforcing YubiKey login depending on client

Removed the text "users without a YubiKey should login with their username" from the login form if the used client has been configured to require YubiKey login.
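
The login rules described in this ticket, written out as an added Java example that is not part of the ticket or of the extension's own code. It uses the `require-yubikey` setting name from comment:1 (the description proposed `enforce-yubikey`). Assumptions: the comma/whitespace list separator, the class and method names, the `example.other.client` id, the user name `alice`, and the rule that a user with an assigned key cannot fall back to a password.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration; not code from the net.sf.basedb.yubikey extension.
public class RequireYubiKeyPolicy {
    enum Decision { LOGIN_WITH_YUBIKEY, PASS_TO_CORE_PASSWORD_AUTH, BLOCK }

    private final Set<String> requiredClients;

    RequireYubiKeyPolicy(Properties config) {
        // Assumption: client ids are separated by commas and/or whitespace.
        String raw = config.getProperty("require-yubikey", "");
        requiredClients = Arrays.stream(raw.split("[,\\s]+"))
            .filter(id -> !id.isEmpty())
            .collect(Collectors.toSet());
    }

    // otpValid: the login carried a YubiKey OTP that validated.
    // keyLinkedUser: account the key is connected to, or null if none.
    Decision decide(String clientId, boolean otpValid, String keyLinkedUser, boolean userHasKey) {
        if (otpValid) {
            // A valid key with no account behind it is blocked, not handed to the core.
            return keyLinkedUser == null ? Decision.BLOCK : Decision.LOGIN_WITH_YUBIKEY;
        }
        // No valid OTP: a client on the require list never accepts a password alone.
        if (requiredClients.contains(clientId)) {
            return Decision.BLOCK;
        }
        // Assumption: a user who has been assigned a key may not fall back to a password.
        return userHasKey ? Decision.BLOCK : Decision.PASS_TO_CORE_PASSWORD_AUTH;
    }

    public static void main(String[] args) throws IOException {
        Properties config = new Properties();
        // Constructed sample file content; the client id is the one from the description.
        config.load(new StringReader("require-yubikey = net.sf.basedb.reggie.delivery\n"));
        RequireYubiKeyPolicy policy = new RequireYubiKeyPolicy(config);
        String enforced = "net.sf.basedb.reggie.delivery";
        String other = "example.other.client"; // hypothetical client id
        System.out.println("enforced, password only: " + policy.decide(enforced, false, null, false));
        System.out.println("other, password only: " + policy.decide(other, false, null, false));
        System.out.println("other, unlinked key: " + policy.decide(other, true, null, false));
        System.out.println("enforced, linked key: " + policy.decide(enforced, true, "alice", true));
    }
}
```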
