Opened 11 years ago

Closed 10 years ago

#580 closed task (fixed)

Authenticate users using YubiKey sticks

Reported by: Nicklas Nordborg
Owned by: Nicklas Nordborg
Priority: blocker
Milestone: YubiKey v1.0
Component: net.sf.basedb.yubikey
Keywords:
Cc:

Description

The idea is to use the YubiKey one-time-password system for logging users into BASE. To be able to do this, BASE ticket 1599 (http://base.thep.lu.se/ticket/1599) needs to be implemented first.

The basic scheme goes something like this:

  1. The administrator of the BASE server assigns a YubiKey id to a user. This can be stored either in the 'externalId' field or as an extended property.
  2. When logging in, the user uses the YubiKey to fill in the "login" field and enters the "password" as usual. The usual login name is not used.
  3. The YubiKey login module checks the BASE database for a user with the given YubiKey id. If a user is found, the key is sent to the "cloud" for verification. If no user is found, the regular login/password authentication is used, but only users without any attached YubiKey id are allowed to use this.
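
The routing decision in step 3, as an added Java example that is not code from BASE or from the YubiKey extension. Class, method and map names are hypothetical, the in-memory map stands in for the BASE database, and the OTP layout (a public id of up to 16 ModHex characters followed by 32 ModHex characters) is the standard Yubico OTP format, assumed here rather than stated in the ticket.

```java
import java.util.*;

/** Added illustration; all names are hypothetical, not BASE or Yubico API. */
public class YubiKeyLoginRouting {
    enum Route { VERIFY_OTP, PASSWORD_ONLY, REJECT }

    // ModHex alphabet used by YubiKey OTPs. An OTP ends with 32 ModHex
    // characters; whatever precedes them is the key's public id.
    static final String MODHEX = "cbdefghijklnrtuv";
    static final int OTP_PART = 32, MAX_ID = 16;

    /** Returns the public id if the login field has the shape of an OTP. */
    static Optional<String> publicId(String login) {
        if (login == null) return Optional.empty();
        String s = login.trim();
        int idLen = s.length() - OTP_PART;
        if (idLen < 1 || idLen > MAX_ID) return Optional.empty();
        for (char c : s.toCharArray())
            if (MODHEX.indexOf(c) < 0) return Optional.empty();
        return Optional.of(s.substring(0, idLen));
    }

    /** keyOwners maps YubiKey id to user login (stand-in for the database). */
    static Route route(String login, Map<String, String> keyOwners) {
        Optional<String> id = publicId(login);
        if (id.isPresent() && keyOwners.containsKey(id.get()))
            return Route.VERIFY_OTP; // password check plus cloud verification
        // Fallback to regular login/password, but never for a user who has a
        // key attached: otherwise typing the login name skips the second factor.
        return keyOwners.containsValue(login) ? Route.REJECT : Route.PASSWORD_ONLY;
    }

    public static void main(String[] args) {
        // Constructed sample data: one user with a registered key.
        Map<String, String> keyOwners = Map.of("cccccccbcjdi", "alice");
        // Test value quoted in this ticket's change history.
        String otp = "cccccccbcjdifctrndncchkftchjlnbhvhtugdljibej";
        System.out.println(route(otp, keyOwners));     // OTP of a registered key
        System.out.println(route("alice", keyOwners)); // key owner using login name
        System.out.println(route("bob", keyOwners));   // user without a key
    }
}
```
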

Change History (10)

comment:1 by Nicklas Nordborg, 11 years ago

(In [2249]) References #580: Authenticate users using YubiKey sticks

Initial checkin of folder structure, build files, metadata and other information.

comment:2 by Nicklas Nordborg, 11 years ago

(In [2252]) References #580: Authenticate users using YubiKey sticks

First version of the authentication manager. Since we don't yet have any actual keys, the only validation so far is that the login is a valid YubiKey one-time-password. For testing purposes, 'cccccccbcjdifctrndncchkftchjlnbhvhtugdljibej' can be used.

comment:3 by Nicklas Nordborg, 11 years ago

(In [2255]) References #580: Authenticate users using YubiKey sticks

Updating code to make it compatible with BASE core after http://base.thep.lu.se/changeset/6425

comment:4 by Nicklas Nordborg, 11 years ago

(In [2256]) References #580: Authenticate users using YubiKey sticks

Adding extension that customizes the login form for YubiKey usage.

comment:5 by Nicklas Nordborg, 11 years ago

(In [2257]) References #580: Authenticate users using YubiKey sticks

Implemented actual verification of passwords against YubiCloud. Seems to be working well. A manual configuration step to get a CLIENT_ID and CLIENT_KEY is needed when installing the extension for the first time. Instructions for this need to be written.

comment:6 by Nicklas Nordborg, 11 years ago

(In [2258]) References #580: Authenticate users using YubiKey sticks

Store YubiKey information as extended properties instead of in the 'externalid' field.

Check regular password before verifying the YubiKey password.

comment:7 by Nicklas Nordborg, 11 years ago

(In [2259]) References #580: Authenticate users using YubiKey sticks

Added a YubiKey tab in the 'Edit user' dialog. This should make it relatively easy to register/unregister a YubiKey with a certain user.

comment:8 by Nicklas Nordborg, 11 years ago

(In [2260]) References #580: Authenticate users using YubiKey sticks

Restricting write permission to YubiKey properties to administrators.

comment:9 by Nicklas Nordborg, 11 years ago

(In [2263]) References #580: Authenticate users using YubiKey sticks

Updating README.

comment:10 by Nicklas Nordborg, 10 years ago

Resolution: fixed
Status: new → closed