Yubikey support

I would to see yubikey supported as one of the ways to 2-factor auth.

See https://developers.yubico.com/

Status: 
Active

Comments

Are you referring specifically to YubiKey's cloud authentication service YubiCloud?

We could support that, but it would take some development work (similar to what was done for authy).

Doesn't Yubikey also support TOTP, which is already implemented in Webmin (and doesn't require dependency on an external service) ?

Yes Yubikey does use OTP if you can make that work that would be really cool.

Webmin already has support for the TOPT protocol for two-factor authentication, so if Yubikey supports that they it should work with no further changes on our side.

Each yubikey has to register first then you can use it for webmin logins. So you need to add code that will access yubicon's api to do this.

I'll look into this some more - on the Yubikey site it says TOTP is supported, but with some additional software.

Any news on this ?? I would love to get away from google auth soon.

@ JamieCameron Yubico made libs available. u2f protocol is more and more accepted (due use of facebook and google and many more) For me it would be also a great advantage to secure my web/virtualmins with yubikeys.

The T of Totp is indeed created by additional software. the yubikey has no battery or clock, so it can't create totp itself. Other mechanism yubikey does is challange/response, certificates, u2f, pgp, programmable passwordresponse (quite a nice little versitile device)

For your convience I added some links to dev pages: https://developers.yubico.com/OTP/ https://developers.yubico.com/yubico-perl-client/

If you are willing to give a bit guidance in howto implement these perl modules within webmin so we can pass authentication, I'm willing to help testing/poc drive.

Regards,

Thanks, I'll take a look at those APIs.

Replying to this old thread, instead of opening a new one, even though it's not Ubikey that I'm looking for, but general-purpose 2FA:

Would be really nice to have an open-source self-hosted solution, needing Google or an Authy key is a pain. And brute-force attacks are on the sharp rise.

An 2FA implementation based on U2F would be much better for Virtualmin, Webmin and Usermin, so that open-source 2FA clients can be used. See this page of gitlabs open-source self-hosted solution for all the choices available: https://docs.gitlab.com/ee/user/profile/account/two_factor_authenticatio...

Ilia's picture
Submitted by Ilia on Fri, 11/20/2020 - 06:36

Would be really nice to have an open-source self-hosted solution, needing Google or an Authy key is a pain.

How about just using oathtool tool to generate OTP?

oathtool --base32 --totp X23DDQZHGIA63W44

Not good enough?

Thank you for the pointer, but that's in command lines, and not using Virtualmin. Not available to "normal" users without ssh access or deep shell knowledge (and managing the system outside of Virtualmin which may call for future troubles), so imho not "good enough" (keep cool, just trying to help you guys by giving suggestions to help improve Virtualmin/Webmin).

When activating Two-Factor Authentication in Webmin / Webmin settings / Two-Factor Authentication setting, there are only 2 choices: Google and Authy. Would be nice to have a non-proprietary non-third-party dependant self-hosted open-source third choice (or that one replacing the two not needed anymore ones).

Maybe to clarify, I was talking about the server-side that can be self-hosted "inside Virtualmin" server-side and not depending on third-party services.

Ilia's picture
Submitted by Ilia on Fri, 11/20/2020 - 06:53

Not available to "normal" users without ssh access or deep shell knowledge (and managing the system outside of Virtualmin which may call for future troubles),

When using Ubikey, are there desktop and/or mobile clients (installable from Play Store or Apple Store) for generating OTP?

Would be really nice to have an open-source self-hosted solution, needing Google or an Authy key is a pain.

It would be use full, if you could describe what kind of pain is that exactly?

(keep cool, just trying to help you guys by giving suggestions to help improve Virtualmin/Webmin).

Thank you, we will consider it, if it's worth it, and more or the less easy to add.