
How To Do Mass Enrolling Of Yubikey With LinOTP


While you may have your Ubuntu install locked down with full disk encryption in case you lose the laptop, and UFW locking down the network with a firewall, there is no point if you have a poor password. Two-factor authentication using One Time Passwords may be an option for you; if it is, this great howtoforge article might point you in the right direction.

The Yubikey comes shipped with a secret that can be used to authenticate against the Yubico online service. In many cases this is not acceptable, since you want to control the secret and the authentication process yourself.

The Yubikey also offers the possibility to work as an RFC-compliant HOTP token. In a rollout process the secret HMAC key can be written to the Yubikey. To achieve this, Yubico also provides a Python module.

LinOTP is a Linux-based open source authentication server that supports many different OTP mechanisms such as mOTP, TOTP, HOTP, OCRA, SMS, daily passwords and others. When the Yubikey is initialized as an HOTP token, you can easily use it with LinOTP.

Ever since LinOTP 2.4.1 (the current version at the time of writing is 2.5.0), which was released in November 2011, LinOTP has supported the mass enrolling of Yubikeys.


Installing LinOTP server

There are different ways to install the LinOTP server.

LinOTP is a Python-based web application, so you can install LinOTP from scratch. All open source packages are published on the Python Package Index, so you can install LinOTP using your preferred method, such as easy_install or pip.

How to do this can be found here.

There are also deb packages available, either from the homepage or from a repository. This article shows you how to use the repository to easily install LinOTP. The latest packages in the repository were built with Ubuntu 12.04 LTS.

So now we assume you have installed your LinOTP server, set up your administrator and configured your user store.


Install the LinOTP admin client

LinOTP also provides an open source admin client, which is a command line client. Its abilities are somewhat limited, but it also provides features which the Web UI does not.

You can also install the admin client either using pip or the configured repository.

If you configured the repository, installing the admin client is as easy as doing

apt-get install linotpadminclientce

If you used easy_install or pip, you can install the client from PyPI.

pip install linotpadminclientce

Now you are done.


Enrolling Yubikeys

USB access

Usually your normal user will not have access to write the HMAC key to the Yubikey. You could either run the linotpadm command as root (bad idea) or define a udev rule so that your console user can access the Yubikey.

Create a file /etc/udev/rules.d/70-yubikey-enrollment.rules:

vi /etc/udev/rules.d/70-yubikey-enrollment.rules


# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.
ACTION=="add|change", SUBSYSTEM=="usb", \
  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111", \
  TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

(This was taken from yubikey-personalization.)


Enroll Yubikey

Now you can issue the command:

% linotpadm -U https://localhost -a admin -C yubikey_mass_enroll

Which will give you the output:

Please enter password for 'admin':
Please insert the next yubikey and press enter (x=Exit):
{   u'status': True, u'value': True}
Please insert the next yubikey and press enter (x=Exit): x

You can insert as many Yubikeys as you like, hitting enter after each one. When you are done enrolling all your Yubikeys, just enter 'x'. linotpadm reads the serial number from the Yubikey and puts the token into the LinOTP token database with the serial YUBI123456 (according to the Yubikey serial number). Thus it is easy to identify that this HOTP token is in fact a Yubikey.

The Yubikey serial number is printed on its back, so that you can now start assigning tokens to your users.

Happy Authenticating!


