Yubikey for WordPress, Roundcube and Linux
Yubikey plugin for Roundcube
Roundcube is a web-based application for email access. It has a modern web interface with drag-and-drop support, and it supports plugins to extend its functionality. There are multiple plugins for logging in with a Yubikey, but most of those plugins are very old. The Roundcube plugin website points to a very old plugin from June 2009 which has not been updated since. The Yubico wiki site lists some plugins, but those are for the 0.2 and 0.3 versions of Roundcube and are very old too. The most recent Roundcube version is 0.7.2 at the time of writing.
But I found a blog by Luis Aranguren which led me to a more recent version of the plugin which supports the 0.7.x versions of Roundcube. The code is available on GitHub: https://github.com/northox/roundcube-yubikey-plugin.
I will show how to install and configure the plugin. The concept is to request an API Key which allows authentication by Yubico, install the plugin in Roundcube, insert the API Key in your configuration, enable the plugin and enable users to use the Yubikey for authentication.
Preparations: Get Yubico API Key
The Yubikey plugin needs access to the Yubico servers for authentication. Yubico accepts authentication requests only when the authentication data is provided with a valid ID and API key. These two can be obtained on a Yubico website for API Key requests. Yubico has changed this URL recently, and the included documentation still points to the old URL. The correct URL is https://upgrade.yubico.com/getapikey.
Visit the ‘Yubico Get API Key’ website at https://upgrade.yubico.com/getapikey. Enter your e-mail address and press the touch-button of your Yubikey once to get the API Key and a Client ID. Keep these for later use.
Installation of the Yubikey plugin in Roundcube
Open a terminal and change to the Roundcube plugins directory. Download the plugin using the ‘git’ command as shown below. A new directory with the name ‘yubikey_authentication’ will be created in the plugins directory. Make sure the directory is named exactly like this.
$ cd /var/www/roundcube/plugins/
$ sudo git clone git://github.com/northox/roundcube-yubikey-plugin.git yubikey_authentication
Initialized empty Git repository in /var/www/roundcube/plugins/yubikey_authentication/.git/
remote: Counting objects: 17, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 17 (delta 5), reused 17 (delta 5)
Receiving objects: 100% (17/17), 13.13 KiB, done.
Resolving deltas: 100% (5/5), done.
$
Now add the API Key and Client ID to the configuration. This is required to allow authentication by the Yubico servers. Edit the ‘config.inc.php’ in the plugin’s directory. The comments in the configuration file point to an outdated URL. The correct URL is https://upgrade.yubico.com/getapikey. You requested this API key and client ID earlier.
Note: I have removed parts of my ID and API Key with asterisks to protect my private data.
<?php
// enable / disable yubikey authentication
$rcmail_config['yubikey'] = TRUE;
// yubikey API key & ID needed to access the web service API. Visit https://api.yubico.com/get-api-key/
$rcmail_config['yubikey_api_id'] = '8**3';
$rcmail_config['yubikey_api_key'] = 'Vnx************************=';
$rcmail_config['debug_logger']['yubikey'] = 'yubikey';
?>
Now enable the plugin. Edit the Roundcube main config file in ‘config/main.inc.php’. Add ‘yubikey_authentication’ to the plugins config.
$rcmail_config['plugins'] = array('yubikey_authentication');
The configuration on the server should now be done. Just go to the Roundcube login page.
The login page shows an extra authentication field. This field is required when a user has enabled the Yubikey for authentication in his settings. If the user has disabled Yubikey authentication or did not assign a Yubikey in his settings, the field can be left empty during login. The first time, log in with just username and password and leave the OTP field empty.
Once logged in to Roundcube you have to assign a Yubikey to your profile. Go to ‘Settings’, ‘Server Settings’ and select ‘Require Yubikey OTP’. Press the touch-button in the ‘Yubikey ID’ field and click ‘Save’.
You should now be ready to log in to Roundcube with your Yubikey, but I suffered from an annoying bug which prevents me from logging in. See Bug #1. I found multiple bugs unfortunately…
Bug #1: Yubikey plugin will not authenticate to Yubico by HTTPS
I found some bugs using the Yubikey plugin. When I finished configuring, it did not allow me to log in using the Yubikey. The plugin passes the OTP code on to the Yubico servers. By default this is done over HTTPS, but somehow this failed.
Login failed while OTP code is fine.
I tried to disable HTTPS and fall back to plain HTTP by reconfiguring the file ‘plugins/yubikey_authentication/lib/Yubico.php’. I tried to do that using the variables in the scripts, but I didn’t get it to work. Finally I changed the prefix from ‘https’ to ‘http’ on line 309. See the change below.
306     {
307         /* Support https. */
308         if ($this->_https) {
309             $query = "http://";
310         } else {
311             $query = "http://";
312         }
Removed the ‘s’ from ‘https://’ in line 309 of ‘plugins/yubikey_authentication/lib/Yubico.php’.
After I changed the ‘https’ to ‘http’ I was able to successfully log in to Roundcube using the Yubikey. But there are some more bugs…
Tip: If you cannot log in to Roundcube and have locked yourself out, you can disable the Yubikey plugin in the Roundcube configuration.
Bug #2: Checkbox always shows as checked, even when unchecked
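With the validation request sent over plain HTTP, as in the line 309 change above, the transport no longer protects Yubico's answer; what still does is the HMAC-SHA1 signature (the ‘h’ field) that the validation service computes over its response with your API key. The following is an added example, not code from the plugin or from Yubico's library, showing that check in PHP 7 or later together with the echoed OTP and nonce. The function names yubico_sign and yubico_response_ok and all sample values are constructed for illustration; the field names follow Yubico's validation protocol 2.0.

```php
<?php
// Added example, not the plugin's code. Field names (h, otp, nonce, status)
// follow Yubico's validation protocol 2.0; every sample value is constructed.

// HMAC-SHA1 over the sorted "key=value" pairs joined with "&", keyed with
// the base64-decoded API key; the result is base64-encoded.
function yubico_sign(array $params, $apiKeyB64)
{
    unset($params['h']);
    ksort($params);
    $pairs = array();
    foreach ($params as $k => $v) {
        $pairs[] = $k . '=' . $v;
    }
    return base64_encode(hash_hmac('sha1', implode('&', $pairs), base64_decode($apiKeyB64), true));
}

// Accept only a correctly signed "OK" that echoes our own OTP and nonce.
function yubico_response_ok($body, $otp, $nonce, $apiKeyB64)
{
    $r = array();
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        $pos = strpos($line, '=');          // values may contain "=" themselves
        if ($pos > 0) {
            $r[substr($line, 0, $pos)] = substr($line, $pos + 1);
        }
    }
    foreach (array('h', 'otp', 'nonce', 'status') as $field) {
        if (!isset($r[$field])) {
            return false;
        }
    }
    return hash_equals(yubico_sign($r, $apiKeyB64), $r['h'])
        && hash_equals($otp, $r['otp'])
        && hash_equals($nonce, $r['nonce'])
        && $r['status'] === 'OK';
}

// Constructed demo: build a signed response locally, then change it.
$key    = base64_encode('constructed-demo-key');
$otp    = 'cccccccccccb' . str_repeat('d', 32);   // placeholder, not a real OTP
$nonce  = bin2hex(random_bytes(16));
$fields = array('otp' => $otp, 'nonce' => $nonce, 'status' => 'OK', 'sl' => '100');
$fields['h'] = yubico_sign($fields, $key);
$body = '';
foreach ($fields as $k => $v) {
    $body .= "$k=$v\r\n";
}
var_dump(yubico_response_ok($body, $otp, $nonce, $key));                                 // untouched
var_dump(yubico_response_ok(str_replace('sl=100', 'sl=25', $body), $otp, $nonce, $key)); // altered after signing
var_dump(yubico_response_ok($body, $otp, 'some-other-nonce', $key));                     // answer to another request
```

Only the untouched response is accepted.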
The user can manually disable the checkbox ‘Require Yubikey OTP’ to disable authentication with the Yubikey. The setting of this checkbox should be remembered, and it actually is. But the checkbox will not load the current setting from the database and always show the checkbox enabled. When saving, the current status of the checkbox (which is always on) will be saved and overwrite the current setting.
Bug #3: Yubikey ID is empty when changing language
I configured the Yubikey with Dutch as the language. I changed the language to English to create some screenshots and found out that the Yubikey ID was empty.
Bug #4: Outdated URL to get the API request
The documentation points to an outdated URL to get the API-Key. Yubico changed the URL and the roundcube plugin documentation is not yet updated.