Yubikey for WordPress, Roundcube and Linux
Conclusion
Maturity of YubicoCloud client software
While preparing this article I installed all the software mentioned. Authentication software must be secure and must have reached a sufficient level of maturity. All the software I tested had bugs, though not all of them are problematic.
When I installed the plugin for WordPress it was still version 0.94. During installation a URL was shown where the API key can be obtained, but Yubico had changed that URL and the plugin was not aware of it. This did not affect the functionality, only the guidance during configuration. I wrote to the developer, who updated the plugin to 0.95 within a couple of days.
The plugin for Roundcube was more problematic. It was hard to find a version for the current Roundcube release (0.7.2); I found some old, useless plugins for outdated Roundcube versions. The working version I eventually found still pointed to the old URL for obtaining the API key. I also had to edit a file by hand to switch the traffic to the YubiCloud from https to http. The plugin also has a problem with a checkbox: the first 12 characters of the OTP code, which assign the Yubikey to a user, disappear when you change the interface language.
It looks like there is no real community maintaining these plugins. I suspect there is only one developer per plugin, and that is not enough to respond quickly to changes and deliver a mature piece of software. This can be a real problem when your business depends on Yubikey authentication.
The Yubico-pam module works fine. It uses the new URL for obtaining the API key, so it has been updated recently. Installation on Ubuntu is very easy. The only problem is that 'dpkg-reconfigure' crashes when the API key contains a slash ('/'), which should be a valid character.
The last problem I experienced was a nasty one in combination with VirtualBox. The Yubikey behaves like a keyboard, so all characters have to be passed from the host to the VirtualBox guest. I noticed that many, but not all, authentication attempts failed. After some investigation I found that sometimes only 43 characters were forwarded to the VirtualBox guest instead of 44. I suspect that the delay in milliseconds between the individual keystrokes is a little too short and a timing problem occurs. When I used USB redirection to connect the Yubikey directly to the VirtualBox guest the problem disappeared. I did not investigate further and do not know how other virtualization software such as VMware behaves here. What I do know is that you can reconfigure the Yubikey and set the number of milliseconds between the individual keystrokes, but to do that you have to generate an AES key yourself and upload it to Yubico.
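As an added illustration (not code from this article or from any of the plugins), the following Python checks the shape of an OTP before it is sent to the YubiCloud, so that a dropped keystroke like the 43-character case above, or a non-modhex character from a wrong keyboard layout, yields a clear diagnostic instead of a silently failed login. The 12-character public-id length follows the article; the sample OTP is constructed.

```python
MODHEX = "cbdefghijklnrtuv"   # modhex alphabet: same physical keys on most keyboard layouts
OTP_LENGTH = 44               # 12-char public id + 32-char encrypted token
PUBLIC_ID_LENGTH = 12         # public-id length as described in the article

def modhex_decode(s):
    """Decode a modhex string to bytes; each modhex character is one hex nibble."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))

def otp_problem(otp):
    """Return None if the OTP has the expected shape, otherwise a message
    that tells the operator what went wrong before the YubiCloud is asked."""
    otp = otp.strip()
    if len(otp) != OTP_LENGTH:
        return "OTP has %d characters, expected %d (keystroke dropped?)" % (len(otp), OTP_LENGTH)
    bad = sorted(set(otp) - set(MODHEX))
    if bad:
        return "OTP contains non-modhex characters %r (wrong keyboard layout?)" % "".join(bad)
    return None

def split_otp(otp):
    """Split a well-formed OTP into (public_id, token); the public id
    identifies the key, the token decodes to 16 bytes of AES ciphertext."""
    problem = otp_problem(otp)
    if problem:
        raise ValueError(problem)
    otp = otp.strip()
    public_id, token = otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]
    if len(modhex_decode(token)) != 16:
        raise ValueError("token does not decode to 16 bytes")
    return public_id, token

# Constructed sample OTP (not from a real YubiKey): all-zero public id + arbitrary modhex token
SAMPLE_OTP = "cccccccccccc" + "vvhnrglhnvbgibeettjdtcugcekthccl"
```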
Security
How about security? The Yubikey protects against brute-force attacks and adds protection when a password alone is not secure enough. It is definitely not a replacement for SSL on your website. SSL offers integrity protection and lets you be sure that you are authenticating against the host you expected. Second, SSL encrypts all the traffic, including the authentication data; the Yubikey does not. It is best to combine SSL with the Yubikey.
One more thing about SSL, or rather the lack of it. All the plugins I tested used plain http without SSL to contact the YubiCloud. I wonder what happens if an intruder mounts a man-in-the-middle attack between the application server and the YubiCloud: whoever captures the complete request from the application server to the YubiCloud can always return a fake 'OK' for the original OTP code. So SSL for this traffic should be considered. The Roundcube plugin had SSL enabled by default, but I was not able to authenticate until I disabled SSL to the YubiCloud.
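The validation protocol v2.0 linked in the references signs every response with an HMAC-SHA1 keyed with the client's API key and echoes the otp and nonce from the request, so a plugin that verifies the signature and the echoed values rejects a forged 'OK' even when the transport is plain http. The following Python is an added example, not code from any of the plugins; the API key, OTP, nonce and response are constructed.

```python
import base64
import hashlib
import hmac

def sign_params(params, api_key_b64):
    """Compute the protocol's 'h' value: HMAC-SHA1 over the alphabetically
    sorted key=value pairs (h itself excluded) joined by '&', keyed with the
    base64-decoded API key, result base64-encoded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join("%s=%s" % (k, params[k]) for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def parse_response(body):
    """Parse the key=value lines of a YubiCloud verify response."""
    params = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.strip().split("=", 1)
            params[k] = v
    return params

def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """Accept the response only if it carries a valid signature under our
    API key, echoes the OTP and nonce we sent, and reports status=OK."""
    p = parse_response(body)
    expected = sign_params(p, api_key_b64)
    if not hmac.compare_digest(expected.encode(), p.get("h", "").encode()):
        return False            # forged or tampered response
    if p.get("otp") != sent_otp or p.get("nonce") != sent_nonce:
        return False            # replayed answer for a different request
    return p.get("status") == "OK"

# Constructed sample: a fake API key and a response signed with it (not real YubiCloud data)
API_KEY = base64.b64encode(b"0123456789abcdef").decode()
OTP = "cccccccccccc" + "vvhnrglhnvbgibeettjdtcugcekthccl"
NONCE = "0123456789abcdef"
_fields = {"t": "2012-04-01T12:00:00Z0000", "otp": OTP, "nonce": NONCE, "sl": "100", "status": "OK"}
_fields["h"] = sign_params(_fields, API_KEY)
SAMPLE_OK = "".join("%s=%s\n" % (k, v) for k, v in _fields.items())
```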
Yubikey usage
So is the Yubikey with the YubiCloud a good solution? In its design it is very safe. I think authentication via the YubiCloud is suitable only for home users and small businesses. Larger organizations keep authentication inside their own borders and can use the Yubikey in OATH mode, so they can run their own authentication server and integrate it with enterprise-ready technologies such as LDAP, SOAP, RADIUS and so on. I will probably write about the Yubikey in OATH mode in the future. If you want to stay with the YubiCloud, consider combining it with OpenID, LastPass or YubiRADIUS, which also support the YubiCloud.
References:
Yubico website: http://www.yubico.com/
Linux Journal and Yubikey: http://www.linuxjournal.com/article/10166
Get API-Key: https://upgrade.yubico.com/getapikey
Upload AES key: http://www.yubico.com/aes-key-upload
Validation protocol: http://code.google.com/p/yubikey-val-server-php/wiki/ValidationProtocolV20
OTP code and Modhex: http://wiki.yubico.com/wiki/index.php/Yubikey
Modhex – why and what is it?: http://forum.yubico.com/viewtopic.php?f=6&t=96
Modhex calculator: http://demo.yubico.com/php-yubico/Modhex_Calculator.php
Linux Magazine (NL/Dutch): http://www.linuxmag.nl/sites/linuxmag.nl/files/bestanden/nl-linuxmag-yubikey.pdf
WordPress plugin: http://wordpress.org/extend/plugins/yubikey-plugin/
Review Roundcube plugin: http://life.luisaranguren.com/blog/2012/02/12/yubikey-roundcube-mail-two-factor-authentication-webmail-client/
Roundcube plugin: https://github.com/northox/roundcube-yubikey-plugin
Yubico-pam wiki: https://github.com/Yubico/yubico-pam/wiki
Yubico-pam: https://github.com/Yubico/yubico-pam
Yubikey on an iPad: http://yubico.com/VidiPad2