Ticket #1485264 (new Patches)

Opened 5 months ago

Last modified 6 weeks ago

Patch: Yubikey Authentication

Reported by: dirkm
Owned by:
Priority: 5
Milestone: later
Component: Security issue
Version: svn-trunk
Severity: normal
Keywords: patch yubikey yubico authentication otp password
Cc:

Description

Hi,

I have created a patch to integrate Yubikey authentication into RoundCube. Yubikeys are small USB devices that generate one-time passwords. You can read about the Yubikey here.

This implementation uses Yubico's authentication web service. It includes main config settings to configure and enable/disable Yubikey authentication. Also, there are changes to the user settings and corresponding UI to allow users to enter their public ID and enable/disable authentication.

When enabled, in addition to "Username" & "Password," the login screen shows a third field "Yubikey OTP" (one-time password).

The patch was created against revision 1611.

This is a cool and useful feature that enhances security, but it might be kind of hard to test without an actual Yubikey. Feel free to contact me to work this out.

-D

Attachments

roundcube_yubikey.diff (12.1 kB) - added by dirkm 5 months ago.
Yubikey Authentication Patch
roundcube_yubikey.rev1968.diff (12.2 kB) - added by dirkm 3 months ago.
Yubikey authentication patch (r1968)

Change History

Changed 5 months ago by alec

  • version changed from 0.2-alpha to svn-trunk
  • milestone changed from 0.2-beta to later

Changed 5 months ago by dirkm

This new patch now also includes the necessary changes to the main.inc.php.dist config file. If you are applying this patch against an existing installation of RoundCube, you will have to add the Yubikey config parameters manually to your config/main.inc.php file.

-D

Changed 5 months ago by dirkm

Yubikey Authentication Patch

Changed 3 months ago by dirkm

Yubikey authentication patch (r1968)

Changed 3 months ago by dirkm

Updated Yubikey authentication patch to work with release v0.2-beta. This patch was created against revision 1968 of the trunk.

Changed 6 weeks ago by JDiel

I've updated to the latest version of Roundcube and used your patch. Also got an API Id and API Key, which I used in the config file. Also enabled Yubikey OTP in the config.

When I reload Roundcube, I see the extra input field for the Yubikey OTP, but when I only enter my username and password, I get into my mail without using the Yubikey. Also when I enter whatever string in the Yubikey field, I also get authenticated.

What am I doing wrong?

Thanks for your support!

Regards, Jeroen.

Changed 6 weeks ago by dirkm

Hi Jeroen,

It sounds like you have enabled Yubikey authentication for the whole Roundcube installation; however, you still need to enable and configure it for each individual user that wants to use a Yubikey to log in! I figured that not every user on a system can be expected to have a Yubikey. In other words, only once the system knows the user's login can it be determined whether this particular user is expected to provide a Yubikey token. That is why the "Yubikey OTP" field is always showing on the login screen.

To set up a user, do the following:

1. log in
2. click on "Personal Settings"
3. scroll down to the section entitled "Yubikey Authentication"
4. select the "Require Yubikey OTP" checkbox
5. put the cursor in the field labeled "Yubikey ID"
6. insert your Yubikey into the USB slot of your machine and put your finger on the Yubikey's activation pad

The above steps enable Yubikey authentication for your account and associate your personal Yubikey with your Roundcube login. If you go back into "Personal Settings," you should see the first 12 characters of your Yubikey token. Those are always the same and serve to identify you.

Here are some screenshots of this process that I posted to the Yubikey developers forum.

The next time you log in, you will have to provide a Yubikey token in the "Yubikey OTP" field on the login screen.

Let me know if you should have further questions.

-D
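
The login decision described in the comment above, as an added PHP example (not code from the attached patch): the installation-wide switch, the per-user "Require Yubikey OTP" setting, the stored 12-character Yubikey ID, and the call to the validation service. The function name, preference keys and the `$verifyOtp` callable are hypothetical, and the 44-character modhex OTP length is an assumption.

```php
<?php
// Added illustration; not code from roundcube_yubikey.diff.
// Assumption: an OTP is 44 modhex characters, the first 12 being the public ID.
const MODHEX_OTP = '/^[cbdefghijklnrtuv]{44}$/';

/**
 * Decide whether a login that already passed the password check may proceed.
 * $siteEnabled : installation-wide switch (hypothetical name)
 * $userPrefs   : ['require_otp' => bool, 'yubikey_id' => string] (hypothetical keys)
 * $verifyOtp   : callable(string): bool standing in for the validation service call
 */
function yubikey_gate(bool $siteEnabled, array $userPrefs, string $otp, callable $verifyOtp): array
{
    if (!$siteEnabled || empty($userPrefs['require_otp'])) {
        // The case from the thread: the field is shown, but this user never opted in.
        return [true, 'otp-not-required'];
    }
    $otp = strtolower(trim($otp));
    if (!preg_match(MODHEX_OTP, $otp)) {
        return [false, 'malformed-otp'];
    }
    $storedId = (string)($userPrefs['yubikey_id'] ?? '');
    // Fail closed if the user requires an OTP but no usable key ID was stored.
    if (strlen($storedId) !== 12 || !hash_equals($storedId, substr($otp, 0, 12))) {
        return [false, 'wrong-key'];
    }
    // Only now spend a round trip on the validation service; errors count as failure.
    try {
        $ok = $verifyOtp($otp) === true;
    } catch (Throwable $e) {
        $ok = false;
    }
    return [$ok, $ok ? 'otp-accepted' : 'otp-rejected'];
}

// Constructed sample data: a made-up 12-character ID plus 32 filler characters.
$otp      = 'ccccccbcdefg' . str_repeat('hijklnrt', 4);
$enrolled = ['require_otp' => true, 'yubikey_id' => 'ccccccbcdefg'];
$accept   = fn(string $o): bool => true;   // stand-in for a successful service reply

foreach ([
    'not enrolled, junk OTP' => yubikey_gate(true, [], 'whatever', $accept),
    'enrolled, junk OTP'     => yubikey_gate(true, $enrolled, 'whatever', $accept),
    'enrolled, other key'    => yubikey_gate(true, $enrolled, 'vvvvvv' . substr($otp, 6), $accept),
    'enrolled, own key'      => yubikey_gate(true, $enrolled, $otp, $accept),
] as $case => [$allowed, $reason]) {
    printf("%-24s %s (%s)\n", $case, $allowed ? 'allow' : 'deny', $reason);
}
```

The first case reproduces what JDiel observed before enabling the per-user setting; the remaining cases show the gate once a Yubikey ID is associated with the account.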

Changed 6 weeks ago by JDiel

Hi Dirk,

Thanks a lot for your reply, this worked out just great for me! Really awesome! :)

Regards, Jeroen.
