Opened 5 years ago

Closed 4 years ago

Last modified 3 years ago

#1485264 closed Feature Patches (wontfix)

Patch: Yubikey Authentication

Reported by: dirkm
Owned by:
Priority: 5
Milestone: 0.3-stable
Component: Security
Version: git-master
Severity: normal
Keywords: patch yubikey yubico authentication otp password
Cc:

Description

Hi,

I have created a patch to integrate Yubikey authentication into RoundCube. Yubikeys are small USB devices that generate one-time passwords. You can read about the Yubikey here.

This implementation uses Yubico's authentication web service. It includes main config settings to configure and enable/disable Yubikey authentication. Also, there are changes to the user settings and corresponding UI to allow users to enter their public ID and enable/disable authentication.

When enabled, in addition to "Username" & "Password," the login screen shows a third field "Yubikey OTP" (one-time password).

The patch was created against revision 1611.

This is a cool and useful feature that enhances security, but it might be kind of hard to test without an actual Yubikey. Feel free to contact me to work this out.

-D

Attachments (2)

roundcube_yubikey.diff (12.1 KB) - added by dirkm 5 years ago.
Yubikey Authentication Patch
roundcube_yubikey.rev1968.diff (12.2 KB) - added by dirkm 5 years ago.
Yubikey authentication patch (r1968)


Change History (10)

comment:1 Changed 5 years ago by alec

  • Milestone changed from 0.2-beta to later
  • Version changed from 0.2-alpha to svn-trunk

comment:2 Changed 5 years ago by dirkm

This new patch now also includes the necessary changes to the main.inc.php.dist config file. If you are applying this patch against an existing installation of RoundCube, you will have to add the Yubikey config parameters manually to your config/main.inc.php file.

-D

Changed 5 years ago by dirkm

Yubikey Authentication Patch

Changed 5 years ago by dirkm

Yubikey authentication patch (r1968)

comment:3 Changed 5 years ago by dirkm

Updated Yubikey authentication patch to work with release v0.2-beta. This patch was created against revision 1968 of the trunk.

comment:4 Changed 5 years ago by JDiel

I've updated to the latest version of Roundcube and used your patch. Also got an API Id and API Key which I used in the config file. Also enabled Yubikey OTP in the config.

When I reload Roundcube, I see the extra input field for the Yubikey OTP, but when I only enter my username and password, I get into my mail without using the Yubikey. Also when I enter whatever string in the Yubikey field, I also get authenticated.

What am I doing wrong?

Thanks for your support!

Regards, Jeroen.

comment:5 Changed 5 years ago by dirkm

Hi Jeroen,

It sounds like you have enabled Yubikey authentication for the whole Roundcube installation; however, you still need to enable and configure it for each individual user that wants to use a Yubikey to log in! I figured that not every user on a system can be expected to have a Yubikey. In other words, only once the system knows the user's login can it be determined whether this particular user is expected to provide a Yubikey token. That is why the "Yubikey OTP" field is always showing on the login screen.

To set up a user, do the following:

  1. log in
  2. click on "Personal Settings"
  3. scroll down to the section entitled "Yubikey Authentication"
  4. select the "Require Yubikey OTP" checkbox
  5. put the cursor in the field labeled "Yubikey ID"
  6. insert your Yubikey into the USB slot of your machine and put your finger on the Yubikey's activation pad

The above steps enable Yubikey authentication for your account and associate your personal Yubikey with your Roundcube login. If you go back into "Personal Settings," you should see the first 12 characters of your Yubikey token. Those are always the same and serve to identify you.

Here are some screenshots of this process that I posted to the Yubikey developers forum.

The next time you log in, you will have to provide a Yubikey token in the "Yubikey OTP" field on the login screen.

Let me know if you should have further questions.

-D
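
The per-user behaviour described in comment:5, as an added PHP example that is not code from the attached patch: the token is ignored for users who have not opted in, and required, well-formed and bound to the enrolled 12-character ID for users who have. The pref keys `yubikey_required` and `yubikey_id`, the function name, the `$verify` stub for the validation web service and the 44-character token length are assumptions.

```php
<?php
// Added illustration; pref keys, function name and the $verify stub are hypothetical.

// Assumed token layout: 12-character public ID + 32 more characters, all modhex.
const MODHEX_OTP = '/^[cbdefghijklnrtuv]{44}$/';

/**
 * Decide whether a login may proceed once username and password were accepted.
 * $prefs  - the user's stored settings
 * $verify - callable(string $otp): bool, stands in for the validation web service
 */
function yubikey_gate(array $prefs, string $otp, callable $verify): bool
{
    // Users who have not opted in are never asked for a token; the field is ignored.
    if (empty($prefs['yubikey_required'])) {
        return true;
    }
    $otp = strtolower(trim($otp));
    // Fail closed: a token is required but is missing or malformed.
    if (!preg_match(MODHEX_OTP, $otp)) {
        return false;
    }
    // The token must come from the key enrolled for this account.
    $enrolled = strtolower((string) ($prefs['yubikey_id'] ?? ''));
    if (strlen($enrolled) !== 12 || !hash_equals($enrolled, substr($otp, 0, 12))) {
        return false;
    }
    // Only now ask the validation service whether the one-time password is good.
    return $verify($otp) === true;
}

// Constructed sample data (not real tokens); the stub accepts every token.
$stub     = fn(string $otp): bool => true;
$enrolled = ['yubikey_required' => true, 'yubikey_id' => 'cccccckdvvul'];
$cases = [
    'not enrolled, junk in field' => [[], 'whatever'],
    'enrolled, empty field'       => [$enrolled, ''],
    'enrolled, someone else\'s key' => [$enrolled, 'vvvvvvvvvvvv' . str_repeat('b', 32)],
    'enrolled, own key'           => [$enrolled, 'cccccckdvvul' . str_repeat('b', 32)],
];
foreach ($cases as $label => [$prefs, $input]) {
    $result = yubikey_gate($prefs, $input, $stub) ? 'allow' : 'deny';
    printf("%-30s %s\n", $label, $result);
}
```

The first case is the situation reported in comment:4: with no per-user enrolment, any string in the OTP field is accepted because the field is not consulted.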

comment:6 Changed 5 years ago by JDiel

Hi Dirk,

Thanks a lot for your reply, this worked out just great for me! Really awesome! :)

Regards, Jeroen.

comment:7 Changed 4 years ago by dan

Now that there is an API for authentication, you probably should port this to the API so that it is future compatible. See ticket #1485224 for an example. Also see https://svn.roundcube.net/trunk/roundcubemail/plugins/autologon/ https://svn.roundcube.net/trunk/roundcubemail/plugins/http_authentication/

Nice work.

comment:8 Changed 4 years ago by alec

  • Milestone changed from later to 0.3-stable
  • Resolution set to wontfix
  • Status changed from new to closed