On 27. 09. 21 17:48, Kevin Fenzi wrote:
> On Mon, Sep 27, 2021 at 04:28:03PM +0200, Miro Hrončok wrote:
> > On 27. 09. 21 16:07, Pierre-Yves Chibon wrote:
> > > On Mon, Sep 27, 2021 at 03:27:43PM +0200, Miro Hrončok wrote:
> > > > Hello,
> > > >
> > > > I've been trying to add the OTP token from accounts.fedoraproject.org to my
> > > > yubikey. I get a QR code and an otpauth://totp/username?secret=xxx URI.
> > > >
> > > > I copy-pasted the xxx secret (56 characters: digits and uppercase letters)
> > > > and tried to add it via YubiKey Manager GUI via Applications/OTP as
> > > > OATH-HOTP (6 digits).
> > > >
> > > > I get "Failed to configure Long Touch (Slot 2). undefined" error.
> > > >
> > > > When I tried to use the CLI:
> > > >
> > > >       $ ykman otp hotp -d 6 -c 0 2 xxx
> > > >
> > > > I get "Error: key lengths >20 bytes not supported".
> > > >
> > > > Is there a way to use YubiKey for accounts.fedoraproject.org OTP, or is the
> > > > device not compatible?
> > >
> > > You may want to check: https://github.com/fedora-infra/noggin/issues/202
> >
> > Thanks. From that ticket I am not quite sure what the status actually is and
> > what the next steps are. Should I post my failed experiment there?
>
> My understanding: IPA supports yubikey HOTP, but noggin (the web
> frontend) does not. So, it's not supported currently. You must use TOTP.
> :(
>
> I'll poke that ticket and see if we can move forward tho.

Indeed. With help from bachradsusi/plautrba on IRC, I was able to do:

$ ykman oath add -o TOTP -d 6 -t accounts.fedoraproject.org <secret>

And now I can do:

$ ykman oath code accounts.fedoraproject.org
Touch your YubiKey...
accounts.fedoraproject.org  123456

Which is nice, however originally I wanted to be able to just touch the device to insert the code as if it was typed on my keyboard. That seems to work with my other HOTP-token based auth, but not with Fedora's TOTP one.

So this seems to boil down to HOTP support in Noggin.

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
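
An added example, not part of the original thread, showing why a 56-character base32 secret trips the ">20 bytes" limit quoted in the ykman error while the same `otpauth://` URI still yields valid TOTP codes: 56 base32 characters decode to 35 bytes. The function names, the `SLOT_HOTP_MAX_KEY_BYTES` constant and the sample URI are constructed for illustration; the HOTP/TOTP routines follow RFC 4226 and RFC 6238.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

SLOT_HOTP_MAX_KEY_BYTES = 20  # assumption: the limit named in the ykman error message
# Constructed sample: a 35-byte key encodes to 56 base32 characters, like the thread's secret.
SAMPLE_URI = "otpauth://totp/username?secret=" + base64.b32encode(bytes(range(35))).decode()

def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lowercase and missing padding."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)

def parse_otpauth(uri: str) -> dict:
    """Split an otpauth URI and report whether its key fits a 20-byte HOTP slot."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = parse_qs(u.query)
    key = decode_secret(q["secret"][0])
    return {
        "type": u.netloc,
        "label": u.path.lstrip("/"),
        "key": key,
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "fits_otp_slot": len(key) <= SLOT_HOTP_MAX_KEY_BYTES,
    }

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // period, digits)

if __name__ == "__main__":
    info = parse_otpauth(SAMPLE_URI)
    print(len(info["key"]), "byte key, fits 20-byte slot:", info["fits_otp_slot"])
    print("TOTP at t=59:", totp(info["key"], 59, info["period"], info["digits"]))
```
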