I’m trying to configure our Passbolt instance (2.10.0) to use a Yubikey OTP.
As explained in the guide here: https://help.passbolt.com/configure/mfa/yubikey.html
I’ve created an API key. However, it seems that the Key secret I got is too long for the passbolt entry field.
The key I received is 27 characters long in the form of xxxxxxxxxxxxxxxxxxxxxxxxxxx= while the documentation seems to show a secret key of 23 characters in the form xx/xxxxxx/xxxxxxxxxxxx=
Maybe there is a change in the Yubikey system. My key is a Yubikey 5C Nano.
Ludovic
PS: we are a pro subscriber
remy
October 22, 2019, 9:19am
2
Hello @ldubost ,
That is strange. This indeed might be a change of behavior of the Yubicloud API.
I just tried with a Yubikey 5C nano and I got the secret key in 23 chars format.
Can you confirm you requested the key here: https://upgrade.yubico.com/getapikey/
If that’s the case we’ll need to relax the validation rules.
Sorry for the inconvenience, the documentation for Yubicloud is quite terse with regard to the expected formats.
Yes, I can confirm this is where I got it.
remy
October 22, 2019, 4:18pm
4
@ldubost thanks for this, I’ll try to arrange a release asap to fix this, most likely next week.
remy
October 24, 2019, 10:33am
5
@ldubost I think I found the issue
Index: CHANGELOG.md
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- CHANGELOG.md (date 1565266637000)
+++ CHANGELOG.md (date 1571907709000)
@@ -3,6 +3,7 @@
This project adheres to [Semantic Versioning](http://semver.org/).
## [unreleased]
+- PB-818: Fix Yubicloud secret key does not validate when it contains a + char
## [2.11.0] - 2019-08-08
### Security fixes
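Review bot: The new `PB-818` entry sits directly under `## [unreleased]` with no subsection heading, while the 2.11.0 release below it groups entries under headings such as `### Security fixes`. Put the entry under a matching subsection for fixes so it lands in the right group when the release is cut.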
Index: plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php (date 1565266637000)
+++ plugins/Passbolt/MultiFactorAuthentication/src/Utility/MfaOrgSettingsYubikeyTrait.php (date 1571907709000)
@@ -77,7 +77,7 @@
$errors[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY]['notEmpty'] = $msg;
} else {
$secretKey = $data[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY];
- if (!Validation::custom($secretKey, '/^[a-zA-Z0-9\/=]{10,128}$/')) {
+ if (!Validation::custom($secretKey, '/^[a-zA-Z0-9\/=\+]{10,128}$/')) {
$msg = __('Yubikey OTP secret key is not valid.');
$errors[MfaSettings::PROVIDER_YUBIKEY][MfaOrgSettings::YUBIKEY_SECRET_KEY]['isValidSecretKey'] = $msg;
}
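Review bot: The pattern on the `+` line still checks only alphabet and length, so `=` is accepted at any position and a value that is not well-formed base64 can pass validation and only fail later. If the secret is always base64, as the accepted alphabet suggests, consider pairing the regex with a strict decode check such as `base64_decode($secretKey, true) !== false`. The backslash before `+` is also unnecessary inside a character class; `[a-zA-Z0-9\/=+]` matches the same set.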
Index: plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php (date 1565266637000)
+++ plugins/Passbolt/MultiFactorAuthentication/tests/TestCase/Controllers/OrgSettings/MfaOrgSettingsPostControllerTest.php (date 1571907709000)
@@ -116,7 +116,7 @@
],
MfaSettings::PROVIDER_YUBIKEY => [
'clientId' => '12345',
- 'secretKey' => 'i2/j3jIQBO/axOl3ah4mlgXlXUY='
+ 'secretKey' => 'i2/j3jIQBO/axOl3ah4mlgXlXU+Y='
],
MfaSettings::PROVIDER_DUO => [
'salt' => '__CHANGE_ME__THIS_MUST_BE_AT_LEAST_FOURTY_CHARACTERS_____',
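Review bot: The replacement fixture on the `+` line is 29 characters, one more than the 28-character value it replaces, so its length is no longer a multiple of 4 and it is not a well-formed padded base64 string. Swap an existing character for `+` instead of inserting one, and keep the original value as a second case so keys without `+` stay covered alongside the new one.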
remy
October 24, 2019, 10:35am
6
@ldubost how urgent is this issue for you? We can publish a v2.11.1 shortly if that’s a blocker from your side.