yubikey | PHP library to interface with the Yubikey REST API
kandi X-RAY | yubikey Summary
PHP library to interface with the Yubikey REST API
Top functions reviewed by kandi - BETA
- Verify an OTP.
- Makes a request to the API
- Determine if the response is success.
- Parses the input string into an array
- Returns the hash.
- Send multiple requests
- Set the request's URL
- Get current position
- Check if an offset exists
- Returns the current request.
yubikey Key Features
yubikey Examples and Code Snippets
Community Discussions
Trending Discussions on yubikey
QUESTION
After buying a Yubikey 5 NFC for technical interest (firmware 5.2.7) and setting up FIDO2 authentication where possible, I ran into the problem that I could no longer connect to my GitLab server via SmartGit because the second factor is not requested and therefore I can't connect to the server.
I then decided to deal with it on Windows 10 via Git Bash and SSH. Unfortunately, the documentation here assumes a lot of prior knowledge and I am an absolute beginner on the subject. In the meantime I managed to connect to the server with Git Bash and SSH using a locally generated SSH certificate.
Now I would like to use the Yubikey instead of the certificate stored locally on the computer. Unfortunately, all instructions (e.g. this one https://docs.github.com/en/github/authenticating-to-github/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#generating-a-new-ssh-key-for-a-hardware-security-key) lead to the same error message for me:
...ANSWER
Answered 2021-May-23 at 07:03
So: it is true security keys are now supported for SSH Git operations, as announced early this month (May 2021) on GitHub, but, as discussed here, there are still issues.
Your error message looks like a bug in progress on Debian: "issue 980393: /usr/bin/ssh-keygen -t ecdsa-sk fails with "Key enrollment failed: invalid format"".
And it is still being reported this month.
If this also fails with -t ecdsa, using a plugin for OpenSSH to connect to FIDO/U2F security keys through native Windows Hello APIs might help.
Type export SSH_SK_HELPER=/usr/lib/ssh/ssh-sk-helper.exe first, as seen in tavrez/openssh-sk-winhello issue 1.
Check your OpenSSH version is at least 8.2. It is on my side with the latest Git for Windows:
QUESTION
I am using openconnect --protocol=gp vpn.mysite.com and it says it's connecting, but it is waiting for the SAML authentication. The command and authentication work on my Debian machine, where it prompts for a username and password, but on my other Linux machine it does not seem to want to prompt for authentication. This is the output:
...ANSWER
Answered 2021-May-09 at 01:15
Solved by adding --usergroup=gateway to the command
so the total command that works is
QUESTION
I am trying to sign another public key using gpg --sign-key which then errors with signing failed: No secret key
Full output:
...ANSWER
Answered 2021-Apr-09 at 09:12
After some time I was able to figure it out.
gpg --sign-key only works if you have the private key of the masterkey, meaning I had to sign the public key on my offline machine with the master private key. Subkeys don't work with gpg --sign-key
QUESTION
I am trying to use only .Net code to create a certificate request and submit the request to our on premise Active Directory PKI certificate authority, and get a certificate back. I have a solution that has been working for a few years, but it uses CERTCLILib and CERTENROLLLib, and I would like to shed these dependencies and port this code over to .Net 5.
These certificates are then imported onto a Yubikey device. We generate the key pair on the Yubikey and then use the public key with the CSR.
This question here Generate and Sign Certificate Request using pure .net Framework has been very helpful in getting a DER encoded CSR, but I still have a few questions that I haven't been able to figure out.
- How do I specify the CA and the template to use in the CertificateRequest object?
- I have a public key that is a RSAParameters object. How can I get that into an RSA object to use with the CertificateRequest constructor?
- Once I have the DER encoded CSR, how do I submit that to the CA? I can't find any classes or methods in the System.Security.Cryptography.X509Certificates namespace that accomplishes that.
Here is my current code that is working that I want to port to .NET 5. Note that DeviceDetails contains properties about the Yubikey device and the CA and template. This code is part of a larger app that provisions Yubikey devices.
ANSWER
Answered 2021-Apr-08 at 18:35
Multipart questions are hard, since they require multipart answers. Here are the parts I can answer:
How do I specify the CA and the template to use in the CertificateRequest object?
You can't, but that's OK, because you don't in the CertEnroll code, either. The CertificateRequest object is equivalent to your objPkcs10, the CA and template are for what you do with the CreateSigningRequest output.
I have a public key that is a RSAParameters object. How can I get that into an RSA object to use with the CertificateRequest constructor?
QUESTION
I know this topic has been widely discussed, but most of the examples are about two factor authentication in standard Django templates, while in my case I want to add two factor authentication to a project where Django is used as an API on the backend while the frontend is a native VueJS application.
For everything authentication related, I'm using the built-in Django session authentication, since both frontend and backend are deployed on the same server.
My question is: how can I add two factor authentication (using Google Authenticator or Yubikey) to a project where Django is used as an API?
Here is the problem: the easiest way to do this would be to let the user login from the frontend, and once the user is logged in from /accounts/login (built-in Django authentication view), submit a form where the user has to input their code. The problem with this approach is that once the user is logged in Django will create a session, so request.user.is_authenticated will return True even though the user didn't submit the two factor code yet, so everything would depend on the frontend. I don't like this approach because I'm afraid that someone might find a way to avoid submitting the two factor form and navigate on the rest of the site (since according to Django that session would be authenticated) without the two factor authentication.
What i tried: I still have to write most of the code for this, because i want to understand how safe is it first. But here is my approach:
First approach
- User submits the login form
- Once the login form is submitted, a POST request with the credentials is sent to an endpoint called /authenticate in my Django app. This endpoint will use the Django built-in authenticate() method that will check if those credentials belong to a user without creating a session.
- If the credentials belong to a user, it will return True to the user. At this point the user will submit a form with the 2FA code, and if the code is right, the request is sent to /accounts/login which will check again password and email and actually login the user and create the session, this time.
Second approach
Another approach, that would be even better, would be to override the Django-Allauth login view so that I can add a check for the token, so something like (WARNING: pseudo-code):
...ANSWER
Answered 2021-Apr-02 at 01:03
Instead of trying to implement multi factor authentication yourself, I'd look at SAML or OAuth. The basic idea of these methods is that your site doesn't ask for credentials at all, but you redirect authentication to the security provider's system and your site gets user info you can use to check if the user exists in your system (quite often email) and an authentication token which you can validate. The user gets the token after the whole authentication process is passed, not just the first phase.
There seem to be heaps of plugins for Django for SAML / OAuth authentication: https://djangopackages.org/grids/g/authentication/
And when it comes to forcing multi factor authentication, that is a setting in the authentication provider's system, not in your code.
QUESTION
I'm testing Yubico Yubikeys 5 NFC. In general, we use KeePassXC to save sensible information. KeePassXC accepts Yubikeys but just one... Does anyone know if it is possible to add more than one to a kdbx file?
...ANSWER
Answered 2021-Mar-29 at 14:40
After talking with the KeePassXC team, they notified me it's not possible. Just add the same seed to another Yubikey to keep a second key.
QUESTION
Look is it just me or doesn't the W3C spec say this should be happening already: -
1.2.2. Authentication
On a laptop or desktop:
User pairs their phone with the laptop or desktop via Bluetooth.
User navigates to example.com in a browser and initiates signing in.
User gets a message from the browser, "Please complete this action on your phone."
Next, on their phone:
User sees a discrete prompt or notification, "Sign in to example.com."
User selects this prompt / notification.
User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".
User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.
Now, back on the laptop:
Web page shows that the selected user is signed in, and navigates to the signed-in page.
===============
My WebAuthn code happily interacts with Windows Hello for user verification via PIN. My Samsung Android phone happily interacts with the https://webauthn.appspot.com demo and accepts fingerprint verification.
But I can't seem to use my phone as a security key like a YubiKey connected to my computer?
I can pair it with the PC via Bluetooth or tether it with a USB cable, but Windows will not recognize it as a security key.
Is this possible, or is the functionality restricted? If we could use our phone as security keys, we'd need no special dongles for platform agnostic authentication.
...ANSWER
Answered 2021-Mar-17 at 15:39
In order for that to work, the phone device manufacturer would have to either always present itself as a FIDO2 authenticator, or have some sort of switch that allows it to change mode, kind of like how you can configure USB connection to be for charging or for data transfer. I don't see any technical reason why that could not be done, in fact it's come up multiple times in various discussions, but to my knowledge that is not an Android feature, at least not yet.
QUESTION
I am running into an issue in adding my .pem key to my ssh-agent. I have set up my Linux Ubuntu 20.04 system with Yubikey and it has worked great. Have not had any problems using my Yubikeys. Love the added security; however, when I run this specific command ssh-add -K I get this message Enter PIN for authenticator:. I typed in my pin number from my authenticator for GitHub and even pressed on my YubiKey but nothing processed through. Can anyone help me on this? I would greatly appreciate it.
ANSWER
Answered 2021-Mar-13 at 12:24
In the Apple version -K stores the password in your keychain, so you don't have to type it every time. In the non-Apple version -K "Loads resident keys from a FIDO authenticator".
So, instead of writing
QUESTION
I'm a little bit confused by what I need to do here for Python, but from the Yubikey API documentation for verifying Yubikeys that have YubiOTP the HMAC signature needs to be generated a specific way - from their documentation:
Generating signatures
The protocol uses HMAC-SHA-1 signatures. The HMAC key to use is the client API key.
Generate the signature over the parameters in the message. Each message contains a set of key/value pairs, and the signature is always over the entire set (excluding the signature itself), and sorted in alphabetical order of the keys. More precisely, to generate a message signature do:
- Alphabetically sort the set of key/value pairs by key order.
- Construct a single line with each ordered key/value pair concatenated using &, and each key and value concatenated with =. Do not add any linebreaks. Do not add whitespace. For example: a=2&b=1&c=3.
- Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key (remember to base64decode the API key obtained from Yubico).
- Base 64 encode the resulting value according to RFC 4648, for example, t2ZMtKeValdA+H0jVpj3LIichn4=.
- Append the value under key h to the message.
Now my understanding of their API from their documentation states the following valid request parameters:
- id - the Client ID from Yubico API
- otp - the YubiOTP value from the YubiOTP component of a yubikey.
- h - the HMAC-SHA1 signature for the request
- timestamp - empty does nothing, 1 includes the timestamp in the reply from the server
- nonce - A 16 to 40 character long string with random unique data.
- sl - a value of 0 to 100 indicating percentage of syncing required by client, or strings "fast" or "Secure" to use server values; if nonexistent server decides
- timeout - # of seconds to wait for sync responses; let server decide if absent.
I have a total of two functions I'm trying to use to try and handle all these things and generate the URL. Namely, we have the HMAC support function and the verify_url_generate which generates the URL (and API_KEY is statically coded - my API Secret Key from Yubico):
ANSWER
Answered 2021-Jan-31 at 05:35
Can you try using standard_b64encode and then using urllib.parse.quote(url) in your final URL?
I ask because this page says that "As such, all parameters must be properly URL encoded. In particular, some base64 characters (such as "+") in the value fields needs to be escaped." which means it is expecting +(or %2B) in the args and does a unquote and then normal decode.
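The signing steps quoted in the question and the URL-encoding point from the answer, put together as an added example (not the asker's code and not the PHP library's): the signature is computed over the raw, unescaped values, and escaping happens only when the URL is built. The client ID, API key, OTP and endpoint below are constructed placeholders, and the function names are hypothetical; the response check goes one step beyond the page by applying the same signing rule to a parsed reply.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample values, not real credentials or a real endpoint.
SAMPLE_CLIENT_ID = "12345"
SAMPLE_API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "cccccccccccc" + "b" * 32
VERIFY_URL = "https://validation.example/wsapi/2.0/verify"  # placeholder


def sign(params, api_key_b64):
    """Base64 HMAC-SHA-1 over the key-sorted 'k=v&k=v' line, excluding h."""
    line = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    key = base64.b64decode(api_key_b64)  # the API key is handed out base64 encoded
    digest = hmac.new(key, line.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_verify_url(client_id, otp, api_key_b64, nonce=None):
    """Sign the raw values, then URL-encode every parameter exactly once."""
    # token_hex(16) yields 32 characters, inside the 16 to 40 nonce range.
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    # urlencode escapes '+', '/' and '=' in the base64 signature (%2B, %2F, %3D).
    return VERIFY_URL + "?" + urlencode(params)


def response_signature_ok(response, api_key_b64):
    """Recompute h over a parsed reply and compare in constant time."""
    expected = sign(response, api_key_b64)
    return hmac.compare_digest(expected, response.get("h", ""))
```

Signing an already URL-encoded line, or leaving "+" unescaped in h so that the server reads it as a space, both produce a signature mismatch on the server side.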
QUESTION
I'm building a UI using PHP and jQuery that will allow someone to type in a string and it will search apt search
What I want to do is separate (using PHP) the package name, the architecture just after the / and the description of the package just below the line of the package and architecture so I can push this data into a JSON collection and return it to jQuery.
I'm doing the following command:
...ANSWER
Answered 2020-Aug-15 at 17:10
Here are a couple of ways to do it.
One is using explode with array_map (you could use normal foreach instead) and the other way using regex.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install yubikey
PHP requires the Visual C runtime (CRT). The Microsoft Visual C++ Redistributable for Visual Studio 2019 is suitable for all these PHP versions, see visualstudio.microsoft.com. You MUST download the x86 CRT for PHP x86 builds and the x64 CRT for PHP x64 builds. The CRT installer supports the /quiet and /norestart command-line switches, so you can also script it.