compatibility with google-authenticator? #169

Closed
anarcat opened this issue Oct 14, 2020 · 4 comments

anarcat commented Oct 14, 2020

Hi!

Reading the google-authenticator-libpam README file leads me to believe it uses a standard OATH HOTP protocol that should also work with the Yubikey. Yet when I generate a token, it is refused by ykpersonalize:

$ google-authenticator -c -Q NONE -r 1 -R 30 -e 1 -w 3
Your new secret key is: [26 secret characters]
Your verification code is [6 secret digits]
Your emergency scratch codes are:
  [8 secret digits]

Do you want me to update your "/home/anarcat/.google_authenticator" file? (y/n) y
$ ykpersonalize -1 -o oath-hotp -o oath-hotp8 -o append-cr -a
Firmware version 3.4.3 Touch level 1797 Program sequence 2
 HMAC key, 20 bytes (40 characters hex) : [26 secret characters]
Invalid key string

... it seems like the string generated by google-authenticator is too long. Yet even if I trim it to 20 characters (20 bytes?), I get the same error...

Is there a way to convert between the Google Authenticator secret format and the Yubikey one?

Update: it seems the Google authenticator secret is base32-encoded (and weirdly too: base32 -d doesn't like it). But with a little coercion, it can be converted to hex, although only 32 hex characters, not 40... so 16 bytes?

Also: before someone suggests this, I tried setting a 20-byte secret in google authenticator, and it doesn't seem to work.

Member

klali commented Oct 14, 2020

If I remember correctly, google authenticator uses base32 format for encoding the secret key and the ykpersonalize tool uses hex (base16) encoding.

klali closed this as completed Oct 14, 2020

Author

anarcat commented Oct 14, 2020

> If I remember correctly, google authenticator uses base32 format for encoding the secret key and the ykpersonalize tool uses hex (base16) encoding.

That is what I found out as well, except the yubikey uses 20 bytes while google uses 16. Is there a way to tweak the former?

Member

klali commented Oct 14, 2020

Just pad it with zeroes; for hmac (which HOTP is) all keys can be considered to be padded out to 64 bytes with zeroes.

Author

anarcat commented Oct 14, 2020

> Just pad it with zeroes; for hmac (which HOTP is) all keys can be considered to be padded out to 64 bytes with zeroes.

I tried this and failed. I filed an issue on the google side of things, we'll see how it goes.
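
The conversion discussed in this thread, as an added example (not code from the issue or from either project): it restores the base32 padding that strict decoders require, zero-pads the key to 20 bytes, hex-encodes it, and uses RFC 4226 HOTP to check that the zero padding leaves the generated codes unchanged. The function names and the sample secret are constructed for illustration; it does not exercise ykpersonalize or google-authenticator themselves.

```python
import base64
import hashlib
import hmac
import struct

YUBIKEY_HOTP_KEY_LEN = 20  # bytes; the ykpersonalize prompt asks for 40 hex characters


def b32_secret_to_bytes(secret: str) -> bytes:
    """Decode a base32 secret whose trailing '=' padding has been stripped."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # 26 characters need 6 '=' to reach a multiple of 8
    return base64.b32decode(s)


def to_ykpersonalize_hex(secret: str, length: int = YUBIKEY_HOTP_KEY_LEN) -> str:
    """Return the secret as hex, right-padded with zero bytes to `length`."""
    key = b32_secret_to_bytes(secret)
    if len(key) > length:
        raise ValueError(f"secret is {len(key)} bytes, longer than {length}")
    return key.ljust(length, b"\x00").hex()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Constructed sample: 16 known bytes encoded as a 26-character unpadded base32 secret.
SAMPLE_SECRET = base64.b32encode(bytes(range(16))).decode().rstrip("=")

if __name__ == "__main__":
    short_key = b32_secret_to_bytes(SAMPLE_SECRET)
    hex_key = to_ykpersonalize_hex(SAMPLE_SECRET)
    padded_key = bytes.fromhex(hex_key)
    print("base32 secret:", SAMPLE_SECRET, f"({len(short_key)} bytes)")
    print("hex, 20 bytes:", hex_key)
    for counter in range(3):
        # HMAC zero-pads short keys to the 64-byte block, so both columns match.
        print(counter, hotp(short_key, counter), hotp(padded_key, counter),
              hotp(padded_key, counter, digits=8))
```

The 6-digit and 8-digit codes come from the same truncated value, so the 6-digit code is the last six digits of the 8-digit one.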
