Table of Contents
- Table of Contents
This is a fork of
cyrozap/python-vipaccess. Main differences:
- No dependency on
imagelibraries; you can easily use external tools such as
qrencodeto convert an
otpauth://URL to a QR code if needed, so it seems unnecessary to build in this functionality.
- Option to generate either the desktop (
VSST) or mobile (
VSMT) version on the VIP Access tokens; as far as I can tell there is no real difference between them, but some clients require one or the other specifically. There are also some rarer token types/prefixes which can be generated if necessary (reference list from Symantec)
- Command-line utility is expanded to support both token
provisioning (creating a new token) and emitting codes for an
existing token (inspired by the command-line interface of
stoken, which handles the same functions for RSA SecurID tokens
python-vipaccess is a free and open source software (FOSS) implementation of Symantec's VIP Access client.
If you need to access a network which uses VIP Access for two-factor authentication, but can't or don't want to use Symantec's proprietary applications—which are only available for Windows, MacOS, Android, iOS—then this is for you.
As @cyrozap discovered in reverse-engineering the VIP Access protocol (original blog post), Symantec VIP Access actually uses a completely open standard called Time-based One-time Password Algorithm for generating the 6-digit codes that it outputs. The only non-standard part is the provisioning protocol used to create a new token.
If you have
pip installed on your system, you can easily install the dependencies by running
pip install -r requirements.txt in the project root directory.
pip see the
pip installation documentation.
pip3 to automatically fetch Python dependencies. (Note that on most systems,
the Python 3.x version, while
pip invokes the Python 2.7 version; Python 2.7 is still supported, but not
recommended because it's nearing obsolescence.)
# Install latest development version $ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip # Install a tagged release # (replace "RELEASE" with one of the tag/release version numbers on the "Releases" page) $ pip3 install https://github.com/dlenski/python-vipaccess/archive/RELEASE.zip
If you have Docker installed, you can use
this prebuilt Docker image to run
docker run --rm kayvan/vipaccess provision -p -t VSST Credential created successfully: otpauth://totp/VIP%20Access:VSST1113377?secret=YOURSECRET&issuer=Symantec This credential expires on this date: 2020-06-05T15:26:26.585Z You will need the ID to register this credential: VSST1113377
And with your generated secret, use the
show command like this:
docker run --rm kayvan/vipaccess show -s YOURSECRET 935163
(This section covers the expanded CLI options of this fork, rather than @cyrozap's original version.)
Provisioning a new VIP Access credential
This is used to create a new VIP Access token: by default, it stores
the new credential in the file
.vipaccess in your home directory (in a
format similar to
stoken), but it can store to another file instead,
or instead just print out the "token secret" string with instructions
about how to use it.
usage: vipaccess provision [-h] [-p | -o DOTFILE] [-t TOKEN_MODEL] optional arguments: -h, --help show this help message and exit -p, --print Print the new credential, but don't save it to a file -o DOTFILE, --dotfile DOTFILE File in which to store the new credential (default ~/.vipaccess) -t TOKEN_MODEL, --token-model TOKEN_MODEL VIP Access token model. Normally VSST (desktop token, default) or VSMT (mobile token). Some clients only accept one or the other. Other more obscure token types also exist: https://support.symantec.com/en_US/article.TECH239895.html
Here is an example of the output from
vipaccess provision -p:
Credential created successfully: otpauth://totp/VIP%20Access:VSST12345678?secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&issuer=Symantec This credential expires on this date: 2019-01-15T12:00:00.000Z You will need the ID to register this credential: VSST12345678 You can use oathtool to generate the same OTP codes as would be produced by the official VIP Access apps: oathtool -d6 -b --totp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA # 6-digit code oathtool -d6 -b --totp -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA # ... with extra information
Here is the format of the
.vipaccess token file output from
vipaccess provision [-o ~/.vipaccess]. (This file is created with
read/write permissions only for the current user.)
version 1 secret AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA id VSST12345678 expiry 2019-01-15T12:00:00.000Z
Display a QR code to register your credential with mobile TOTP apps
Once you generate a token with
vipaccess provision -p, use
qrencode to display
otpauth:// URL as a QR code:
qrencode -t ANSI256 'otpauth://totp/VIP%20Access:VSSTXXXX?secret=YYYY&issuer=Symantec'
Generating access codes using an existing credential
vipaccess [show] option will also do this for you: by default it
generates codes based on the credential in
~/.vipaccess, but you can
specify an alternative credential file or specify the OATH "token
secret" on the command line.
usage: vipaccess show [-h] [-s SECRET | -f DOTFILE] optional arguments: -h, --help show this help message and exit -s SECRET, --secret SECRET Specify the token secret on the command line (base32 encoded) -f DOTFILE, --dotfile DOTFILE File in which the credential is stored (default ~/.vipaccess
As alluded to above, you can use other standard OATH-based tools to generate the 6-digit codes identical to what Symantec's official apps produce.