4.1.9. Yubikey Support

RAdmin can optionally support Yubikey tokens from Yubico (http://www.yubico.com). Yubico tokens are small USB devices that act like a keyboard and type in a one-time password when the button is pressed. They can be purchased from Yubico and issued to your users. Such tokens provide much higher levels of security than static passwords. Yubikey is supported on all RAdmin platforms.
Each Yubikey token has a unique Token ID (also called the public identity in Yubico documentation), and a secret AES cryptographic key. In order to authenticate a Yubikey token, the RAdmin database must contain a Yubikey record containing both the Token ID and the AES secret for that key. You can add new tokens into the RAdmin database with the RAdmin ‘Import Yubikey Tokens’ page. After a token is imported, it must be allocated to a user before that user can use the token to authenticate.
In order to enable Yubikey token support:
  1. Install Radiator in the usual way.
  2. On the Radiator host, install the Auth-Yubikey_Decrypter module and the Crypt::Rijndael module, both available from CPAN (www.cpan.org).
  3. Install RAdmin as described above in this document.
  4. On the ‘Edit Radmin Configuration’ page enable the ‘Support Yubikey?’ option. Click ‘Update’.
  5. RAdmin web pages will now include ‘List Yubikey Tokens’ and ‘Import Yubikey Tokens’, and the Edit User page will include some new options for allocating and listing allocated Yubikey tokens.
  6. Configure Radiator based on the example configuration file Radiator/goodies/radminYubikey.cfg, which shows how to authenticate using Yubikey token data held in the RAdmin database.
Exactly which Yubikey actions are available to a particular RAdmin user depends on the Permissions profile assigned to them. The Permissions profile individually controls whether a user can List, Allocate, Deallocate, and Import tokens.
The administrator will need to use YubiKey Manager or YubiKey Personalization Tool to program the Yubikey with a new 6-byte Token ID (public identity) and a random AES Secret (AES key), then enter the programmed Token ID and AES Secret into the ‘Import Yubikey Tokens’ page.
Note
Support for Windows COM/ActiveX browser plugin for programming Yubikeys was removed in RAdmin 1.16.
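
The following Python example is added here and is not part of RAdmin, Radiator or Yubico's tools. It generates a random AES secret for a chosen 6-byte Token ID and shows how the Token ID is read from the front of a typed one-time password to find the matching Yubikey record. The function names, the 16-byte AES key length and the 44-character OTP layout are assumptions taken from the standard Yubico OTP format, and the example does not decrypt the OTP.

```python
import secrets

MODHEX = "cbdefghijklnrtuv"   # modhex digit i stands for hex digit i
HEX = "0123456789abcdef"
TOKEN_ID_BYTES = 6            # Token ID length given on this page
AES_KEY_BYTES = 16            # assumption: Yubico OTP uses an AES-128 key
OTP_BLOCK_CHARS = 32          # assumption: one 16-byte encrypted block in modhex


def to_modhex(data: bytes) -> str:
    return data.hex().translate(str.maketrans(HEX, MODHEX))


def from_modhex(text: str) -> bytes:
    text = text.strip().lower()
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(str.maketrans(MODHEX, HEX)))


def new_token_values(token_id: bytes) -> dict:
    """Values to program into one key and then import (hypothetical helper)."""
    if len(token_id) != TOKEN_ID_BYTES:
        raise ValueError("Token ID must be exactly 6 bytes")
    return {
        # Both encodings are returned; the form the import page expects
        # is not stated on this page.
        "token_id_hex": token_id.hex(),
        "token_id_modhex": to_modhex(token_id),
        # Drawn from the OS CSPRNG; generate a fresh secret for every token.
        "aes_secret_hex": secrets.token_hex(AES_KEY_BYTES),
    }


def split_otp(otp: str) -> tuple:
    """Return (Token ID in modhex, encrypted block bytes) from a typed OTP."""
    otp = otp.strip().lower()
    expected = TOKEN_ID_BYTES * 2 + OTP_BLOCK_CHARS
    if len(otp) != expected:
        raise ValueError(f"expected {expected} characters, got {len(otp)}")
    token_id, block = otp[:TOKEN_ID_BYTES * 2], otp[TOKEN_ID_BYTES * 2:]
    from_modhex(token_id)     # raises ValueError on non-modhex input
    return token_id, from_modhex(block)


if __name__ == "__main__":
    values = new_token_values(bytes.fromhex("0123456789ab"))  # constructed ID
    # Constructed OTP: Token ID prefix plus a placeholder (invalid) block.
    sample_otp = values["token_id_modhex"] + "c" * OTP_BLOCK_CHARS
    print("record lookup key:", split_otp(sample_otp)[0])
```

The Token ID travels in clear text at the front of every OTP, so only the AES secret needs to be handled as confidential material between programming the key and importing it.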