Created
February 22, 2020 09:39
-
-
Save mikem/9bca4663fb0fb01f69aaa3c3f0e4bc57 to your computer and use it in GitHub Desktop.
A small Ruby script to verify a Yubikey OTP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # A small script to verify a Yubikey OTP with Yubico. | |
| # Usage: curl $(./yubikey-verify.rb) | |
| require 'openssl' | |
| require 'base64' | |
| require 'cgi' | |
| require 'securerandom' | |
| yubico_id = 11111 | |
| yubico_secrets = { | |
| # This is a map of IDs to secrets. Create a secret at | |
| # https://upgrade.yubico.com/getapikey/ | |
| 11111 => 'secret', | |
| 11112 => 'sekret' | |
| } | |
| id = yubico_id | |
| nonce = SecureRandom.alphanumeric(26) | |
| STDERR.print "Touch the Yubikey! " | |
| otp = gets.chomp | |
| sl = 'secure' | |
| timeout = 10 | |
| def sign(id, secret, query_params) | |
| query_string = query_params.keys.sort.map { |k| "#{k}=#{query_params[k]}"}.join('&') | |
| key = Base64.decode64(secret) | |
| signature = CGI.escape( | |
| Base64.encode64( | |
| OpenSSL::HMAC.digest('sha1', key, query_string) | |
| ).chomp | |
| ) | |
| [query_string, signature] | |
| end | |
| params = { id: id, nonce: nonce, otp: otp, sl: sl, timeout: timeout } | |
| query_string, signature = sign(id, yubico_secrets[id], params) | |
| puts "https://api.yubico.com/wsapi/2.0/verify?#{query_string}&h=#{signature}" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment