JensRantil / yubikey-basic-auth-proxy

Reverse HTTP proxy server that requires Yubikey OTP authentication to allow proxying.
MIT License

[Question]: How does this work? #16

Closed prologic closed 7 years ago

prologic commented 7 years ago

Can you explain at a high-level how this works? Maybe also add this to the README

I've gone through much of the code and this is my takeaway so far:

What isn't super clear to me is how the password + yubikey is expected to work here; The code has a hard-coded slice index of 44?

JensRantil commented 7 years ago

Hi! Sure!

So, (as you probably already know) Basic Auth takes two fields as input:

To accommodate for the lack of a "Yubikey" field, this application interprets the "Password" field as a "user-specific password, concatenated by the user's Yubikey OTP". The length of a Yubikey OTP is 44 characters. Obviously bad coding practice to not name that constant – I just fixed that in https://github.com/JensRantil/yubikey-basic-auth-proxy/pull/17.

So, https://github.com/JensRantil/yubikey-basic-auth-proxy/blob/master/web.go#L64 is simply extracting the 44 character suffix (the Yubikey OTP part) of the password field. The remaining prefix is the user password.

Worth pointing out that this project does not support U2F. If you are interested in that, #12 is up for grabs, or maybe have a look at something like https://github.com/tink-ab/login-service (which is a bit more heavyweight than this project).

Did that clarify things?
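To make the password-field convention described above concrete, here is an added example in Go. It is not code from yubikey-basic-auth-proxy (the project's own extraction lives in the web.go line linked above); the type and function names, the named constant, the modhex character check, the 12-character public-ID extraction and the sample credential are assumptions of this example. It goes slightly beyond the comment by also rejecting a field that is too short to contain an OTP and a suffix that is not in the Yubikey modhex alphabet, which is the check a proxy wants before spending a round trip on OTP validation.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// yubikeyOTPLength is the fixed length of a Yubikey OTP (the hard-coded 44
// the question asked about, given a name here as the linked PR does).
const yubikeyOTPLength = 44

// yubikeyPublicIDLength is the leading part of an OTP that identifies the
// physical key; it is constant across OTPs from the same device.
const yubikeyPublicIDLength = 12

// modhexAlphabet is the 16-character alphabet a Yubikey OTP is emitted in.
const modhexAlphabet = "cbdefghijklnrtuv"

var (
	ErrTooShort  = errors.New("password field is shorter than a Yubikey OTP")
	ErrNotModhex = errors.New("OTP suffix contains non-modhex characters")
	ErrNotBasic  = errors.New("not a Basic Auth header")
)

// Credentials is the result of splitting one Basic Auth request.
type Credentials struct {
	Username string
	Password string // user-specific password: everything before the OTP
	OTP      string // the 44-character Yubikey OTP suffix
	PublicID string // first 12 characters of the OTP, identifying the key
}

// SplitPasswordField separates "<user password><yubikey otp>" into its parts.
// The OTP has a fixed length, so the split point is always len-44; the user
// password itself may contain modhex letters without causing ambiguity.
func SplitPasswordField(field string) (password, otp string, err error) {
	if len(field) < yubikeyOTPLength {
		return "", "", ErrTooShort
	}
	cut := len(field) - yubikeyOTPLength
	password, otp = field[:cut], field[cut:]
	for _, r := range otp {
		if !strings.ContainsRune(modhexAlphabet, r) {
			return "", "", ErrNotModhex
		}
	}
	return password, otp, nil
}

// ParseBasicAuth decodes an Authorization header value and applies the split.
// It reuses net/http's own Basic Auth decoding rather than re-implementing it.
func ParseBasicAuth(header string) (Credentials, error) {
	r := &http.Request{Header: http.Header{"Authorization": {header}}}
	user, field, ok := r.BasicAuth()
	if !ok {
		return Credentials{}, ErrNotBasic
	}
	pw, otp, err := SplitPasswordField(field)
	if err != nil {
		return Credentials{}, err
	}
	return Credentials{
		Username: user,
		Password: pw,
		OTP:      otp,
		PublicID: otp[:yubikeyPublicIDLength],
	}, nil
}

// BasicAuthHeader builds the header value a client would send; used for the demo.
func BasicAuthHeader(user, field string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+field))
}

func main() {
	// Constructed sample: password "hunter2" followed by a 44-char modhex OTP.
	// The OTP is made up for the demo and is not a real Yubikey emission.
	otp := "ccccccbcgujhhgevnbdlhknjvvhfirtufrulikhcdrgt"
	c, err := ParseBasicAuth(BasicAuthHeader("alice", "hunter2"+otp))
	fmt.Printf("%+v err=%v\n", c, err)
}
```

After this split, the proxy would check the user password against its local store and send only the OTP part to the OTP validation service; the public ID lets it bind a user to a specific key rather than accepting any valid OTP.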

prologic commented 7 years ago

Yes thank you! The reason I'm interested in this project is to secure some internal resources I host from home that I'd like others to gain access to without having to VPN into my network. This project seems well suited to the kind of strong authentication I'd like. Speaking of U2F I'd probably be interested in getting this going since I'd also like to verify/track tokens and validations myself as well.

JensRantil commented 7 years ago

Sounds like a perfect use case. I created this project for a similar use case. Although, we migrated to use https://github.com/tink-ab/login-service instead, this project is definitely production ready. Closing this issue. Let me know if you have any questions.

prologic commented 7 years ago

:+1:

James Mills / prologic

E: prologic@shortcircuit.net.au W: prologic.shortcircuit.net.au

On Mon, Jul 24, 2017 at 1:52 AM, Jens Rantil notifications@github.com wrote:

Closed #16 https://github.com/JensRantil/yubikey-basic-auth-proxy/issues/16.
