Yubico / yubiclip-android

YubiKey NEO OTP to clipboard app for Android
BSD 2-Clause "Simplified" License

Yubiclip mangles OTP? #2

Open jbrnd opened 10 years ago

jbrnd commented 10 years ago

I have not been able to use Yubiclip (installed from Google Play) with my Yubikey Neo to authenticate myself via OpenVPN or OpenSSH. I followed the instructions at https://code.google.com/p/yubico-pam/wiki/YubiKeyAndOpenVPNviaPAM but authentication fails every time.

On the other hand, if I attach the Yubikey Neo to my Galaxy Nexus phone via a USB host cable and enter the OTP that way, everything works as it should.

So it appears that Yubiclip corrupts the one-time password in some subtle way - pasting from Yubiclip into a text editor on the phone reveals nothing obviously wrong with the OTP.

How would I go about debugging this further?

jbrnd commented 10 years ago

A clue may be that if I choose to let Firefox handle the NFC event rather than Yubiclip, Firefox opens the URL https://my.yubico.com/neo/[OTP] and this web page says that authentication failed, with status REPLAYED_OTP. But the identity and serial number of the key are recorded correctly on that page.

jbrnd commented 10 years ago

I discovered a workaround for the problem: before, at the Android password prompt, I first typed the user password, then pasted in the OTP and authentication would fail every time.

But if I first paste in the OTP, then go back to the beginning of the string and type in the user password, authentication works reliably. How can this be?!

I think the problem with Firefox and the authentication URL is unrelated.

jas4711 commented 10 years ago

Interesting! Maybe it is the pasting that ends up corrupting the password? Have you checked that you didn't accidentally select part of the password before pasting the OTP? The YubiClip does very little here, and isn't involved after it has read the OTP and then copied it into the clipboard buffer. So it seems that the problem is probably not really related to YubiClip, but still it would be useful to track down what exactly is happening because I think your use case is exactly what we intend YubiClip to be used for.

It would be interesting to see what ends up being sent to the other side when it fails. Any chance you could get that information out of the server? Maybe through the PAM module used by OpenSSH for two-factor auth.

I also note that if YubiClip had a keyboard input method (see #1), things would be easier for you: instead of having to paste the OTP, the OTP would just appear when you swipe it.

jbrnd commented 10 years ago

I'm pretty sure I didn't select the password before pasting. The problem appears both on my Galaxy Nexus phone running Android 4.2.1 and my Nexus 7 tablet running Android 4.3 - I guess it's possible that this is some bug or quirk in Android. I'll see if I can manage to get PAM to print the password it receives.

jbrnd commented 10 years ago

Some PAM patching found the problem: first typing the user password, then pasting in an OTP adds a space (ASCII 32) between the user password and the OTP. Unfortunately I don't know enough about Android to be able to tell where this space comes from or what to do about it.
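Added example, not part of the original thread and not yubico-pam code: a server-side diagnostic that splits a combined "password + OTP" string and counts whitespace bytes sitting directly before the OTP, which is the symptom reported above. It assumes the OTP is the default 44-character modhex string appended after the password; `split_credential`, `struct split` and the sample values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: default Yubico OTP, 12-char public ID + 32-char token, in modhex. */
#define OTP_LEN ((size_t)44)
#define MODHEX "cbdefghijklnrtuv"
/* Constructed sample OTP (not a real token). */
#define SAMPLE_OTP "vvcccccccccc" "bdefghijklnrtuvcbdefghijklnrtuvc"

struct split {
    int ok;          /* 1 if the last OTP_LEN bytes are all modhex */
    size_t pw_len;   /* number of bytes in front of the OTP */
    size_t stray_ws; /* space/tab bytes directly before the OTP */
};

/* Hypothetical helper: split "<password><OTP>" and inspect the boundary. */
struct split split_credential(const char *in)
{
    struct split r = {0, 0, 0};
    size_t n = strlen(in);

    if (n < OTP_LEN)
        return r;
    r.pw_len = n - OTP_LEN;
    if (strspn(in + r.pw_len, MODHEX) != OTP_LEN)
        return r;
    r.ok = 1;
    /* Count only; a password may legitimately end in a space, so do not strip. */
    while (r.stray_ws < r.pw_len) {
        char c = in[r.pw_len - 1 - r.stray_ws];
        if (c != ' ' && c != '\t')
            break;
        r.stray_ws++;
    }
    return r;
}

int main(void)
{
    const char *cases[] = { "hunter2" SAMPLE_OTP, "hunter2 " SAMPLE_OTP };
    for (size_t i = 0; i < 2; i++) {
        struct split r = split_credential(cases[i]);
        /* Log lengths and counts only, never the password bytes. */
        printf("ok=%d pw_len=%zu stray_ws=%zu\n", r.ok, r.pw_len, r.stray_ws);
    }
    return 0;
}
```

A non-zero `stray_ws` on failed logins points at the client's paste behaviour without writing the password itself to the log.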

jas4711 commented 10 years ago

Thanks for debugging this! It is probably Android trying to be helpful by adding the space. Resolving issue #1 will probably be the best solution for you, right? Or can you see any other solution being useful?

jbrnd commented 10 years ago

Yes, I believe making yubiclip a keyboard input method would be a good way to solve this issue. Apparently it's a known problem/bug in the Android copy-paste mechanism: https://code.google.com/p/android/issues/detail?id=41037

Or maybe Yubico has some leverage with Google to get this fixed on the Android side?

jas4711 commented 10 years ago

Good link! Even if it were fixed in Android, a significant number of people would still run older Android versions, so I think any solution here should be generic. Implementing #1 seems like the best solution.

nogweii commented 8 years ago

This doesn't help users of older versions of Android, but this seems to have been fixed in Android 5 (Lollipop).