Yubico / yubikey-personalization

YubiKey Personalization cross-platform library and tool
https://developers.yubico.com/yubikey-personalization/
BSD 2-Clause "Simplified" License

compatibility with google-authenticator? #169

Closed anarcat closed 3 years ago

anarcat commented 3 years ago

hi!

reading the google-authenticator-libpam README file leads me to believe it uses a standard OATH HOTP protocol that should also work with the YubiKey. Yet when I generate a token, it is refused by ykpersonalize:

$ google-authenticator -c -Q NONE -r 1 -R 30 -e 1 -w 3
Your new secret key is: [26 secret characters]
Your verification code is [6 secret digits]
Your emergency scratch codes are:
  [8 secret digits]

Do you want me to update your "/home/anarcat/.google_authenticator" file? (y/n) y
$ ykpersonalize -1 -o oath-hotp -o oath-hotp8 -o append-cr -a
Firmware version 3.4.3 Touch level 1797 Program sequence 2
 HMAC key, 20 bytes (40 characters hex) : [26 secret characters]
Invalid key string

... it seems like the string generated by google-authenticator is too long. Yet even if I trim it to 20 characters (20 bytes?), I get the same error...

Is there a way to convert between the Google Authenticator secret format and the Yubikey one?

Update: it seems the Google Authenticator secret is base32-encoded (and weirdly too: base32 -d doesn't like it). But with a little coercion, it can be converted to hex, although only 32 hex characters, not 40... so 16 bytes?

Also: before someone suggests this, I tried setting a 20-byte secret in Google Authenticator, and it doesn't seem to work.

klali commented 3 years ago

If I remember correctly, Google Authenticator uses base32 format for encoding the secret key, and the ykpersonalize tool uses hex (base16) encoding.

anarcat commented 3 years ago

> If I remember correctly, Google Authenticator uses base32 format for encoding the secret key, and the ykpersonalize tool uses hex (base16) encoding.

That is what I found out as well, except the YubiKey uses 20 bytes while Google uses 16. Is there a way to tweak the former?

klali commented 3 years ago

Just pad it with zeroes; for HMAC (which HOTP is), all keys can be considered to be padded out to 64 bytes with zeroes.

anarcat commented 3 years ago

> Just pad it with zeroes; for HMAC (which HOTP is), all keys can be considered to be padded out to 64 bytes with zeroes.

I tried this and failed. I filed an issue on the Google side of things; we'll see how it goes.
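The two conversions discussed in this thread, as an added worked example (this is not code from yubikey-personalization or google-authenticator, and was not posted by anyone in the issue): restore the "=" padding that google-authenticator omits so a standard base32 decoder accepts the secret, zero-pad the resulting 16-byte key to the 20 bytes the ykpersonalize prompt asks for, and check with an RFC 4226 HOTP implementation that the 16-byte key and its zero-padded 20-byte form produce identical codes. The secret string and the function names are constructed for illustration; the HOTP test vector key "12345678901234567890" is the one from RFC 4226 Appendix D.

```python
"""
Convert a Google Authenticator (base32) HOTP secret into the hex form that
ykpersonalize prompts for, and show that zero-padding a 16-byte key to
20 bytes does not change HMAC-SHA1 based HOTP codes.

Added example for this thread; not code from yubikey-personalization or
google-authenticator.  The secret below is constructed, not a real credential.
"""
import base64
import hashlib
import hmac
import struct

# Constructed 26-character base32 string in the shape google-authenticator
# prints: no '=' padding, so 26 chars = 130 bits, i.e. 16 bytes plus 2 spare bits.
SAMPLE_SECRET = "JBSWY3DPEHPK3PXPJBSWY3DPEH"


def decode_ga_secret(secret: str) -> bytes:
    """Decode a Google Authenticator base32 secret, restoring the '=' padding
    the tool leaves out.  Base32 works in 8-character groups (40 bits), so pad
    the string up to a multiple of 8 before handing it to the decoder."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def to_ykpersonalize_hex(key: bytes, length: int = 20) -> str:
    """Zero-pad the key to `length` bytes (20 for the YubiKey OATH-HOTP slot)
    and return it as the 40 hex characters the ykpersonalize prompt expects."""
    if len(key) > length:
        raise ValueError(f"key is {len(key)} bytes, longer than {length}")
    return (key + b"\x00" * (length - len(key))).hex()


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation of the 20-byte MAC, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def padded_key_matches(key: bytes, counters=range(0, 8), digits: int = 6) -> bool:
    """True when the short key and its zero-padded 20-byte form yield the same
    HOTP codes.  HMAC (RFC 2104) pads any key shorter than the hash block size
    (64 bytes for SHA-1) with zero bytes, so both inputs are the same HMAC key."""
    padded = bytes.fromhex(to_ykpersonalize_hex(key))
    return all(hotp(key, c, digits) == hotp(padded, c, digits) for c in counters)


if __name__ == "__main__":
    key = decode_ga_secret(SAMPLE_SECRET)
    print(f"decoded key: {len(key)} bytes, hex {key.hex()}")
    print(f"ykpersonalize HMAC key (40 hex chars): {to_ykpersonalize_hex(key)}")
    print("6-digit HOTP for counters 0..2:", [hotp(key, c) for c in range(3)])
    print("8-digit HOTP for counters 0..2:", [hotp(key, c, 8) for c in range(3)])
    print("zero-padded key gives identical codes:", padded_key_matches(key))
```

The equality checked by padded_key_matches is exactly the HMAC property klali's comment relies on, so the 20-byte hex string produced here is a valid key for the YubiKey slot. One other parameter has to line up as well: the ykpersonalize command quoted earlier in the thread includes -o oath-hotp8, which selects 8-digit codes, while the google-authenticator verification code shown is 6 digits; hotp(key, counter, 8) prints the 8-digit form so the two can be compared. The missing "=" padding is also a likely reason a strict decoder such as base32 -d rejects the raw string as printed.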