cyrozap / python-vipaccess

A free software implementation of Symantec's VIP Access application and protocol
Apache License 2.0

windows install script #12

Closed systemsplanet-zz closed 5 years ago

systemsplanet-zz commented 7 years ago

The attached command file will download everything possible and create a portable install of vipaccess.exe.

Open a Windows command prompt and run:

mkdir e:\ProgramFiles\python-installer\gitbash

Copy these three files from your git bash install to e:\ProgramFiles\python-installer\gitbash:

curl.exe
libcrypto.dll
libssl.dll

cd /d e:\ProgramFiles\python-installer

Unzip the attached install.cmd to the current path and run:

install.cmd

Follow the prompts.

Good luck. Tested on Windows 7 without admin rights

Edit install.cmd PYTHONHOME setting to change the default install path.

install.zip

https://forum.yubico.com/viewtopic.php?f=26&t=1617&start=10

BigRedBot commented 7 years ago

I have no idea how to find these files: curl.exe libcrypto.dll libssl.dll

systemsplanet-zz commented 7 years ago

http://www.paehl.com/open_source/?CURL_7.52.1

mike lawrence


BigRedBot commented 7 years ago

Is there any way you can include the files, because I am not finding anything but curl.exe, and it is not working when I try it? No files are being downloaded by the script or anything.

Would be better altogether if you could include a link to a precompiled stand alone install that was created using this method. Something that just works when you run it without having to install anything...

systemsplanet-zz commented 7 years ago

Sorry I wrote the java-vipaccess. Can't help with the python version

mike lawrence

On Mar 17, 2017 9:16 PM, "BigRedBot" notifications@github.com wrote:

Is there any way you can include the files, because I am not finding anything but curl.exe, and it is not working when I try it. No files are downloaded by the script or anything.

Would be better altogether if you could include a link to a precompiled stand alone install that was created using this method. Something that just works when you run it without having to install anything...


BigRedBot commented 7 years ago

If I could get any of them to work so I no longer have to use Symantec VIP software, that would be great. I tried to figure out how to get your javascript to work also, with no luck. :(

Would be great if you could just make it into a stand alone utility that required absolutely NO additional installs other than the java runtime library....

Or at the very least detail exactly how to install everything else that you must have installed to use it. But it would be super terrific if that wasn't necessary. :)

I feel like something like this could easily be made standalone enough to be a simple utility that could be ran from a web page, or a simple stand alone program with a GUI. If I knew enough about the code myself, I would definitely convert it into something that any halfwit could run and use, without having to do anything special with it first just to get it to run.

The Symantec VIP software is terrible and I don't think anyone should have to be forced to use it. I already lost my credentials once because a phone I had was wiped, and I could have easily backed that up if I wasn't forced to use the Symantec VIP software.

systemsplanet-zz commented 7 years ago

The solution you are looking for (and I agree with you is needed) is probably a JavaScript port that runs in a browser (without nodejs). It's not trivial work since it requires crypto and OTP which may require a port from NodeJS to run in the browser. If I get some free time I may look into the port to browser JavaScript. The risk is Symantec could change the API in a way that breaks the JavaScript port.

I wrote the Java version because the python version was such a nightmare to install (without window admin rights). I even wrote an install.zip to simplify the python build but that assumes an existing curl and is brittle since some dependencies block automated downloads. https://forum.yubico.com/viewtopic.php?f=26&t=1617&sid=907f4e2c815a4b2f4069ffee9d2c2cdb&start=10

All you need for the Java-vipaccess version is Java and Maven, which are both trivial to install (just google... Apache Maven is just an unzip to install)

Once those are installed, follow this readme

https://github.com/systemsplanet/java-vipaccess/blob/master/README.txt

The java jar file created could easily be packaged using any of the existing apps that bundle a Java jar with a jvm into an exe. That's not something I'm interested in working on, as most people should be fearful of running an exe from the internet.

If you are interested in the java version, and can't get it to work after installing the jvm and Maven, I'm happy to help you get it working.

mike lawrence


BigRedBot commented 7 years ago

Before I attempt this, do I need to install just the java runtime library or do I also need to install the JDK?

I haven't googled it yet, but I am pretty sure I can figure out how to install Maven.

systemsplanet-zz commented 7 years ago

on a modern windows PC:

Open this page http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

Select the radio button to accept the license

As a windows admin, select this file to install 64bit Java jre-8u121-windows-x64.exe http://download.oracle.com/otn-pub/java/jdk/8u121-b13/e9e7ea248e2c4826b92b3f075a80e441/jre-8u121-windows-x64.exe

Download this Maven zip http://www.gtlib.gatech.edu/pub/apache/maven/maven-3/3.3.9/binaries/apache-maven-3.3.9-bin.zip

Unzip it

Download this source code zip https://github.com/systemsplanet/java-vipaccess/archive/master.zip

Unzip it

Then follow the readme https://github.com/systemsplanet/java-vipaccess

mike lawrence


systemsplanet-zz commented 7 years ago

I just uploaded a single file JavaScript version of VIP Access with zero dependencies.

Unfortunately, Symantec has disabled their test website so I've not had a chance to test it. But it should be close if you want to give it a try.

https://github.com/systemsplanet/javascript-vipaccess

Sincerely, Mike Lawrence


BigRedBot commented 7 years ago

Does this only work with Yubikey and E*Trade? I personally want to try to use Authy for other sites such as ebay or paypal. If this can not be used for that, then I guess it will not be able to help me, unless there is some way to get it to work for that.

crme commented 7 years ago

Hi BigRedBot, I am presently using it exactly the way you intend to; with Authy for eBay & Paypal. Works perfectly fine!

BigRedBot commented 7 years ago

Oh, that's pretty cool. I tried to scan the qr code with authy and it said the code was invalid. Do I have to enter a code manually instead?

systemsplanet-zz commented 7 years ago

javascript-vipaccess should work with any TOTP client, including software and hardware:

TOTP Software Apps

Google Authenticator App https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Authy https://play.google.com/store/apps/details?id=com.authy.authy

TOTP Hardware

Yubikey Neo https://www.yubico.com/products/yubikey-hardware/yubikey-neo/ A physical Yubikey Neo stores your secret keys safely off of your phone until needed, so it is a magnitude safer than any mobile app-only solution that can be remotely hacked to steal your keys. The Neo works with a Yubico NFC mobile app to provide the key for TOTP use cases.

I've been using Yubikey Neo for a year with gmail, github, Etrade, and Lastpass on my android phones, tablets, and windows workstations without a single issue.

U2F

FYI, the most secure logins, including google and github, don't use TOTP. They use the Neo's FIDO Alliance https://fidoalliance.org/ Universal 2nd Factor (U2F) protocol. The U2F secret key never leaves the Neo hardware. Neo supports both U2F and TOTP so it is the best safest single-solution that works across platforms, in my opinion.

Mike Lawrence

On Mar 25, 2017 5:57 AM, "BigRedBot" notifications@github.com wrote:

Does this only work with Yubikey and E*Trade? I personally want to try to use Authy for other sites such as ebay or paypal. If this can not be used for that, then I guess it will not be able to help me unless there is some way to get it to work for that.


BigRedBot commented 7 years ago

Authy is saying that the secret key is invalid. I will give you an example of what it is giving me. I will not use this one, I am only putting it here as an example.

Credential ID: VSMT68457389

Secret Key: 1a7njrdx7c8ycv8qjj2d4ae8eb8442yypf0nn2gjbyv45rpbg9n0

http://i.imgur.com/kZ5x603.png

Other than the secret key being rejected by authy so that I can't use it, the script seems to work exactly as I would like it to. :)

systemsplanet-zz commented 7 years ago

Thanks for trying it. I also verified Google Auth didn't like it either. It worked with the Yubikey App.

I'll need to do some research to understand what's wrong. Thanks for testing it.

Mike Lawrence

On Mar 25, 2017 7:37 PM, "BigRedBot" notifications@github.com wrote:

Authy is saying that the secret key is invalid. I will give you an example of what it is giving me. I will not use this one, I am only putting it here as an example.

otpauth://totp/VIP%20Access:VSMT68457389?issuer=Symantec&secret=1a7njrdx7c8ycv8qjj2d4ae8eb8442yypf0nn2gjbyv45rpbg9n0&


BigRedBot commented 7 years ago

I suspect that the secret key is formatted in a format that Google Authenticator is not compatible with. I am guessing that converting it into a format that it is compatible with Google Authenticator may make it compatible with all of the applications.

systemsplanet-zz commented 7 years ago

It is using base32 already.

The problem is likely the URL being created. Changing 3384/5 from

return "otpauth://" + u(OTP_TYPE) + "/" + u(APP) + ":" + u(id) + "?issuer=" + u(DIST_CHANNEL) +

To

return "otpauth://" + u(id) + "?" +

May fix if you want to give it a try.

mike lawrence

On Mar 25, 2017 9:07 PM, "BigRedBot" notifications@github.com wrote:

I suspect that the secret key is formatted in a format that Google Authenticator is not compatible with. I am guessing that converting it into a format that it is compatible with Google Authenticator may make it compatible with all of the applications.

I am not sure what encoding the current one is using, but I imagine it would be a simple thing to convert it to a format that is accepted. I think it will work fine if the secret key is converted to Base32.


BigRedBot commented 7 years ago

I actually fixed the invalid qr code error, but now it gives the invalid secret key error that I was getting when I manually enter in the information.

It seems like the average Base32 code is much shorter (and usually all caps, but I am not sure if that would make a difference at all). Are you sure it is encoding it the same way that Google Authenticator is expecting it to be?
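A strict check of an otpauth:// URI against the RFC 4648 base32 alphabet (A-Z and 2-7), as an added example that is not part of this thread or of javascript-vipaccess. The function names and the second sample URI are constructed for illustration; the first URI is the one quoted earlier in the thread.

```javascript
// Added example, not code from javascript-vipaccess.
const RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Characters of `secret` outside the RFC 4648 base32 alphabet
// (case-insensitive, trailing "=" padding ignored), each listed once.
function invalidBase32Chars(secret) {
  const body = secret.toUpperCase().replace(/=+$/, "");
  return [...new Set(body)].filter((c) => !RFC4648_ALPHABET.includes(c));
}

// Decode RFC 4648 base32 to bytes; throws on characters outside the alphabet.
function base32Decode(secret) {
  const bad = invalidBase32Chars(secret);
  if (bad.length) throw new Error("not RFC 4648 base32: " + bad.join(""));
  let bits = 0, acc = 0;
  const out = [];
  for (const c of secret.toUpperCase().replace(/=+$/, "")) {
    acc = (acc << 5) | RFC4648_ALPHABET.indexOf(c);
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the leftover low bits
    }
  }
  return Uint8Array.from(out);
}

// Returns { problems: [...], keyBytes: n | null } for an otpauth:// URI.
function checkOtpauthUri(uri) {
  const problems = [];
  const u = new URL(uri);
  if (u.protocol !== "otpauth:") problems.push("scheme is not otpauth");
  if (!["totp", "hotp"].includes(u.hostname)) problems.push("type must be totp or hotp");
  if (decodeURIComponent(u.pathname).length < 2) problems.push("missing label");
  const secret = u.searchParams.get("secret");
  if (!secret) return { problems: [...problems, "missing secret"], keyBytes: null };
  const bad = invalidBase32Chars(secret);
  if (bad.length) {
    problems.push("secret has non-base32 characters: " + bad.sort().join(""));
    return { problems, keyBytes: null };
  }
  return { problems, keyBytes: base32Decode(secret).length };
}

// URI quoted in the thread, then a constructed URI with a valid 10-byte secret.
const THREAD_URI = "otpauth://totp/VIP%20Access:VSMT68457389?issuer=Symantec" +
  "&secret=1a7njrdx7c8ycv8qjj2d4ae8eb8442yypf0nn2gjbyv45rpbg9n0&";
const SAMPLE_URI = "otpauth://totp/Example:alice?secret=JBSWY3DPEHPK3PXP&issuer=Example";
console.log(checkOtpauthUri(THREAD_URI));
console.log(checkOtpauthUri(SAMPLE_URI));
```

`keyBytes` is the decoded key length, which is the value to compare when a secret looks longer than expected.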

crme commented 7 years ago

@BigRedBot I created codes about 10 weeks ago on Linux. It took some fiddling, but unfortunately I can't recall the steps in detail any more. But it works just fine and I use Authy every day. I generated some spare codes too; they look like: VSST followed by 8 digits and a 32-digit key

systemsplanet-zz commented 7 years ago

Thanks for figuring out what was wrong with the URL.

So now the issue is likely the base32 implementation is wrong (unlikely) or the AES decryption has an issue. I think AES may be returning a decoded secret key that is too long due to CBC padding.

I'll need to go back to the Java code and see what it returns vs the JavaScript AES

Thanks again.. I think it's pretty close.

mike lawrence

On Mar 26, 2017 3:52 AM, "BigRedBot" notifications@github.com wrote:

I actually fixed the invalid qr code error by replacing the function return with this: return "otpauth://" + u(OTP_TYPE) + "/" + u(APP) + "%3A" + u(id) + "%3Fsecret%3D" + secretBase32 + "%26issuer%3D" + u(DIST_CHANNEL)

But now it gives the invalid secret key error that I was getting when I manually enter in the information.

It seems like the average Base32 code is much shorter (and usually all caps, but I am not sure if that would make a difference at all). Are you sure it is encoding it the same way that Google Authenticator is expecting it to be?


BigRedBot commented 7 years ago

I submitted a pull request with a better fix for the qr code: https://github.com/systemsplanet/javascript-vipaccess/pull/1

cyrozap commented 5 years ago

Closing this issue since I'm no longer maintaining this project and will be archiving it soon. Please use this fork instead.