Open lsascha opened 2 years ago
I think I only implemented standard TOTP on CLI side, might be that.
Sorry to ask, but what does that mean exactly? Can I do something differently to get it to work? Does this need to be fixed?
I would also be happy to use Challenge-Response (https://richardbenjaminrush.com/keechallenge/) with my Solo2 Key, but I have no idea how to set this up using the CLI at all.
The following command sequence works for me on Linux (with dev-builds of firmware + CLI):
% solo2 app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
keepass
% solo2 app oath totp keepass
08433023
% solo2 app oath totp keepass
52934625
Regarding challenge-response, we will not implement Yubico's HMAC-SHA1 functionality. The reason is that a) it's proprietary, b) SHA1 is deprecated, and c) FIDO has HMAC-SHA256 functionality built-in via the hmac-secret extension. We don't currently have FIDO functionality implemented in the Solo 2 CLI, but the description for the Solo 1 CLI works: https://github.com/solokeys/solo-python#challenge-response
Yes it works, but only with the example secret you used as well. Which puzzles me, because there must be a way to generate a usable secret here. How can I generate one? I will not use the example secret for it obviously.
And the secrets generated by keepass are not accepted.
You can take any secret you like and base32-encode it.
Linux example:
% export SECRET=$(head -c 32 /dev/urandom|base32 -w0)
% echo $SECRET
MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
% solo2 app oath register example ${SECRET}
example
% solo2 app oath totp example
563741
However, note that your counterparty will need this secret too; typically that party gives you the secret, base32-encoded.
What is an example from keepass?
Have you seen https://github.com/google/google-authenticator/wiki/Key-Uri-Format?
Oh, so the secret has to be Base32 encoded? Why does it work with the example secret then, which seems to not be base32 encoded?
Still confused. But thanks anyway. Will try it that way.
It is. You can omit the trailing equal signs.
hmmm, sorry I'm adding myself here, but I do have some strange problem:
~/tmp/solov2 ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A
Error: invalid length at 48
~/tmp/solov2 ✖1 ❯ solo2 app oath register test MBS2D6BLW543YA7XSKFL2BBTJX3WCB5VYHYFCQV7VJK24GVDST6A====
test
~/tmp/solov2 ❯ solo2 app oath totp test
Error: p1/p2 parameters not supported on this transport
Any idea what could be wrong?
solo2 app admin version
2:20220822.0
solo2 -V
solo2 0.2.1
MacOS 12.6, M1
Hey running into the same issue as @theerror
Just getting back, to let you know that on Ventura it's working fine as far as I can say.
panelacek$ solo2 app oath totp test
814238
I was experiencing the p1/p2 parameters not supported on this transport error as well. This comment mentions that OATH only works over PCSC but the PCSC daemon (pcscd) wasn't running on my machine. After starting the service, I can use the above oath command just fine. Hope that helps someone.
Thanks for the discussion. I wanted to mention that the issue I ran into was that solo2 is expecting specific casing on the Base32 secret. By using oathtool, you can generate the proper Base32 secret...
oathtool -b --verbose ${lowercase_base32_secret}
oathtool --verbose ${hex_secret}
Either of these should display Base32 secret, which is compatible with solo2. Sure, there are other ways of capitalizing a string, but this is helpful regardless of what type of secret you've been provided.
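As an added example (not code from this thread or from the solo2 project), the script below does on the host what the comments above describe: it normalizes a Base32 secret to the uppercase, padded form, re-encodes a key given as hex (hex digits 0, 1, 8 and 9 are not Base32 symbols, which is what an "invalid symbol" error points at), generates a fresh random secret like the /dev/urandom one-liner, and computes RFC 4226 HOTP / RFC 6238 TOTP so the value the key prints can be cross-checked. The demo secret is the RFC 4226 test key, a constructed value and not one of the secrets in this thread.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def normalize_base32(secret: str) -> str:
    """Canonicalise a Base32 secret as tools hand it out (any case, optional
    spaces or dashes, optional padding) into the uppercase, '='-padded form
    that base64.b32decode (and, per the thread, the solo2 CLI) accept."""
    cleaned = "".join(secret.split()).replace("-", "").rstrip("=").upper()
    return cleaned + "=" * (-len(cleaned) % 8)  # RFC 4648 pads to a multiple of 8


def secret_from_hex(hex_secret: str) -> str:
    """A raw key given as hex is not valid Base32 (hex digits 0, 1, 8 and 9
    trigger 'invalid symbol'), so decode the hex and re-encode it as Base32."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode()


def new_secret(nbytes: int = 20) -> str:
    """Fresh random secret, Base32-encoded; same idea as head -c N /dev/urandom | base32."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(base32_secret: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation), to compare with what the key prints."""
    key = base64.b32decode(normalize_base32(base32_secret))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(base32_secret: str, digits: int = 6, step: int = 30, now=None) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second Unix time step."""
    t = int(time.time() if now is None else now)
    return hotp(base32_secret, t // step, digits)


if __name__ == "__main__":
    # Constructed demo value: the RFC 4226 test key "12345678901234567890", Base32, lowercase.
    demo = "gezdgnbvgy3tqojqgezdgnbvgy3tqojq"
    print(normalize_base32(demo))          # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
    for c in range(3):
        print(c, hotp(demo, c))            # 755224, 287082, 359152
```

Feed the normalized string to `solo2 app oath register` and compare `hotp(secret, counter, 8)` (for an `-c 20 -d 8` credential, start at counter 20) or `totp(secret)` with what the key returns.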
Hello. I am trying to secure my keepass database with OATH HOTP.
So in keepass it lets me generate a random 128-bit Secret Key or a 256-bit Secret Key. Since the example from the CLI is 128-bit I went with that, but for some reason I am unable to get the CLI to accept the generated Key.
I am always getting
Error: invalid symbol at 4
etc. The number is always changing when generating a new Secret Key. Since I haven't found a way to let the CLI generate the Secret, I am a bit lost and the error is not really helpful about what is wrong with the key. I tried to delete and replace the symbols at the mentioned locations but only got to
Error: invalid symbol at 0
And no matter what I change the first number/letter to, it stays at location 0.
Any idea or solution how this is supposed to work?
btw. using the example secret like this:
solo2-v0.1.1-x86_64-pc-windows-msvc.exe app oath register -c 20 -k hotp -d 8 keepass JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP
it works, but I don't want to use a secret everybody knows.