cancel
Showing results for 
Search instead for 
Did you mean: 
JRahm
Community Manager
Community Manager

Problem this snippet solves:

This solution using Yubico's YubiKey OTP generator technology along with their YubiCloud service and BIG-IP LTM to perform Two-Factor Authentication for an application. Please reference the tech tip for details.

NOTE: Built on version 11.4, though the only 11.4 dependency is the nonce generator proc that can be rolled into the CLIENT_ACCEPTED event for earlier versions. The non-proc version is of the CLIENT_ACCEPTED event is shown in the tech tip reference above.

How to use this snippet:


Code :

# Required Data-groups

ltm data-group internal authorized_users {
    records {
        jason {
            data /md5sum of password here/
        }
        jrahm {
            data /md5sum of password here/
        }
    }
    type string
}
ltm data-group internal yubikey_users {
    records {
        jrahm {
            data /yubikey serial number here/
        }
    }
    type string
}

# Source Code - NOTE: You'll need your own YubiCloud API Client ID And Secret Key to plug into the static variables

### PROC FOR NONCE GENERATOR ###
proc randomNumberGenerator {length {chars "0123456789"}} {
  set range [expr {[string length $chars]-1}]
  set txt ""
  for {set i 0} {$i < $length} {incr i} {
    set pos [expr {int(rand()*$range)}]
    append txt [string range $chars $pos $pos]
  }
  return $txt
}
when RULE_INIT {
  #for yubico auth
  array set static::modhex_alphabet { 0 c 1 b 2 d 3 e 4 f 5 g 6 h 7 i 8 j 9 k A l B n C r D t E u F v }
  set static::yubico_client_id "xxxxx"
  set static::yubico_secret_key "xxxxx"  
}  
when CLIENT_ACCEPTED {
  set attempts 0
  #for form auth
  set forceauth 1
  set auth_status 2
  set aeskey "AES 128 63544a5e7178677b45366b41405f2dab"
  set ckname BIGIP_AUTH
  #for yubico auth
  set yubico_server [RESOLV::lookup @24.217.0.5 -a "api2.yubico.com"]
  set nonce [call randomNumberGenerator 25]  
}

when HTTP_REQUEST {
  if { not ([HTTP::path] starts_with "/Login_form") } {
    if { [HTTP::cookie exists $ckname] } {
      set cookie_payload [HTTP::cookie value $ckname]
      set decryptedCookie [AES::decrypt $aeskey [b64decode $cookie_payload ]]
      if { not ( $decryptedCookie equals "" ) } {
        # retrieve the auth status from the session table
        set auth_status [session lookup uie $decryptedCookie]
      }
      # If the auth status is 0 then the user is authenticated
      if { $auth_status eq 0 } {
        #Cookie Decrypted & Session Auth valid 
        set forceauth 0
      }
    }
    if {$forceauth eq 1} {
      set orig_uri [HTTP::uri]
      HTTP::redirect "/Login_form?req=$orig_uri"
    }
  } else {
    # If the user is re-directed to the login form then serve the login form from the BigIP
    if { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "GET" } {
      # Retrieve the login form from ifile
      HTTP::respond 200 content [ifile get loginformlong] "Content-Type" "text/html"
  return  
    } elseif { [HTTP::path] starts_with "/Login_form" && [HTTP::method] equals "POST" } {
      # Process the login form and auth the user
      HTTP::collect [HTTP::header Content-Length]
    }
  }
}
when HTTP_REQUEST_DATA {
  set namevals [split [HTTP::payload] "&"]
  # Break out the POST data for username and password values
  for {set i 0} {$i < [llength $namevals]} {incr i} {
    set params [split [lindex $namevals $i] "="]
    if { [lindex $params 0] equals "username" } {
      set auth_user [lindex $params 1]
    }
    if { [lindex $params 0] equals "password" } {
      set auth_pw [lindex $params 1]
    }
if { [lindex $params 0] equals "otp" } {
  set auth_otp [lindex $params 1]
} 
  }
  #validate basic authentication (username/password) before trying OTP validation  
  binary scan [md5 $auth_pw] H* password  
  if { $password eq [class lookup $auth_user authorized_users] } {
#start OTP validation here
set yubikey_modhex 1
if { $auth_user ne "" } {
set yubikey_serial [string trimleft [class lookup $auth_user yubikey_users] 0]
if { $yubikey_serial eq "" } {
HTTP::respond 200 content "

No Yubikey on file for username $auth_user. Contact Support.

" return } if { [string is integer -strict $yubikey_serial] } { set yubikey_serial [split [format %012X $yubikey_serial] ""] set yubikey_modhex "" foreach index $yubikey_serial { append yubikey_modhex $static::modhex_alphabet($index) } } } if { $yubikey_modhex equals [string range $auth_otp 0 11] } { ## Build GET request to yubico ## set params "id=$static::yubico_client_id&nonce=$nonce&otp=$auth_otp" set signature [string map { "+" "%2B" } [b64encode [CRYPTO::sign -alg hmac-sha1 -key [b64decode $static::yubico_secret_key] $params]]] set yubico_get_request "GET /wsapi/2.0/verify?$params&h=$signature HTTP/1.1\r\n" append yubico_get_request "Host: api2.yubico.com\r\n" append yubico_get_request "Accept: */*\r\n\r\n" ## Create connection and send request set conn [connect -timeout 1000 -idle 30 $yubico_server:80] send -timeout 1000 -status send_status $conn $yubico_get_request ## Store Response from yubico set yubico_response [recv -timeout 1000 -status recv_info $conn] #set hash [getfield [getfield $yubico_response "\r\n" 9] "=" 2] #set timestamp [getfield [getfield $yubico_response "\r\n" 10] "=" 2] set otp_r [getfield [getfield $yubico_response "\r\n" 11] "=" 2] set nonce_r [getfield [getfield $yubico_response "\r\n" 12] "=" 2] #set sl [getfield [getfield $yubico_response "\r\n" 13] "=" 2] set status [getfield [getfield $yubico_response "\r\n" 14] "=" 2] if { not ( ($status eq "OK") && ($auth_otp eq $otp_r) && ($nonce eq $nonce_r)) } { HTTP::respond 200 content "

Yubico Authentication Failed. Status=$status

" } else { session add uie $auth_user 0 1800 set encrypted_user [b64encode [AES::encrypt $aeskey $auth_user]] set authcookie [format "%s=%s; path=/; " $ckname $encrypted_user] HTTP::respond 302 Location $orig_uri "Set-Cookie" $authcookie } } else { if { $attempts < 3 } { HTTP::redirect "/Login_form?req=$orig_uri" incr attempts } else { HTTP::respond 200 content "You have exceeded the acceptable login attempts. Please try again later." } } } else { if { $attempts < 3 } { HTTP::redirect "/Login_form?req=$orig_uri" incr attempts } else { HTTP::respond 200 content "You have exceeded the acceptable login attempts. Please try again later." } } }
Version history
Last update:
‎18-Mar-2015 16:37
Updated by:
Contributors