Aws-vault: Yubikey Integration

Created on 28 Feb 2018  路  15Comments  路  Source: 99designs/aws-vault

It'd be nice if aws-vault could automatically generate TOTP codes using a Yubikey.

I don't expect this to be an easy undertaking, but I think it'd be a very nice quality of life improvement if prompts for MFA codes were replaced by "Touch your Yubikey to generate an MFA code." if the TOTP secret was stored with the option to require touch, or no prompt at all if not. This would be activated by an additional setting to configure alongside mfa_serial, to designate which TOTP secret in the Yubikey to use for a given profile (and maybe also which Yubikey).

What I would like to know is: If I (or anyone else鈥擨'm _not_ promising I'll be able to put time into this right away) succeeded in implementing this, is this a feature that you'd be willing to merge? (Assuming adequate code quality and lack of license issues, of course.)

Yubico's own "Yubico Authenticator" app and the relevant (C) dependencies seems to be under 2-clause BSD in various Yubico repos on Github, although my inclination would be to instead use it as a roadmap to reimplement the necessary bits in Go.

Most helpful comment

I've been working on adding yubikey functionality to aws-vault. I've implemented add/remove yubikey as mfa device and attempt get otp from yubikey before prompting the user, will have a PR in a few days.

All 15 comments

Interesting idea, it's certainly something I'd consider. I personally use 1password for TOTP codes, and I've considered a similar integration for it.

Looks like https://github.com/jessfraz/libyubikey would make it viable.

I'd want to to verify first that it was possible to request an MFA code from a Yubikey via the API.

If you add a otp seed to the yubikey and have yubioath installed, it's possible to run and get a token.

$ yubioath show aws | awk '{print $NF}'
Touch your YubiKey...
123456

I've started using this with aws-vault as follows:

$ aws-vault exec profilename -m `yubioath show aws | awk '{print $NF}'` --  command
$ aws-vault login profilename -t `yubioath show aws | awk '{print $NF}'`

It's a little irritating as the flags are different (-m for exec and -t for login), and aws-vault login has only been giving me the aws sign on page in the browser of late, but it's a temporary measure that works.

Recently released https://github.com/yawn/ykoath - might fit your use case, if you can live with the libpcsclite dependency.

I can confirm that @ngerstle's workaround works really well. The only annoyance is that due to no integration with "aws-vault" it prompts every time (due to the backticks executing the command every time) and doesn't "cache" the 2FA session like it does with a regular Virtual 2FA device.

I'd want to to verify first that it was possible to request an MFA code from a Yubikey via the API.

Yes @lox - see https://github.com/yawn/ykoath for the Go API and https://github.com/kreuzwerker/awsu for an actual implementation of using a Yubikey for AWS MFA authentication.

Is there any way to use yubikeys other than with @ngerstle workaround?
When I try to use it, it will give me the following validation error:

aws-vault: error: Failed to get credentials for gsl-base (source profile for gsl-integration-admin): ValidationError: 2 validation errors detected: Value 'XXXXXXXXXXXXXXXXXXXXXXXX' at 'tokenCode' failed to satisfy constraint: Member must satisfy regular expression pattern: [\d]*; Value 'XXXXXXXXXXXXXXXXXXXXXXXX' at 'tokenCode' failed to satisfy constraint: Member must have length less than or equal to 6

Thanks

You're trying to submit the Yubikey OTP instead of a TOTP code that is stored on the Yubikey.

AWS doesn't yet support anything other than TOTP so you will need to store the TOTP seed on your Yubikey and then extract an OTP code when prompted for it using something like @ngerstle's workaround above until either someone writes something that will have AWS-Vault automatically grab the OTP code from Yubikey when it receives a challenge (and, optionally, the Yubikey is touched if required) or AWS starts natively supporting U2F for API/SDK access.

Thanks! @tomelliff that makes it clear.

I've been working on adding yubikey functionality to aws-vault. I've implemented add/remove yubikey as mfa device and attempt get otp from yubikey before prompting the user, will have a PR in a few days.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

not stale

Fixed in #316

Was this page helpful?
0 / 5 - 0 ratings

Related issues

jottr picture jottr  路  3Comments

gws picture gws  路  5Comments

solsglasses picture solsglasses  路  3Comments

ismailyenigul picture ismailyenigul  路  4Comments

mazzy89 picture mazzy89  路  6Comments