Merge pull request dani-garcia#254 from Step7750/master

Adds Yubikey OTP Support
thelittlefireman · Nov 16, 2018 · 8fc5994 · 8fc5994
2 parents 65a1eb3 + 0cd73fb
commit 8fc5994
Show file tree

Hide file tree

Showing 8 changed files with 394 additions and 1 deletion.
diff --git a/.env b/.env
@@ -40,6 +40,14 @@
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
 # DOMAIN=https://bw.domain.tld:8443
 
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
 ## Rocket specific settings, check Rocket documentation to learn more
 # ROCKET_ENV=staging
 # ROCKET_ADDRESS=0.0.0.0 # Enable this to test mobile app

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -57,6 +57,9 @@ jsonwebtoken = "= 4.0.1"
 # U2F library
 u2f = "0.1.2"
 
+# Yubico Library
+yubico= { version = "0.4.0", default-features = false }
+
 # A `dotenv` implementation for Rust
 dotenv = { version = "0.13.0", default-features = false }
 
@@ -84,3 +87,6 @@ lettre_email = { git = 'https://github.com/lettre/lettre', rev = 'c988b1760ad81'
 
 # Version 0.1.2 from crates.io lacks a commit that fixes a certificate error
 u2f = { git = 'https://github.com/wisespace-io/u2f-rs', rev = '193de35093a44' }
+
+# Allows optional libusb support
+yubico = { git = 'https://github.com/dani-garcia/yubico-rs' }
diff --git a/README.md b/README.md
@@ -28,6 +28,7 @@ _*Note, that this project is not associated with the [Bitwarden](https://bitward
   - [Enabling HTTPS](#enabling-https)
   - [Enabling WebSocket notifications](#enabling-websocket-notifications)
   - [Enabling U2F authentication](#enabling-u2f-authentication)
+  - [Enabling YubiKey OTP authentication](#enabling-yubikey-otp-authentication)
   - [Changing persistent data location](#changing-persistent-data-location)
     - [/data prefix:](#data-prefix)
     - [database name and location](#database-name-and-location)
@@ -68,11 +69,11 @@ Basically full implementation of Bitwarden API is provided including:
  * Serving the static files for Vault interface
  * Website icons API
  * Authenticator and U2F support
+ * YubiKey OTP
 
 ## Missing features
 * Email confirmation
 * Other two-factor systems:
-  * YubiKey OTP (if your key supports U2F, you can use that)
   * Duo
   * Email codes
 
@@ -252,6 +253,22 @@ docker run -d --name bitwarden \
 
 Note that the value has to include the `https://` and it may include a port at the end (in the format of `https://bw.domain.tld:port`) when not using `443`.
 
+### Enabling YubiKey OTP authentication
+To enable YubiKey authentication, you must set the `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` env variables.
+
+If `YUBICO_SERVER` is not specified, it will use the default YubiCloud servers. You can generate `YUBICO_CLIENT_ID` and `YUBICO_SECRET_KEY` for the default YubiCloud [here](https://upgrade.yubico.com/getapikey/).
+
+Note: In order to generate API keys or use a YubiKey with an OTP server, it must be registered. After configuring your key in the [YubiKey Personalization Tool](https://www.yubico.com/products/services-software/personalization-tools/use/), you can register it with the default servers [here](https://upload.yubico.com/).
+
+```sh
+docker run -d --name bitwarden \
+  -e YUBICO_CLIENT_ID=12345 \
+  -e YUBICO_SECRET_KEY=ABCDEABCDEABCDEABCDE= \
+  -v /bw-data/:/data/ \
+  -p 80:80 \
+  mprasil/bitwarden:latest
+```
+
 ### Changing persistent data location
 
 #### /data prefix:

diff --git a/src/api/core/mod.rs b/src/api/core/mod.rs
@@ -83,6 +83,9 @@ pub fn routes() -> Vec<Route> {
         generate_u2f_challenge,
         activate_u2f,
         activate_u2f_put,
+        generate_yubikey,
+        activate_yubikey,
+        activate_yubikey_put,
 
         get_organization,
         create_organization,