Yubikey One-Time-Password Authentication with APM

Well, my Yubikey 4 arrived today so I had a chance to play around with its one-time-password capabilities – read about their U2F and APM capabilities here. The primary benefit of OTP over U2F is that it’s supported across almost every major browser and OS. This makes the Yubikey 4 a little more palatable for enterprises – note the Yubikey 4 supports both OTP and U2F.

Jason Rahm posted an article on DevCentral regarding 2FA using Yubikey, YubiCloud and BIG-IP LTM back in 2013. I’ve adapted that iRule to use APM Agent Events so we can leverage Yubikeys for 2FA in APM. For more information on Yubikey OTP clients check out the Getting Started Writing Clients page.

Configuration

  1. To configure this you’ll need to add the iRule below to your BIG-IP and replace XXXXXX with your YubiCloud client ID and Secret Key.
  2. Add a data group (yubikey_users) and populate it with username:serial pairs.
  3. Add an iRule event to your APM VPE:
    1. set the name to OTP Valid
    2. set the ID to “otp_verify”
    3. add a branch rule
      1. name it Yes
      2. add an advanced expression of:

expr { [mcget {session.custom.otp_valid} ] == 1}
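
The checks that sit behind session.custom.otp_valid, sketched in Python as an added example (this is not the iRule from this post or from the DevCentral article). It assumes the yubikey_users value is the modhex key ID that prefixes every OTP and that the YubiCloud response is verified with the validation protocol's HMAC-SHA1 signature; the key, user and key ID are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials or enrolled keys.
API_KEY_B64 = base64.b64encode(b"constructed-demo-key").decode()
YUBIKEY_USERS = {"alice": "ccccccbcgujh"}  # stand-in for the yubikey_users data group


def sign(params, api_key_b64=API_KEY_B64):
    """HMAC-SHA1 over the sorted key=value pairs joined with '&', base64-encoded."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha1).digest()).decode()


def parse_response(body):
    """Turn the key=value lines of a validation response into a dict."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            # Split on the first '=' only: the base64 signature ends in '='.
            key, value = line.strip().split("=", 1)
            fields[key] = value
    return fields


def otp_valid(username, otp, nonce, response_body, api_key_b64=API_KEY_B64):
    """Return 1 or 0, the value the branch rule compares session.custom.otp_valid to."""
    # The last 32 characters are the encrypted part; the prefix identifies the key.
    public_id = otp[:-32]
    if not public_id or YUBIKEY_USERS.get(username) != public_id:
        return 0  # OTP came from a key that is not enrolled for this user
    fields = parse_response(response_body)
    claimed = fields.pop("h", "")
    expected = sign(fields, api_key_b64)
    if not hmac.compare_digest(claimed.encode(), expected.encode()):
        return 0  # response was not signed with our API key
    if fields.get("otp") != otp or fields.get("nonce") != nonce:
        return 0  # response answers a different request
    return 1 if fields.get("status") == "OK" else 0
```

Checking the key ID against the data group before accepting the cloud verdict is what ties a valid OTP to the user who is logging in; without it any Yubikey registered with YubiCloud would pass.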

Conclusion

Not too difficult. Some ways that we could extend this code would be to try multiple cloud instances (api1.yubico.com-api5.yubico.com) and provide a self-enrollment page if the user’s serial number is not in our data group – I’m writing an example of this with Google Authenticator and iRules LX so stay tuned.

Easily Copy an ISO to Multiple BIG-IPs

With 12.1 dropping yesterday I have multiple BIG-IPs I need to upgrade in my lab environment. In the lab we have a CIFS share that stores the ISOs, so I can copy the 12.1 ISO to each F5 from that filer with the following commands.

mkdir /tmp/iso
mount -t cifs -o username=user,password=user //10.1.1.254/ISO /tmp/iso/
rsync --progress -a /tmp/iso/F5/12/BIGIP-12.1.0.0.0.1434.iso /shared/images/

You could also remove the BIGIP-12.1.0.0.0.1434.iso filename from the rsync command and it would copy all ISOs to the BIG-IP. This could easily be added to a crontab to make your life easier.