Replacing Google Authenticator with Yubikey on OS X

Two-factor authentication made even easier.

Written by Xavier Shay.

After two consecutive days leaving my phone at home, it started to hit home just how hard it was to do my job on the Production Engineering team without being able to access our datacenters. We require two-factor authentication for SSH, using a TOTP with the freely available Google Authenticator application that you install on your phone. Except I didn’t have my phone.

I did have my keyring however, including an existing Yubikey that I use for other two-factor auth systems. It took some wrangling, but I figured out how I could use this to remove the need for my phone and speed up the process as well.

Yubico provides a number of useful tools on GitHub that can be used to program and configure your Yubikey to support TOTP; they are also available through Homebrew. In addition you will need a handy wrapper script, yubi_goog.py.

```
brew update
brew install ykpers
wget https://raw.github.com/xaviershay/yubi-goog/master/yubi_goog.py
chmod +x yubi_goog.py
```

You will need your Google Authenticator secret key. It is non-trivial to extract this from an already configured Google Authenticator application, but if you are currently using it for SSH you can likely find it on your bastion host (the first host you SSH to):

```
ssh your-bastion-host.example.com 'head -1 .google_authenticator'
```

Otherwise your best bet is to ask your friendly system administrator. You can now pass this into the Yubikey personalization tools and have it write the configuration to your Yubikey (make sure it is plugged in). Yubikeys have two configuration slots, and if you are already using your Yubikey for another authentication method it will be in slot 1. The following line writes Google Authenticator config to slot 2, where they can live happily side by side.

```
# Will prompt for your secret obtained in the last step
ykpersonalize -2 -o chal-resp -o chal-hmac -o hmac-lt64 -a `./yubi_goog.py --convert-secret | cat` -y
```

Now you can generate a 6-digit code that will match whatever Google Authenticator would be displaying. Unlike traditional Yubikey operation, which generates a code when you press its button, TOTP requires a challenge to be sent from your computer. The Yubikey doesn’t know what time it is, so the computer has to send it. This can be done with the ykchalresp application, though some extra logic is required to translate the response into a readable 6-digit code; that logic is also provided by the yubi_goog.py Python script.

```
./yubi_goog.py --yubi-no-sudo
```
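The pieces described above (secret conversion, the time challenge, and the translation of the response into 6 digits) can be written out as follows. This is an added example, not the code of yubi_goog.py: the function names are hypothetical, the HMAC-SHA1 is computed in software where the Yubikey would compute it on the token, and the sample secret is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_to_hex(b32_secret: str) -> str:
    """Base32 Google Authenticator secret -> hex key string (the form -a expects)."""
    cleaned = b32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned).hex()


def challenge_for(unix_time: float, step: int = 30) -> bytes:
    """The 8-byte big-endian time-step counter the computer sends as the challenge."""
    return struct.pack(">Q", int(unix_time) // step)


def truncate(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of the 20-byte HMAC-SHA1 response."""
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(hex_key: str, unix_time: float) -> str:
    # Software stand-in for the Yubikey (assumption of this example): on real
    # hardware the HMAC is computed on the token, so the key stays off the computer.
    key = bytes.fromhex(hex_key)
    mac = hmac.new(key, challenge_for(unix_time), hashlib.sha1).digest()
    return truncate(mac)


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real credential.
    sample = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    key = secret_to_hex(sample)
    print("hex key:", key)
    print("code at t=59:", totp(key, 59))
    print("code now:", totp(key, time.time()))
```

Because the only time-dependent input is the challenge, a computer with a skewed clock produces codes the server rejects even though the key on the Yubikey is correct.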

Pretty neat! That’s just the cake though. On to the icing.

Using the above script I need to copy and paste the output whenever I need to enter my verification code. Using AppleScript and Automator, I can make a global shortcut key that will enter the current TOTP code whenever it is needed.

```applescript
on run {input, parameters}
  -- Set PATH so we can access ykchalresp and yubi_goog.py
  -- Edit this to taste.
  tell application "System Events"
    keystroke (do shell script "PATH=$HOME/bin:/usr/local/bin:$PATH yubi_goog.py --yubi-no-sudo")
    keystroke return
  end tell
end run
```

Create a new “Service” in OS X Automator with one action: run the above AppleScript. The workflow will now show in “Keyboard Shortcuts” under your system preferences, where you can assign it a global keyboard shortcut.

Not only is the Yubikey more convenient, it is faster than Google Authenticator too!