linotp.lib.tokens.yubikeytoken module

This file contains the YubiKey token class where the YubiKey is run in Yubico Mode

class linotp.lib.tokens.yubikeytoken.YubikeyTokenClass(aToken)[source]

Bases: linotp.lib.tokenclass.TokenClass

The YubiKey Token in the Yubico AES mode

checkOtp(otpVal, counter=None, window=None, options=None)[source]

checkOtp - validate the token OTP against a given OTP value

Parameters:
  • otpVal (string) – the OTP value to be verified
  • counter (int) – the counter state. It is not used by the YubiKey because the current counter value is sent encrypted inside the OTP value
  • window (int) – the counter + window, which is not used in the YubiKey because the current counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value
  • options (dict) – the dict, which could contain token specific info

Returns: the counter state or an error code (< 0):
  • -1 if the OTP is old (counter < stored counter)
  • -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token)
  • -3 if the CRC verification fails

Return type: int
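The return codes above, sketched as an added example (not LinOTP's own code). It works on the 16-byte block as it looks after AES decryption, with the field layout of the Yubico OTP format; the function names, the sample values and the merging of use counter and session counter into one integer are assumptions.

```python
import hmac
import struct

CRC_OK_RESIDUAL = 0xF0B8  # CRC-16 residual of an intact decrypted Yubico OTP block


def crc16(data: bytes) -> int:
    """CRC-16 (ISO 13239), computed bit by bit."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def check_decrypted_otp(block: bytes, stored_uid: bytes, stored_counter: int) -> int:
    """Return the counter carried in the OTP, or -3 / -2 / -1 as listed above."""
    if len(block) != 16 or crc16(block) != CRC_OK_RESIDUAL:
        return -3  # CRC check failed: wrong AES key or damaged OTP
    # Layout: private uid (6) | use counter (2, LE) | timestamp (3) |
    #         session counter (1) | random (2) | CRC (2, LE)
    if not hmac.compare_digest(block[:6], stored_uid):
        return -2  # private_uid differs from the one stored with the token
    (use_counter,) = struct.unpack("<H", block[6:8])
    # Assumption: one integer, use counter in the high bits, session counter low.
    counter = (use_counter << 8) | block[11]
    if counter < stored_counter:
        return -1  # old OTP, possible replay
    return counter


def build_block(uid: bytes, use_counter: int, session_counter: int) -> bytes:
    """Constructed sample data: a plaintext block with a valid CRC."""
    body = (uid + struct.pack("<H", use_counter) + b"\x10\x20\x30"
            + bytes([session_counter]) + b"\xaa\xbb")
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


UID = bytes.fromhex("010203040506")        # constructed private uid
FRESH = build_block(UID, 5, 2)             # counter 0x0502 = 1282
DAMAGED = FRESH[:3] + b"\x00" + FRESH[4:]  # one byte altered after the CRC was set

if __name__ == "__main__":
    print(check_decrypted_otp(FRESH, UID, 1000))
    print(check_decrypted_otp(FRESH, UID, 2000))
    print(check_decrypted_otp(FRESH, b"\xff" * 6, 1000))
    print(check_decrypted_otp(DAMAGED, UID, 1000))
```

With the `counter < stored counter` rule, the caller has to persist a value above the returned counter after a success; otherwise the same OTP verifies a second time.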

6 Implementation details
check_otp_exist(otp, window=None, user=None, autoassign=False)[source]

Checks whether the given OTP value belongs to this very token. This is used for autoassignment and to determine the serial number of a token.

classmethod getClassInfo(key=None, ret='all')[source]

getClassInfo - returns a subtree of the token definition

Parameters:
  • key (string) – subsection identifier
  • ret (user defined) – default return value, if nothing is found

Returns: the subsection if key exists, otherwise the user-defined default

Return type:


classmethod getClassPrefix()[source]
classmethod getClassType()[source]
is_challenge_request(passw, user, options=None)[source]

This method checks whether this request triggers a challenge.

Parameters:
  • passw (string) – password, which might be pin or pin+otp
  • user (User object) – the user from the authentication request
  • options (dict) – dictionary of additional request parameters

Returns: true or false


resetTokenInfo - hook called during token init/update

For the YubiKey we have to reset the tokeninfo, as it preserves the tokenid and/or public_uid, which change with a token update.

resync(otp1, otp2, options=None)[source]

resync the YubiKey token

This is done by checking the counters of two subsequent OTP values.

Parameters:
  • otp1 – first OTP value
  • otp2 – second OTP value


update(param, reset_failcount=True)[source]

update - process the initialization parameters

Parameters:param (dict) – dict of initialization parameters