linotp.tokens.yubikeytoken module

This file contains the YubiKey token class where the YubiKey is run in Yubico AES mode without the YubiCloud

class linotp.tokens.yubikeytoken.YubikeyTokenClass(aToken)

Bases: TokenClass

The YubiKey Token in Yubico AES mode

checkOtp(otpVal, counter=None, window=None, options=None)

checkOtp - validate the token otp against a given otpvalue

  • otpVal (string) – the to be verified otpvalue

  • counter – the counter state. It is not used by the YubiKey because the current counter value

is sent encrypted inside the OTP value :type counter: int


window – the counter +window, which is not used in the YubiKey because the current

counter value is sent encrypted inside the OTP, allowing a simple comparison between the encrypted counter value and the stored counter value :type window: int


options (dict) – the dict, which could contain token specific info


the counter state or an error code (< 0):

-1 if the OTP is old (counter < stored counter) -2 if the private_uid sent in the OTP is wrong (different from the one stored with the token) -3 if the CRC verification fails :rtype: int


6 Implementation details

check_otp_exist(otp, window=None, user=None, autoassign=False)

checks if the given OTP value is/are values of this very token. This is used to autoassign and to determine the serial number of a token.

classmethod getClassInfo(key=None, ret='all')

getClassInfo - returns a subtree of the token definition

  • key (string) – subsection identifier

  • ret (user defined) – default return value, if nothing is found


subsection if key exists or user defined

Return type


classmethod getClassPrefix()
classmethod getClassType()
is_challenge_request(passw, user, options=None)

This method checks, if this is a request, that triggers a challenge.

  • passw (string) – password, which might be pin or pin+otp

  • user (User object) – The user from the authentication request

  • options (dict) – dictionary of additional request parameters


true or false


resetTokenInfo - hook called during token init/update

in yubikey we have to reset the tokeninfo as it preserves the tokenid and or public_uid which changes with an token update

resync(otp1, otp2, options=None)

resyc the yubikey token

this is done by checking two subsequent otp values for their counter

  • otp1 – first otp value

  • otp2 – second otp value



update(param, reset_failcount=True)

update - process the initialization parameters


param (dict) – dict of initialization parameters