
Import token from web

Open Zaba999 opened this issue 8 years ago • 25 comments

Currently it's not possible to import token from web with activation code. On mobile phone it can be done eg using link like: com.rsa.securid://ctkip?scheme=https&url=securid1.access.organization.com:7005/ctkip/services/CtkipService&activationCode=xxxxxxxxxxxx

Is it possible to add this functionality to stoken?

Zaba999 avatar May 18 '16 06:05 Zaba999
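The link format quoted above carries the CT-KIP endpoint split into a `scheme` parameter and a scheme-less `url` parameter. The following parser, added here and not part of the issue or of stoken, recombines and validates those parts before anything is sent to the server; the host and activation code it uses are placeholders copied from the sample link.

```python
"""Parse the com.rsa.securid://ctkip?... import link quoted in this issue."""
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Constructed sample, modelled on the link in the issue; host and code are placeholders.
SAMPLE_LINK = (
    "com.rsa.securid://ctkip?scheme=https"
    "&url=securid1.access.organization.com:7005/ctkip/services/CtkipService"
    "&activationCode=xxxxxxxxxxxx"
)


def parse_ctkip_link(link: str, allow_insecure: bool = False) -> dict:
    """Return the CT-KIP service URL and activation code from an import link.

    Rejects links that are not com.rsa.securid://ctkip, that lack one of the
    three expected parameters, or (by default) that point at a non-https
    endpoint, since the provisioning exchange should not run over plain http.
    """
    parts = urlsplit(link)
    if parts.scheme != "com.rsa.securid" or parts.netloc != "ctkip":
        raise ValueError("not a com.rsa.securid://ctkip link")
    params = parse_qs(parts.query, strict_parsing=True)
    missing = {"scheme", "url", "activationCode"} - set(params)
    if missing:
        raise ValueError(f"link is missing parameter(s): {sorted(missing)}")
    scheme = params["scheme"][0].lower()
    if scheme != "https" and not allow_insecure:
        raise ValueError(f"refusing non-https CT-KIP endpoint ({scheme})")
    # The url parameter has no scheme of its own; prepend the one from the link.
    endpoint = urlsplit(f"{scheme}://{params['url'][0]}")
    if not endpoint.hostname or not endpoint.path:
        raise ValueError("url parameter must contain a host and a service path")
    code = params["activationCode"][0].strip()
    if not code:
        raise ValueError("empty activation code")
    return {
        "service_url": urlunsplit(endpoint),
        "host": endpoint.hostname,
        "port": endpoint.port,
        "activation_code": code,
    }


if __name__ == "__main__":
    print(parse_ctkip_link(SAMPLE_LINK))
```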

what is the content of the response?

esskar avatar May 19 '16 08:05 esskar

I've never actually used CTKIP (my former employer just emailed us the raw XML seed files :scream:) but it is documented in RFC 4758. Your greatest challenge is probably getting RSA Authentication Manager set up locally to test the entire flow end-to-end. If you're friendly with the I.T. guys that would definitely help.

cernekee avatar May 22 '16 02:05 cernekee

Duplicates #27

NemoN avatar Sep 08 '16 08:09 NemoN

Is anyone aware of any implementations of a CT-KIP client on any platform? (besides the closed-source securid clients for win/mac/android/etc)

darkprokoba avatar Nov 17 '16 08:11 darkprokoba

I am actually working on one right now. What I need is a working server that I can use.

Or at least someone who is willing to test.

esskar avatar Nov 17 '16 14:11 esskar

I'd be willing to test. What do you need from me?

darkprokoba avatar Nov 17 '16 16:11 darkprokoba

Well, a working CT-KIP URL would be nice; I do not have access to a CT-KIP server/RSA Authentication Manager.

You may send it by email.

esskar avatar Nov 17 '16 16:11 esskar

I am trying to reverse engineer it by creating a self-hosted SOAP service that simulates the CT-KIP server part and hitting it with the official RSA SecurID token app.

esskar avatar Nov 17 '16 19:11 esskar

@cernekee can you send me the XML files you have received?

esskar avatar Nov 20 '16 14:11 esskar

I have not received any XML files. Just a CT-KIP URL and an activation code.

darkprokoba avatar Nov 21 '16 11:11 darkprokoba

@darkprokoba Are you allowed to send it? Is it reusable?

esskar avatar Nov 21 '16 12:11 esskar

I have the same issue. I have a web import link (CT-KIP) and an activation key. I am getting the error below while trying to import.

error: --token string is garbled: General failure

vineethelias avatar Dec 02 '16 08:12 vineethelias

Yes, the problem is that none of us has access to the RSA Authentication Manager. I tried to request a demo version, but have had no answer from the RSA guys yet.

esskar avatar Dec 02 '16 08:12 esskar

Any news on this front? Are we still blocked by getting the authentication manager?

jsoo1 avatar May 11 '17 15:05 jsoo1

Yes. Without it, it is hard to reverse-engineer (tm) it.

esskar avatar May 15 '17 09:05 esskar

For those with the error: error: --token string is garbled: General failure

The .sdtid file extension is actually an .xml file. So changing the .sdtid file extension to .xml and importing the file as usual just works.

salmansamie avatar Jun 30 '17 18:06 salmansamie

@esskar if I can work with you in realtime, I can help you with this - I can generate a new CT-KIP URL at any time. It does invalidate my current token to do so, so after any reverse-engineering session, I will need to re-generate a token for my use.

benklop avatar Oct 24 '17 20:10 benklop

@benklop what is your current time zone? I am GMT+11, but GMT-6 in December. December will probably be better for me.

esskar avatar Nov 20 '17 10:11 esskar

I've implemented a client that will show the unencrypted version of all the keying material exchanged with the server, at dlenski/rsa_ct_kip:client.py

We still need to work out exactly how the final key of the token relates to the material exchanged, because the RFC is unclear/inconsistent/obfuscated on this subject: https://github.com/cernekee/stoken/issues/27#issuecomment-420438915

If anyone is willing to be a guinea pig and test it with a new authentication token or two, that'd help a lot.

dlenski avatar Sep 12 '18 01:09 dlenski

@dlenski I'd be willing to waste my IT's time to generate a bunch of auth tokens, if you can give me some clues on how to use this.

dedominic-veeder avatar Nov 08 '18 16:11 dedominic-veeder

I was able to use the client tool provided with modifications ( see https://github.com/dlenski/rsa_ct_kip/pull/1 ) but I'm not quite sure what I do with the values I get.

dedominic-veeder avatar Nov 09 '18 16:11 dedominic-veeder

@dedominic-veeder, see #27 for some (hopefully informed) speculation on how to use this client to try to figure out the algorithm for generating the final secrets for the tokens.

dlenski avatar Nov 24 '18 20:11 dlenski

@dedominic-veeder, if you can still generate activation codes… the tool has been considerably cleaned up and should Just Work™. Would be great to have another confirmation.

dlenski avatar Jan 23 '19 19:01 dlenski

The functionality you are looking for is now provided by this project: https://github.com/dlenski/rsa_ct_kip. It converts the URL and activation code to a token file which can be used with stoken.

BastianVoigt avatar Aug 02 '20 11:08 BastianVoigt

rsa_ct_kip deserves to be mentioned in the Readme. Having to download the token from a server is a common approach.

alexvorobiev avatar May 26 '23 23:05 alexvorobiev