Most rails applications have some sort of “user” to represent either customers who are consuming the service or administrators that are publishing content to the web application. It’s important that these users are authenticated (ensuring that they are who they say they are). For user authentication in a Ruby on Rails application, Devise is one of the best solutions out there. It has a very active community and wide variety of options and extensions to fit your business model. Sometimes customers may ask for or the application requires an additional layer of authentication beyond the basic username/password combination.
Yubikey Hardware is a small usb “key” that is set up to generate unique one-time passwords that are validated against their server. Fortunately someone has written an extension to incorporate the yubikey as a second factor of authentication against devise users called yubikey_database_authenticatable.
In order to require users to log in with a yubikey there are a few large steps you have to take.
I have created a skeleton rails app with these steps and posted it to Github
For this app I am using rails 3.2.12
At Ikayzo we have a fondness for lemurs so this application will maintain a list of lemurs species.
Now that we have some actual pages in the applications we can set the root url of the application to the LemursController
There is already some great documentation for this on the Devise readme but here are the steps I took to add it to this rails application.
Add devise to the global part of the Gemfile
Next generate the devise files and user model
The only thing left is to require users to log in when accessing the LemursController
First add the yubikey_database_authenticatable gem to the applications Gemfile
There are two new columns that the users table will need to authenticat witht he yubikey.
You will have to replace :database_authenticatable with :yubikey_database_authenticatable to the devise line of the user model.
For this application I just created a user and added a yubikey to them through the rails console. To require a user to login with yubikey the boolean use_yubikey needs to be set to true. The other user also needs to have the registeredyubikey field set to their yubikeky. I did this through the console by copying the text output from the yubikey to a clipboard and setting the field in the console. Part of the code that was added to the user model is designed to peel of the first 11 characters of the yubikey one-time password which is its static and unique identifier.
In a real world application there will need to be features built in to managing the yubikey for the user. If the customers/users will be providing their own yubikey they will need to update these settings themselves. However if the yubikeys are distributed to a small group of users, managing these attributes should probably be hidden behind some administration side of the application.
Origninally posted on TechHui
© 2013 Lupine Software Development