Skip to main content

A free software implementation of Symantec's VIP Access application and protocol

Project description

python-vipaccess

PyPI License: Apache 2.0 Build Status

Table of Contents

This is a fork of cyrozap/python-vipaccess. Main differences:

  • No dependency on qrcode or image libraries; you can easily use external tools such as qrencode to convert an otpauth:// URI to a QR code if needed, so it seems unnecessary to build in this functionality.
  • Option to generate either the mobile (SYMC/VSMT) or desktop (SYDC/VSST) versions of the VIP Access tokens; as far as I can tell there is no real difference between them, but some clients require one or the other specifically. There are also some rarer token types/prefixes which can be generated if necessary (reference list from Symantec)
  • Command-line utility is expanded to support both token provisioning (creating a new token) and emitting codes for an existing token (inspired by the command-line interface of stoken, which handles the same functions for RSA SecurID tokens

Intro

python-vipaccess is a free and open source software (FOSS) implementation of Symantec's VIP Access client (now owned by Broadcom).

If you need to access a network which uses VIP Access for two-factor authentication, but can't or don't want to use Symantec's proprietary applications—which are only available for Windows, MacOS, Android, iOS—then this is for you.

As @cyrozap discovered in reverse-engineering the VIP Access protocol (original blog post), Symantec VIP Access actually uses a completely open standard called Time-based One-time Password Algorithm for generating the 6-digit codes that it outputs. The only non-standard part is the provisioning protocol used to create a new token.

Dependencies

For development purposes, you can install the dependencies with pip install -r requirements.txt in the project root directory.

To install pip see the pip installation documentation.

Installation

Install with pip3 to automatically fetch Python dependencies. (Note that on most systems, pip3 invokes the Python 3.x version, while pip invokes the Python 2.7 version; Python 2.7 is still supported, but not recommended because it's nearing obsolescence.)

# Install latest release from PyPI
$ pip3 install python-vipaccess

# Install latest development version from GitHub
$ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip

Usage

Provisioning a new VIP Access credential

This is used to create a new VIP Access token. It connects to https://services.vip.symantec.com/prov and requests a new token, then deobfuscates it, and checks whether it is properly decoded and working correctly, via a second request to https://vip.symantec.com/otpCheck.

By default it stores the new token in the file .vipaccess in your home directory (in a format similar to stoken), but it can store to another file instead, or instead just print out the "token secret" string with instructions about how to use it.

usage: vipaccess provision [-h] [-p | -o DOTFILE] [-t TOKEN_MODEL]

optional arguments:
  -h, --help            show this help message and exit
  -p, --print           Print the new credential, but don't save it to a file
  -o DOTFILE, --dotfile DOTFILE
                        File in which to store the new credential (default
                        ~/.vipaccess)
  -i ISSUER, --issuer ISSUER
                        Specify the issuer name to use (default: Symantec)
  -t TOKEN_MODEL, --token-model TOKEN_MODEL
                        VIP Access token model. Often SYMC/VSMT ("mobile"
                        token, default) or SYDC/VSST ("desktop" token). Some
                        clients only accept one or the other. Other more
                        obscure token types also exist:
                        https://support.symantec.com/en_US/article.TECH239895.html

Here is an example of the output from vipaccess provision -p:

Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
	otpauth://totp/VIP%20Access:SYMC12345678?secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&issuer=Symantec&algorithm=SHA1&digits=6
This credential expires on this date: 2019-01-15T12:00:00.000Z

You will need the ID to register this credential: SYMC12345678

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  # output one code
    oathtool -v -b --totp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  # ... with extra information

Here is the format of the .vipaccess token file output from vipaccess provision [-o ~/.vipaccess]. (This file is created with read/write permissions only for the current user.)

version 1
secret AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
id SYMC12345678
expiry 2019-01-15T12:00:00.000Z

Display a QR code to register your credential with mobile TOTP apps

Once you generate a token with vipaccess provision, use vipaccess uri to show the otpauth:// URI and qrencode to display that URI as a QR code:

$ qrencode -t UTF8 'otpauth://totp/VIP%20Access:SYMCXXXX?secret=YYYY&issuer=Symantec&algorithm=SHA1&digits=6'

Scan the code into your TOTP generating app, like FreeOTP or Google Authenticator.

Generating access codes using an existing credential

The vipaccess [show] option will also do this for you: by default it generates codes based on the credential in ~/.vipaccess, but you can specify an alternative credential file or specify the OATH "token secret" on the command line.

usage: vipaccess show [-h] [-s SECRET | -f DOTFILE]

optional arguments:
  -h, --help            show this help message and exit
  -s SECRET, --secret SECRET
                        Specify the token secret on the command line (base32
                        encoded)
  -f DOTFILE, --dotfile DOTFILE
                        File in which the credential is stored (default
                        ~/.vipaccess

As alluded to above, you can use other standard OATH-based tools to generate the 6-digit codes identical to what Symantec's official apps produce.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

python-vipaccess-0.14.2.tar.gz (19.7 kB view details)

Uploaded Source

Built Distribution

python_vipaccess-0.14.2-py3-none-any.whl (18.5 kB view details)

Uploaded Python 3

File details

Details for the file python-vipaccess-0.14.2.tar.gz.

File metadata

  • Download URL: python-vipaccess-0.14.2.tar.gz
  • Upload date:
  • Size: 19.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/4.0.2 CPython/3.11.8

File hashes

Hashes for python-vipaccess-0.14.2.tar.gz
Algorithm Hash digest
SHA256 4c5497f222fa0a168bdc58fed15087cda7c5ff7d7863f8b469323cd3d424e615
MD5 3a47dafdf4a40235f8703d70f40cd0cd
BLAKE2b-256 7bceb3376d5fbac1fae3503dd06797dbd118f53c4ad8ddb49257743795be0d97

See more details on using hashes here.

File details

Details for the file python_vipaccess-0.14.2-py3-none-any.whl.

File metadata

File hashes

Hashes for python_vipaccess-0.14.2-py3-none-any.whl
Algorithm Hash digest
SHA256 b0476efb2ce9906837d0a6ac5162b8c5aa0ea16b661e86668723cb203425bcff
MD5 50048e78fe646fc458341a289642b746
BLAKE2b-256 8395225ba8272b6fd11b2e0eba9e97216973a57e8b27e1a3b942620e8f63ff82

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page