Occasionally, I need to log in to a system that requires the use of a Symantec VIP code. For those that haven’t come across this before, the app displays a 6-digit numeric code that changes every 30 seconds. When logging in to the system, I have to run the app to get the 6-digit code and then type it in, along with a username and password.
This is an example of pseudo-two-factor authentication: I have my password, something I know, as the first factor; and something I have, the app that generates the code, as the second factor. (Why pseudo-two-factor? Because the code is generated from a secret, it’s really just a fancy password.)
So, what’s the problem? I resent having a “special” Symantec app on all my devices because, ultimately, this is just a layer over the standard Time-based One-Time Password (TOTP), as used by Google, Microsoft, Facebook and countless others.
Symantec VIP is actually just a layer over TOTP and, thanks to a clever bit of work by Dan Lenski (in turn forked from Cyrozap’s project), it’s possible to do away with the Symantec VIP application and use a “standard” TOTP app, such as Google Authenticator or Authy.
The instructions provided by Dan are pretty straightforward, but I hit a missing dependency that was required to make it work on my RPi 2B.
What are we actually trying to do?
The 6-digit codes that authenticator apps generate are computed from two inputs: the current time (obviously) and a credential. To add a new credential to a TOTP app we therefore need one in a format the app understands.
When you initialise Symantec VIP, it generates a new random credential, but not one compatible with TOTP. VIP credentials start with 4 letters followed by 8 digits; TOTP credentials are usually 32 letters, often presented as a QR code. Generating a QR code is a nice-to-have (I only have to type in those 32 letters once, so I did without it).
Cyrozap’s and Dan’s software does the clever bit: deriving the TOTP credential from the Symantec VIP credential.
As mentioned above, I’m doing this on a Raspberry Pi 2B that was up to date as of 30th May 2019.
Steps
First, we need Python 3:
sudo -s                        # Being lazy, saves having to type sudo in front of everything
apt update                     # Ensure we’re going to get the latest version of packages
sudo apt install python3       # Install Python 3 if not already installed
sudo apt install python3-pip   # Install pip (package manager)
Now we can download and install Dan’s python-vipaccess application.
pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
Collecting https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
  Downloading https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
     | 276kB 10.8MB/s
Collecting lxml==4.2.5 (from python-vipaccess==0.3.1)
  Using cached https://www.piwheels.org/simple/lxml/lxml-4.2.5-cp35-cp35m-linux_armv7l.whl
Collecting oath>=1.4.1 (from python-vipaccess==0.3.1)
  Using cached https://files.pythonhosted.org/packages/73/e4/8eb7f9b6ba62d41857c54724fb3fde5a8952676e1719ea2099063c1fb253/oath-1.4.3-py2.py3-none-any.whl
Collecting pycryptodome==3.6.6 (from python-vipaccess==0.3.1)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-vipaccess==0.3.1)
Installing collected packages: lxml, oath, pycryptodome, python-vipaccess
  Running setup.py install for python-vipaccess ... done
Successfully installed lxml-4.2.5 oath-1.4.3 pycryptodome-3.6.6 python-vipaccess-0.3.1
When running the vipaccess command, I got the following error:
ImportError: libxslt.so.1: cannot open shared object file: No such file or directory
To resolve this, install the two libraries libxml2-dev and libxslt1-dev:
apt-get install libxml2-dev libxslt1-dev
Now you should be able to run vipaccess with no issues:
# vipaccess provision -t VSMT -p
Generating request...
Fetching provisioning response...
Getting token from response...
Decrypting token...
Checking token...
Credential created successfully:
    otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
This credential expires on this date: 2022-05-30T14:13:21.891Z
You will need the ID to register this credential: VSMT22195338
You can use oathtool to generate the same OTP codes as would be produced by the official VIP Access apps:
    oathtool -d6 -b --totp SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z     # 6-digit code
    oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z  # ... with extra information
You’ll then need to provide your sysadmin or service desk with the generated credential ID (VSMT22195338 in the example above), add the credential secret (SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z in the example above) to your authenticator app, and all should be good!