Occasionally, I need to log in to a system that requires the use of a Symantec VIP code. For those that haven’t come across this before, the app displays a 6-digit numeric code that changes every 30 seconds. When logging in to the system, I have to run the app to get the 6-digit code and then type it in, along with a username and password.
This is an example of pseudo-two-factor authentication: I have my password, something I know, as the first factor; and something I have, the app that generates the code, as the second factor. (Why pseudo-two-factor? Because the code is generated from a secret, it’s really just a fancy password.)
So, what’s the problem? I resent having a “special” Symantec app on all my devices because, ultimately, this is just a layer over the standard Time-based One-Time Password (TOTP), as used by Google, Microsoft, Facebook and countless others.
Symantec VIP is actually just a layer over TOTP and, thanks to a clever bit of work by Dan Lenski (in turn forked from Cyrozap’s project), it’s possible to do away with the Symantec VIP application and use a “standard” TOTP app, such as Google Authenticator or Authy.
The instructions provided by Dan are pretty straightforward, but I hit a missing dependency that was required to make it work on my RPi 2B.
What are we actually trying to do?
The 6 digit codes that get generated by authenticator apps are created based on 2 factors: the current time (obviously) and a credential. To add a new credential to a TOTP app we therefore need a compatible credential.
When you initialise Symantec VIP, it generates a new random credential, but not one compatible with TOTP. VIP credentials start with 4 letters and then 8 digits. TOTP credentials are usually 32 letters, often represented as a QR code. Creating a QR code is a “nice to have” (I only have to type in those 32 letters once, so I did without that).
Cyrozap’s and Dan’s software does the clever bit of creating the TOTP credential from the Symantec VIP credential.
As described above, I’m doing this on a Raspberry Pi 2B which was up to date as of 30th May 2019.
First, we need Python 3:
    sudo -s                        # Being lazy, saves having to type sudo in front of everything
    apt update                     # Ensure we’re going to get the latest version of packages
    sudo apt install python3       # Install Python 3 if not already installed
    sudo apt install python3-pip   # Install pip (package manager)
    pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip   # Install latest version
Now we can download and install Dan’s python-vipaccess application.
    pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
    Collecting https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
      Downloading https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
         | 276kB 10.8MB/s
    Collecting lxml==4.2.5 (from python-vipaccess==0.3.1)
      Using cached https://www.piwheels.org/simple/lxml/lxml-4.2.5-cp35-cp35m-linux_armv7l.whl
    Collecting oath>=1.4.1 (from python-vipaccess==0.3.1)
      Using cached https://files.pythonhosted.org/packages/73/e4/8eb7f9b6ba62d41857c54724fb3fde5a8952676e1719ea2099063c1fb253/oath-1.4.3-py2.py3-none-any.whl
    Collecting pycryptodome==3.6.6 (from python-vipaccess==0.3.1)
    Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from python-vipaccess==0.3.1)
    Installing collected packages: lxml, oath, pycryptodome, python-vipaccess
      Running setup.py install for python-vipaccess ... done
    Successfully installed lxml-4.2.5 oath-1.4.3 pycryptodome-3.6.6 python-vipaccess-0.3.1
When running the vipaccess command, I got the following error:
    ImportError: libxslt.so.1: cannot open shared object file: No such file or directory
To resolve this, install the two libraries libxml2-dev and libxslt1-dev:
    apt-get install libxml2-dev libxslt1-dev
Now you should be able to run vipaccess with no issues:
    # vipaccess provision -t VSMT -p
    Generating request...
    Fetching provisioning response...
    Getting token from response...
    Decrypting token...
    Checking token...
    Credential created successfully:
        otpauth://totp/VIP%20Access:VSMT22195338?issuer=Symantec&algorithm=SHA1&secret=SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z&digits=6&period=30
    This credential expires on this date: 2022-05-30T14:13:21.891Z
    You will need the ID to register this credential: VSMT22195338
    You can use oathtool to generate the same OTP codes
    as would be produced by the official VIP Access apps:
        oathtool -d6 -b --totp SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z      # 6-digit code
        oathtool -d6 -b --totp -v SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z   # ... with extra information
You’ll then need to provide your sysadmin or service desk with the generated credential ID (VSMT22195338 in the example above), then add the credential (SS3MEAKIBPSZYOI5NAOQHE2WDQYUXM3Z in the example above) to your authenticator app and all should be good!