python-vipaccess


- Name: python-vipaccess
- Version: 0.14.2
- home_page: https://github.com/dlenski/python-vipaccess
- Summary: A free software implementation of Symantec's VIP Access application and protocol
- upload_time: 2024-02-12 06:04:47
- docs_url: None
- author: Daniel Lenski
- license: Apache 2.0
- keywords: development
- requirements: No requirements were recorded.
- Travis-CI: No Travis.
- coveralls test coverage: No coveralls.

python-vipaccess
================

[![PyPI](https://img.shields.io/pypi/v/python-vipaccess.svg)](https://pypi.python.org/pypi/python-vipaccess)
[![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Build Status](https://github.com/dlenski/python-vipaccess/workflows/test_and_release/badge.svg)](https://github.com/dlenski/python-vipaccess/actions?query=workflow%3Atest_and_release)

Table of Contents
=================

* [python-vipaccess](#python-vipaccess)
* [Table of Contents](#table-of-contents)
   * [Intro](#intro)
   * [Dependencies](#dependencies)
   * [Installation](#installation)
   * [Usage](#usage)
      * [Provisioning a new VIP Access credential](#provisioning-a-new-vip-access-credential)
      * [Display a QR code to register your credential with mobile TOTP apps](#display-a-qr-code-to-register-your-credential-with-mobile-totp-apps)
      * [Generating access codes using an existing credential](#generating-access-codes-using-an-existing-credential)

This is a fork of [**`cyrozap/python-vipaccess`**](https://github.com/dlenski/python-vipaccess). Main differences:

- No dependency on `qrcode` or `image` libraries; you can easily use
  external tools such as [`qrencode`](https://github.com/fukuchi/libqrencode)
  to convert an `otpauth://` URI to a QR code if needed, so it seems
  unnecessary to build in this functionality.
- Option to generate either the mobile (`SYMC`/`VSMT`) or desktop (`SYDC`/`VSST`)
  versions of the VIP Access tokens; as far as I can tell there is no
  real difference between them, but some clients require one or the
  other specifically. There are also some rarer token types/prefixes
  which can be generated if necessary
  ([reference list from Symantec](https://support.symantec.com/us/en/article.tech239895.html)).
- Command-line utility is expanded to support *both* token
  provisioning (creating a new token) and emitting codes for an
  existing token (inspired by the command-line interface of
  [`stoken`](https://github.com/cernekee/stoken), which handles the same functions for [RSA SecurID](https://en.wikipedia.org/wiki/RSA_SecurID) tokens).

Intro
-----

python-vipaccess is a free and open source software (FOSS)
implementation of Symantec's VIP Access client (now owned by Broadcom).

If you need to access a network which uses VIP Access for [two-factor
authentication](https://en.wikipedia.org/wiki/Two-factor_authentication),
but can't or don't want to use Symantec's proprietary
applications—which are only available for Windows, macOS, Android,
and iOS—then this is for you.

As [@cyrozap](https://github.com/cyrozap) discovered in reverse-engineering the VIP Access protocol
([original blog
post](https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vip-access-provisioning-protocol)),
Symantec VIP Access actually uses a **completely open standard**
called [Time-based One-time Password
Algorithm](https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)
for generating the 6-digit codes that it outputs. The only
non-standard part is the **provisioning** protocol used to create a
new token.

Dependencies
------------

-  Python 3.3+ (recommended) or 2.7 (not recommended)
-  [`oath`](https://pypi.python.org/pypi/oath/1.4.1)
-  [`pycryptodome`](https://pypi.python.org/pypi/pycryptodome/3.6.6)
-  [`requests`](https://pypi.python.org/pypi/requests)

For development purposes, you can install the dependencies with `pip install -r requirements.txt` in
the project root directory.

To install `pip` see the [`pip` installation documentation](https://pip.pypa.io/en/stable/installing/).

Installation
------------

Install with [`pip3`](https://pip.pypa.io/en/stable/installing/) to automatically fetch Python
dependencies. (Note that on most systems, `pip3` invokes the Python 3.x version, while `pip` invokes
the Python 2.7 version; Python 2.7 is still supported, but not recommended because it's nearing
obsolescence.)

```
# Install latest release from PyPI
$ pip3 install python-vipaccess

# Install latest development version from GitHub
$ pip3 install https://github.com/dlenski/python-vipaccess/archive/HEAD.zip
```

Usage
-----

### Provisioning a new VIP Access credential

`vipaccess provision` creates a new VIP Access token. It connects to https://services.vip.symantec.com/prov
and requests a new token, deobfuscates it, and then checks that it was decoded properly and
works correctly via a second request to https://vip.symantec.com/otpCheck.

By default it stores the new token in the file `.vipaccess` in your home directory (in a
format similar to `stoken`), but it can store it in another file instead,
or just print out the "token secret" string with instructions
about how to use it.

```
usage: vipaccess provision [-h] [-p | -o DOTFILE] [-t TOKEN_MODEL]

optional arguments:
  -h, --help            show this help message and exit
  -p, --print           Print the new credential, but don't save it to a file
  -o DOTFILE, --dotfile DOTFILE
                        File in which to store the new credential (default
                        ~/.vipaccess)
  -i ISSUER, --issuer ISSUER
                        Specify the issuer name to use (default: Symantec)
  -t TOKEN_MODEL, --token-model TOKEN_MODEL
                        VIP Access token model. Often SYMC/VSMT ("mobile"
                        token, default) or SYDC/VSST ("desktop" token). Some
                        clients only accept one or the other. Other more
                        obscure token types also exist:
                        https://support.symantec.com/en_US/article.TECH239895.html
```

Here is an example of the output from `vipaccess provision -p`:

```
Generating request...
Fetching provisioning response from Symantec server...
Getting token from response...
Decrypting token...
Checking token against Symantec server...
Credential created successfully:
	otpauth://totp/VIP%20Access:SYMC12345678?secret=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&issuer=Symantec&algorithm=SHA1&digits=6
This credential expires on this date: 2019-01-15T12:00:00.000Z

You will need the ID to register this credential: SYMC12345678

You can use oathtool to generate the same OTP codes
as would be produced by the official VIP Access apps:

    oathtool    -b --totp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  # output one code
    oathtool -v -b --totp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  # ... with extra information
```

Here is the format of the `.vipaccess` token file output from
`vipaccess provision [-o ~/.vipaccess]`. (This file is created with
read/write permissions *only* for the current user.)

```
version 1
secret AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
id SYMC12345678
expiry 2019-01-15T12:00:00.000Z
```

### Display a QR code to register your credential with mobile TOTP apps

Once you generate a token with `vipaccess provision`, use `vipaccess uri` to show the `otpauth://` URI and
[`qrencode`](https://fukuchi.org/works/qrencode/manual/index.html) to display that URI as a QR code:

```
$ qrencode -t UTF8 'otpauth://totp/VIP%20Access:SYMCXXXX?secret=YYYY&issuer=Symantec&algorithm=SHA1&digits=6'
```

Scan the code into your TOTP generating app,
like [FreeOTP](https://freeotp.github.io/) or
[Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2).

### Generating access codes using an existing credential

The `vipaccess [show]` command generates access codes for you: by default it
uses the credential in `~/.vipaccess`, but you can
specify an alternative credential file or specify the OATH "token
secret" on the command line.

```
usage: vipaccess show [-h] [-s SECRET | -f DOTFILE]

optional arguments:
  -h, --help            show this help message and exit
  -s SECRET, --secret SECRET
                        Specify the token secret on the command line (base32
                        encoded)
  -f DOTFILE, --dotfile DOTFILE
                        File in which the credential is stored (default
                        ~/.vipaccess)
```

As alluded to above, you can use other standard
[OATH](https://en.wikipedia.org/wiki/Initiative_For_Open_Authentication)-based
tools to generate 6-digit codes identical to those that Symantec's official
apps produce.
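
The `.vipaccess` file format shown under provisioning and the standard TOTP generation described here can be combined in a few lines of standard-library Python. This is an added example, not code from python-vipaccess: the function names are hypothetical, the 30-second time step is an assumption (the `otpauth://` default, since the URI above names only SHA1 and 6 digits), and the sample file is constructed from the placeholder values on this page.

```python
import base64, hashlib, hmac, os, stat, struct, tempfile, time
from datetime import datetime, timezone

# Constructed sample in the dotfile format shown above (placeholder secret from the page).
SAMPLE_DOTFILE = """version 1
secret AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
id SYMC12345678
expiry 2019-01-15T12:00:00.000Z
"""

def parse_dotfile(text):
    """Parse the 'key value' lines of a .vipaccess-style file into a dict."""
    cred = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.strip().partition(" ")
            cred[key] = value.strip()
    if cred.get("version") != "1":
        raise ValueError("unsupported dotfile version: %r" % cred.get("version"))
    missing = [f for f in ("secret", "id", "expiry") if f not in cred]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return cred

def is_private(path):
    """True if group and others have no access at all (e.g. mode 0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def is_expired(cred, now=None):
    """Compare the credential's UTC expiry timestamp with the current time."""
    expiry = datetime.strptime(cred["expiry"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expiry = expiry.replace(tzinfo=timezone.utc)
    return (now or datetime.now(timezone.utc)) >= expiry

def totp(secret_b32, at=None, period=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1; period=30 is an assumption (otpauth default)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    fd, path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_DOTFILE)
        if not is_private(path):
            raise SystemExit("refusing to use %s: accessible to other users" % path)
        with open(path) as fh:
            cred = parse_dotfile(fh.read())
        if is_expired(cred):
            print("warning: credential %s expired on %s" % (cred["id"], cred["expiry"]))
        print(cred["id"], totp(cred["secret"]))
    finally:
        os.remove(path)
```

Reading the secret from a file that only its owner can access keeps it out of shell history and the process list, which a secret passed as a command-line argument does not.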



            
