From 8a6e70d06c711136642cf76cdf97f581cfbca59d Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Thu, 7 Dec 2017 10:49:24 -0600
Subject: [PATCH 1/3] Fix documentation to reflect correct GRANT privileges required for ykval-verify:synclib:db to insert newly-discovered identities into the ykval.yubikeys table.

---
 doc/Installation.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/Installation.adoc b/doc/Installation.adoc
index e76594c..fa2c44d 100644
--- a/doc/Installation.adoc
+++ b/doc/Installation.adoc
@@ -133,7 +133,8 @@ normally called 'ykval_verifier':
 ----
 user@val:~$ mysql --silent ykval
 mysql> CREATE USER 'ykval_verifier'@'localhost'; \
-GRANT SELECT,INSERT,UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
+GRANT SELECT,INSERT(active, created, yk_publicname, notes, modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
+GRANT UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
 GRANT SELECT,INSERT,UPDATE(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost'; \
 GRANT SELECT,INSERT,UPDATE,DELETE ON ykval.queue TO 'ykval_verifier'@'localhost'; \
 SET PASSWORD FOR 'ykval_verifier'@'localhost' = PASSWORD('yourpassword'); \
From 0df52c3fc7780d1dbd6eecdba015909ec1aa8960 Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Fri, 8 Dec 2017 12:44:58 -0600
Subject: [PATCH 2/3] Another minor installation documentation update to reflect MySQL GRANT permissions required for a working configuration.

---
 doc/Installation.adoc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/Installation.adoc b/doc/Installation.adoc
index fa2c44d..c17a362 100644
--- a/doc/Installation.adoc
+++ b/doc/Installation.adoc
@@ -135,7 +135,8 @@ user@val:~$ mysql --silent ykval
 mysql> CREATE USER 'ykval_verifier'@'localhost'; \
 GRANT SELECT,INSERT(active, created, yk_publicname, notes, modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
 GRANT UPDATE(modified, yk_counter, yk_low, yk_high, yk_use, nonce) ON ykval.yubikeys TO 'ykval_verifier'@'localhost'; \
-GRANT SELECT,INSERT,UPDATE(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost'; \
+GRANT SELECT,UPDATE(id, secret, active) ON ykval.clients TO 'ykval_verifier'@'localhost'; \
+GRANT INSERT(id, secret, active, created, email, notes, otp) ON ykval.clients TO 'ykval_verifier'@'localhost'; \
 GRANT SELECT,INSERT,UPDATE,DELETE ON ykval.queue TO 'ykval_verifier'@'localhost'; \
 SET PASSWORD FOR 'ykval_verifier'@'localhost' = PASSWORD('yourpassword'); \
 FLUSH PRIVILEGES;
From acb4ec2313591fe36b93943fd039edf3a3cc54b8 Mon Sep 17 00:00:00 2001
From: Robert Giles
Date: Fri, 8 Dec 2017 12:48:58 -0600
Subject: [PATCH 3/3] Initial take on an RPM spec file for RHEL7, to make this package easier to deploy with Puppet and other configuration management tools.

---
 yubikey-val.spec | 87 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 yubikey-val.spec

diff --git a/yubikey-val.spec b/yubikey-val.spec
new file mode 100644
index 0000000..72cbfa1
--- /dev/null
+++ b/yubikey-val.spec
@@ -0,0 +1,87 @@
+Name: yubikey-val
+Version: 2.39
+Release: ARL1%{?dist}
+Summary: The YubiKey Validation Server (YK-VAL) is a server that validates Yubikey One-Time Passwords (OTPs). YK-VAL is written in PHP, for use behind web servers such as Apache. The server implements the Yubico API protocol and further documentation is also available in the doc/ subdirectory. This server talks to a KSM service for decrypting the OTPs, to avoid storing any AES keys on the validation server. One implementation of this service is the YubiKey-KSM, and another implementation using the YubiHSM hardware is PyHSM. Note that version 1.x is a minimal centralized server. Version 2.x is a replicated system that uses multiple machines.
+License: BSD
+URL: https://github.com/Yubico/yubikey-val/releases
+Source0: https://github.com/Yubico/yubikey-val/archive/yubikey-val-%{version}.tar.gz
+
+BuildArch: noarch
+BuildRequires: make
+Requires: httpd php mariadb php-mysql mariadb-server
+
+%description
+
+
+%prep
+%setup -q
+
+
+#%build
+#make %{?_smp_mflags}
+
+
+%install
+rm -rf $RPM_BUILD_ROOT
+%make_install wwwgroup=apache
+
+
+%files
+%{_sysconfdir}/yubico/val/ykval-config.php
+%{_sbindir}/ykval-checksum-clients
+%{_sbindir}/ykval-checksum-deactivated
+%{_sbindir}/ykval-export
+%{_sbindir}/ykval-export-clients
+%{_sbindir}/ykval-gen-clients
+%{_sbindir}/ykval-import
+%{_sbindir}/ykval-import-clients
+%{_sbindir}/ykval-nagios-queuelength
+%{_sbindir}/ykval-queue
+%{_sbindir}/ykval-synchronize
+%{_prefix}/share/munin/plugins/ykval_ksmlatency
+%{_prefix}/share/munin/plugins/ykval_ksmresponses
+%{_prefix}/share/munin/plugins/ykval_queuelength
+%{_prefix}/share/munin/plugins/ykval_responses
+%{_prefix}/share/munin/plugins/ykval_vallatency
+%{_prefix}/share/munin/plugins/ykval_yubikeystats
+%{_prefix}/share/yubikey-val/ykval-common.php
+%{_prefix}/share/yubikey-val/ykval-db-oci.php
+%{_prefix}/share/yubikey-val/ykval-db-pdo.php
+%{_prefix}/share/yubikey-val/ykval-db.php
+%{_prefix}/share/yubikey-val/ykval-log-verify.php
+%{_prefix}/share/yubikey-val/ykval-log.php
+%{_prefix}/share/yubikey-val/ykval-resync.php
+%{_prefix}/share/yubikey-val/ykval-sync.php
+%{_prefix}/share/yubikey-val/ykval-synclib.php
+%{_prefix}/share/yubikey-val/ykval-verify.php
+
+%doc
+%{_docdir}/yubikey-val/Generating_Clients.adoc
+%{_docdir}/yubikey-val/Getting_Started_Writing_Clients.adoc
+%{_docdir}/yubikey-val/Import_Export_Data.adoc
+%{_docdir}/yubikey-val/Installation.adoc
+%{_docdir}/yubikey-val/Make_Release.adoc
+%{_docdir}/yubikey-val/Munin_Probes.adoc
+%{_docdir}/yubikey-val/Revocation_Service.adoc
+%{_docdir}/yubikey-val/Server_Replication_Protocol.adoc
+%{_docdir}/yubikey-val/Sync_Monitor.adoc
+%{_docdir}/yubikey-val/Troubleshooting.adoc
+%{_docdir}/yubikey-val/Validation_Protocol_V2.0.adoc
+%{_docdir}/yubikey-val/Validation_Server_Algorithm.adoc
+%{_docdir}/yubikey-val/YubiKey_Info_Format.adoc
+%{_docdir}/yubikey-val/ykval-db.oracle.sql
+%{_docdir}/yubikey-val/ykval-db.sql
+%{_mandir}/man1/ykval-checksum-clients.1.gz
+%{_mandir}/man1/ykval-checksum-deactivated.1.gz
+%{_mandir}/man1/ykval-export-clients.1.gz
+%{_mandir}/man1/ykval-export.1.gz
+%{_mandir}/man1/ykval-gen-clients.1.gz
+%{_mandir}/man1/ykval-import-clients.1.gz
+%{_mandir}/man1/ykval-import.1.gz
+%{_mandir}/man1/ykval-queue.1.gz
+%{_mandir}/man1/ykval-synchronize.1.gz
+
+
+%changelog
+* Mon Dec 04 2017 Robert Giles - 1:2.39-ARL1
+- Initial RHEL7 release, based on Yubico-published 2.39 release.
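Review bot: `%{_sysconfdir}/yubico/val/ykval-config.php` is listed in `%files` as an ordinary file, so every package upgrade will overwrite an operator-edited configuration; mark it `%config(noreplace) %{_sysconfdir}/yubico/val/ykval-config.php`, and because that file presumably carries the database credentials the Installation doc has the operator set (I cannot see the Makefile's install mode from here), consider adding `%attr(0640,root,apache)` on the same line so the file is readable by the web server group but not world-readable. The `%changelog` entry is labelled `1:2.39-ARL1`, which implies an Epoch of 1, yet no `Epoch:` tag is declared, so the changelog version does not match the EVR the package will actually carry. The `Summary:` tag holds the whole multi-paragraph project description while `%description` is left empty; RPM expects a one-line Summary, so move that text under `%description` and reduce the tag to something like `Summary: YubiKey validation server (YK-VAL)`. `%setup -q` assumes `Source0` unpacks into `yubikey-val-%{version}`; if the GitHub archive of the `yubikey-val-%{version}` tag unpacks into a differently named directory, `%setup -q -n <unpacked-dir>` is needed, which is worth confirming against the real tarball before this is used with configuration management.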