Skip to content

Simple and secure YubiKey OTP validation server

License

Notifications You must be signed in to change notification settings

jaroug/yubikeyedup

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Yet Another YubiKey OTP Validation Server

Several other implementations are available. Some of them are not secure enough:

Official implementation is written in PHP (sigh...), and I don't know Go enough to audit digintLab's implementation:

This is a complete rewrite of YubiServe because the original project seems not to be designed with security in mind. Copy-and-paste programming made code reviews nearly impossible, there is no protection against SQL injection, etc.

This fork was given a new name to make it easy for people to differentiate from the original project.

Usage

Create a new database:

$ ./tools/dbcreate.py ./yubikeys.sqlite3

Plug and flash the YubiKeys (keys are also written to the database):

$ ./tools/flash.py gbush ./yubikeys.sqlite3
$ ./tools/flash.py bobama ./yubikeys.sqlite3

Add a new API key (here, the API key name is developers):

$ ./tools/dbconf.py -aa developers ./yubikeys.sqlite3

Run the server:

$ ./src/yubiserve.py --db ./yubikeys.sqlite3

That's it. The servers wanting to make use of two factor authentication need to be configured. The following paragraph shows an example for OpenSSH.

OpenSSH configuration example

Here's a summary of Yubico's documentation.

Get information about users and API on the machine hosting yubikeys.sqlite3:

$ ./tools/dbconf.py -yl ./yubikeys.sqlite3
2 keys into database:
[Nickname]              >> [PublicID]            >> [Active]
gbush                   >> ibhdhehrhkhuifhv      >> 1
bobama                  >> ibibhdhvhdhbhthb      >> 1

$ ./tools/dbconf.py -al ./yubikeys.sqlite3
1 keys into database:
[Id]    >> [Keyname]            >> [Secret]
1       >> developers           >> ckFsWU5scVNXRjVZc3lJUmpIVzU=

On the OpenSSH machine, add users to /etc/yubimap:

$ cat /etc/yubimap
barack:ibibhdhvhdhbhthb
george:ibhdhehrhkhuifhv

Configure PAM to use YubiKey authentication (take care of API id and API key values):

$ head /etc/pam.d/sshd | grep include
#@include common-auth
@include yubi-auth

$ cat /etc/pam.d/yubi-auth
auth       required     pam_yubico.so authfile=/etc/yubimap id=1 key=ckFsWU5scVNXRjVZc3lJUmpIVzU= url=http://yubikeyval.local:8000/wsapi/2.0/verify?id=%d&otp=%s mode=client token_id_length=16

Configure OpenSSH:

$ tail -4 /etc/ssh/sshd_config
ChallengeResponseAuthentication  no
Match User george,barack
    PasswordAuthentication       yes
    AuthenticationMethods        publickey,password

TODO

OATH/HOTP is not supported at present.

Original author

  • Alessio Periloso <mail at periloso.it>

About

Simple and secure YubiKey OTP validation server

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%