rlm_yubikey

Synopsis

This module decrypts and validates Yubikey static and dynamic OTP tokens.

id_length is the length (number of ASCII bytes) of the Public-ID portion of the OTP string. The Yubikey defaults to a 6 byte ID, and each byte is encoded as two characters (2 * 6 = 12):

    id_length = 12

Decrypt mode - Tokens will be decrypted and processed locally

The module itself does not provide persistent storage as this would be duplicative of functionality already in the server.

Processing Sections

Any.

Expansions

None.

Directives

decrypt
Syntax

decrypt = boolean

Default

no

Description

Decrypt mode - Tokens will be decrypted and processed locally

validate
Syntax

validate = boolean

Default

no

Description

Validation mode - Tokens will be validated against a Yubicloud server

Yubikey-Counter
Syntax

FIXME

Default

FIXME

Description

One of two control attributes required to be retrieved from persistent storage for Yubikey authentication. This value is compared with the counter in the OTP data to prevent replay attacks. After successful decryption the attribute is also available in the request list. Yubikey-Counter isn’t strictly required, but the server will generate warnings if it’s not present when yubikey.authenticate is called. It is one of four attributes available after authentication (if successful) and contains the last counter value, which should be recorded.

Yubikey-Key
Syntax

FIXME

Default

FIXME

Description

One of two control attributes required to be retrieved from persistent storage for Yubikey authentication. The AES key used to decrypt the OTP data. The Yubikey-Public-Id and/or User-Name attributes may be used to retrieve the key.

Yubikey-Private-ID
Syntax

FIXME

Default

FIXME

Description

This attribute is one of four available after authentication (if successful). It contains the encrypted ID included in OTP data, and must be verified if tokens share keys.

Yubikey-Public-ID
Syntax

FIXME

Default

FIXME

Description

This attribute is available after authorization. It is the public portion of the OTP string.

Yubikey-Random
Syntax

FIXME

Default

FIXME

Description

This attribute is one of four available after authentication (if successful). It contains a randomly generated value from the token.

Yubikey-Timestamp
Syntax

FIXME

Default

FIXME

Description

This attribute is one of four available after authentication (if successful). It is the token’s internal clock, and is mainly useful for debugging purposes.
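Added example (not rlm_yubikey's own code) showing how the four attributes above are carved out of the decrypted 16-byte block, and how Yubikey-Counter and Yubikey-Private-ID are checked against the stored control attributes. The field layout, CRC and counter composition follow Yubico's published token format; AES decryption of the ciphertext with Yubikey-Key is assumed to have already produced the plaintext, and every sample value (private ID, counters, public ID) is constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet
ID_LENGTH = 12               # id_length: 6-byte public ID, two modhex chars per byte

def split_otp(otp: str, id_length: int = ID_LENGTH) -> tuple:
    """Yubikey-Public-ID plus the 32 modhex chars (16 bytes) of encrypted data."""
    if len(otp) != id_length + 32 or any(c not in MODHEX for c in otp):
        raise ValueError("malformed OTP string")
    return otp[:id_length], otp[id_length:]

def crc16(data: bytes) -> int:
    """Yubico's CRC-16 (poly 0x8408, init 0xFFFF); a valid 16-byte block leaves 0xF0B8."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_plaintext(uid: bytes, ctr: int, ts: int, use: int, rnd: int) -> bytes:
    """Constructed sample of the block a token encrypts; the CRC is stored inverted."""
    body = struct.pack("<6sHHBBH", uid, ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)

def parse_plaintext(pt: bytes) -> dict:
    """Decrypted block -> the four attributes available after authentication."""
    if len(pt) != 16 or crc16(pt) != 0xF0B8:
        raise ValueError("CRC check failed: wrong Yubikey-Key or damaged token")
    uid, ctr, ts_lo, ts_hi, use, rnd = struct.unpack("<6sHHBBH", pt[:14])
    return {"Yubikey-Private-ID": uid.hex(),
            "Yubikey-Counter": ((ctr & 0x7FFF) << 8) | use,  # top bit of ctr is a flag
            "Yubikey-Timestamp": ts_lo | ts_hi << 16,
            "Yubikey-Random": rnd}

def authenticate(otp: str, control: dict, plaintext: bytes) -> dict:
    """Replay and shared-key checks against the stored control attributes."""
    public_id, _ciphertext = split_otp(otp)     # AES decryption of _ciphertext assumed done
    attrs = parse_plaintext(plaintext)
    attrs["Yubikey-Public-ID"] = public_id
    if attrs["Yubikey-Private-ID"] != control["Yubikey-Private-ID"]:
        raise PermissionError("private ID mismatch: another token sharing this key")
    if attrs["Yubikey-Counter"] <= control["Yubikey-Counter"]:
        raise PermissionError("replayed OTP: counter did not advance")
    return attrs  # persist attrs["Yubikey-Counter"] as the new control value

if __name__ == "__main__":
    pt = build_plaintext(bytes.fromhex("8792ebfe26cc"), 19, 0x123456, 7, 0xBEEF)
    stored = {"Yubikey-Private-ID": "8792ebfe26cc", "Yubikey-Counter": 4870}
    print(authenticate("ccccccbtcvti" + "c" * 32, stored, pt))
```

A failed CRC means the plaintext did not decrypt under the expected key, so it is rejected before the counter is ever compared.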

validation

The validation subsection contains settings for the validation mode.

Synopsis

Settings for validation mode. Each uri item gives the URL of a validation server; multiple uri items may be listed to use multiple servers. %d is a placeholder for the public ID of the token and %s is a placeholder for the token string itself. If no URLs are listed, the module defaults to the URLs built into the ykclient library, which point to the Yubico validation servers.

servers {
    uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
    uri = 'http://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}

Directives

client_id
Syntax

client_id = 00000

Default

FIXME

Description

API Client ID. Must be set to your client id for the validation server.

api_key
Syntax

api_key = '000000000000000000000000'

Default

FIXME

Description

API Secret key (Base64 encoded). Must be set to your API key for the validation server.