rlm_yubikey

Synopsis

This module decrypts and validates Yubikey static and dynamic OTP tokens.

The module itself does not provide persistent storage, as this would duplicate functionality already in the server.

Example servers block for the validation subsection (one uri item per validation server; see validation below):

    servers {
        uri = 'http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
        uri = 'http://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
    }

Processing Sections

Any.

Expansions

None.

Directives

- Syntax: id_length = 12
- Description: The length (number of ASCII bytes) of the Public-ID portion of the OTP string. Yubikey defaults to a 6 byte ID (2 * 6 = 12).

- Syntax: decrypt = boolean
- Default: no
- Description: Decrypt mode - Tokens will be decrypted and processed locally.
- Syntax: validate = boolean
- Default: no
- Description: Validation mode - Tokens will be validated against a Yubicloud server.
- Syntax: FIXME
- Default: FIXME
- Description: One of two control attributes required to be retrieved from persistent storage for Yubikey authentication. This value is compared with the counter in the OTP data and used to prevent replay attacks. This attribute will also be available in the request list after successful decryption. Yubikey-Counter isn’t strictly required, but the server will generate warnings if it’s not present when yubikey.authenticate is called. This attribute is one of four available after authentication (if successful). It contains the last counter value (which should be recorded).

- Syntax: FIXME
- Default: FIXME
- Description: One of two control attributes required to be retrieved from persistent storage for Yubikey authentication. The AES key used to decrypt the OTP data. The Yubikey-Public-Id and/or User-Name attributes may be used to retrieve the key.

- Syntax: FIXME
- Default: FIXME
- Description: This attribute is one of four available after authentication (if successful). It contains the encrypted ID included in the OTP data, and must be verified if tokens share keys.

- Syntax: FIXME
- Default: FIXME
- Description: This attribute is available after authorization. It is the public portion of the OTP string.

- Syntax: FIXME
- Default: FIXME
- Description: This attribute is one of four available after authentication (if successful). It contains a randomly generated value from the token.

- Syntax: FIXME
- Default: FIXME
- Description: This attribute is one of four available after authentication (if successful). It is the token’s internal clock, and is mainly useful for debugging purposes.
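As an added example (not code from the rlm_yubikey module or from this page), the following Go program shows what decrypt mode does with a token and where the attributes above come from: it modhex-decodes the OTP, decrypts the 16-byte block with the token's AES key, checks the embedded CRC, and extracts the private ID, counter, timestamp and random value, then applies the two checks the page describes (private ID comparison for shared keys, and counter comparison against the stored value to stop replays). The key, public ID, private ID and the OTP built from them are constructed sample values; the identifiers and the way the session counter and session-use counter are combined into one value are this example's own choices, not the module's.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

const modhexAlphabet = "cbdefghijklnrtuv" // a character's index is its nibble value
const IDLength = 12                       // the module's id_length default: 12 modhex chars = 6 bytes

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhexAlphabet, s[2*i]), strings.IndexByte(modhexAlphabet, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, fmt.Errorf("modhex: invalid character at offset %d", 2*i)
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is the checksum embedded in every Yubico OTP: CRC-16, reflected polynomial 0x8408, init 0xffff.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ (0x8408 & -(crc & 1)) // shift; xor the polynomial in when the low bit was set
		}
	}
	return crc
}

// Token carries the public ID (available after authorization) and the four values available after authentication.
type Token struct {
	PublicID, PrivateID []byte // unencrypted prefix; 6-byte secret identity (verify it when keys are shared)
	Counter, Timestamp  uint32 // session counter<<8 | session-use counter; 24-bit internal clock
	Random              uint16 // random filler generated by the token
}

// DecryptOTP decrypts one OTP with the token's AES-128 key and checks the embedded CRC.
func DecryptOTP(otp string, key []byte) (*Token, error) {
	if len(key) != 16 || len(otp) != IDLength+2*aes.BlockSize {
		return nil, fmt.Errorf("otp: need a 16-byte key and a %d-character OTP", IDLength+2*aes.BlockSize)
	}
	raw, err := modhexDecode(otp) // public ID followed by one encrypted AES block
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 16-byte key
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, raw[IDLength/2:]) // a single block, so no mode of operation is involved
	// Bytes 14-15 hold the inverted CRC of bytes 0-13, little-endian; a mismatch means the wrong
	// key was used or the token is corrupt, and none of the fields may be trusted in that case.
	if binary.LittleEndian.Uint16(pt[14:]) != ^crc16(pt[:14]) {
		return nil, fmt.Errorf("otp: CRC mismatch")
	}
	ctr := binary.LittleEndian.Uint16(pt[6:]) & 0x7fff // bit 15 is a flag, not part of the count
	return &Token{PublicID: raw[:IDLength/2], PrivateID: pt[:6], Random: binary.LittleEndian.Uint16(pt[12:]),
		Counter:   uint32(ctr)<<8 | uint32(pt[11]),
		Timestamp: uint32(pt[8]) | uint32(pt[9])<<8 | uint32(pt[10])<<16}, nil
}

// Authenticate applies the checks the page describes: the private ID must match the record for
// this key, and the counter must be above the last stored value, which blocks replays.
func Authenticate(tok *Token, wantPrivateID []byte, lastCounter uint32) error {
	if string(tok.PrivateID) != string(wantPrivateID) {
		return fmt.Errorf("otp: private ID mismatch")
	}
	if tok.Counter <= lastCounter {
		return fmt.Errorf("otp: counter %d not above stored %d, possible replay", tok.Counter, lastCounter)
	}
	return nil
}

// BuildSampleOTP assembles an OTP the way a token does; it only produces a constructed test
// vector here, since the page contains no key material.
func BuildSampleOTP(key, pub, priv []byte, ctr uint16, ts uint32, use uint8, rnd uint16) string {
	pt := make([]byte, aes.BlockSize)
	copy(pt[:6], priv)
	binary.LittleEndian.PutUint16(pt[6:], ctr)
	pt[8], pt[9], pt[10] = byte(ts), byte(ts>>8), byte(ts>>16)
	pt[11] = use
	binary.LittleEndian.PutUint16(pt[12:], rnd)
	binary.LittleEndian.PutUint16(pt[14:], ^crc16(pt[:14]))
	block, _ := aes.NewCipher(key)
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, pt)
	var sb strings.Builder
	for _, c := range append(append([]byte{}, pub...), ct...) {
		sb.WriteByte(modhexAlphabet[c>>4])
		sb.WriteByte(modhexAlphabet[c&0x0f])
	}
	return sb.String()
}

func main() {
	key, priv := []byte("0123456789abcdef"), []byte{0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff} // constructed
	otp := BuildSampleOTP(key, []byte{1, 2, 3, 4, 5, 6}, priv, 5, 0x123456, 2, 0xbeef)
	tok, err := DecryptOTP(otp, key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s -> counter=%d ts=%d\nfresh:  %v\nreplay: %v\n", otp, tok.Counter, tok.Timestamp,
		Authenticate(tok, priv, 5<<8|1), Authenticate(tok, priv, tok.Counter))
}
```

Run with go run: the program builds a sample token, decrypts it, accepts it against a stored counter just below its own, and rejects the very same token once the stored counter has caught up, which is why the page says the counter value must be recorded after each successful authentication.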
validation

The validation subsection contains settings for the validation mode.

Synopsis

Settings for validation mode. URL of the validation server; multiple URL config items may be used to list multiple servers.

- %d is a placeholder for the public ID of the token
- %s is a placeholder for the token string itself

If no URLs are listed, the module falls back to the default URLs in the ykclient library, which point to the Yubico validation servers.
Directives

- Syntax: client_id = 00000
- Default: FIXME
- Description: API Client ID. Must be set to your client id for the validation server.

- Syntax: api_key = '000000000000000000000000'
- Default: FIXME
- Description: API Secret key (Base64 encoded). Must be set to your API key for the validation server.
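Validation mode talks to the server with Yubico's validation protocol, in which both the request and the reply carry an HMAC-SHA1 signature under the api_key. The following Go program is an added example, not code from the module or the ykclient library: it fills one uri template of the form shown in the servers block (%d is filled with the client id here, because that is the value the verify API's id= parameter carries and the value the server looks up the shared api_key by; %s takes the OTP), signs the request, and checks a reply's signature, otp, nonce and status before trusting it. The OTP, nonce and reply are constructed sample values, the api_key value is the placeholder from the directive above, and the function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// sortedPairs returns the parameters other than h as key=value strings in key order, which
// is the string the validation protocol signs on both sides.
func sortedPairs(params map[string]string) []string {
	keys := make([]string, 0, len(params))
	for k := range params {
		if k != "h" {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	for i, k := range keys {
		keys[i] = k + "=" + params[k]
	}
	return keys
}

// sign is the protocol's h value: Base64(HMAC-SHA1(api_key, "k1=v1&k2=v2&...")).
func sign(apiKey []byte, params map[string]string) string {
	mac := hmac.New(sha1.New, apiKey)
	mac.Write([]byte(strings.Join(sortedPairs(params), "&")))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// BuildVerifyURL fills one uri template from the servers block (%d: client id, %s: OTP) and
// appends the nonce and the request signature, which covers id, otp and nonce.
func BuildVerifyURL(uriTemplate string, clientID int, apiKey []byte, otp, nonce string) string {
	params := map[string]string{"id": fmt.Sprint(clientID), "otp": otp, "nonce": nonce}
	return fmt.Sprintf(uriTemplate, clientID, otp) + "&nonce=" + nonce + "&h=" + url.QueryEscape(sign(apiKey, params))
}

// parseResponse splits the key=value lines of a verify reply; only the first '=' separates
// key from value, so the Base64 padding in h survives.
func parseResponse(body string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(body, "\n") {
		if k, v, ok := strings.Cut(strings.TrimSpace(line), "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// VerifyResponse applies the checks a client must make before trusting a reply: the signature
// verifies under the shared api_key, otp and nonce echo this request (a correctly signed reply
// to some other request must not be accepted), and only then is status consulted.
func VerifyResponse(body string, apiKey []byte, otp, nonce string) error {
	f := parseResponse(body)
	if f["h"] == "" || !hmac.Equal([]byte(f["h"]), []byte(sign(apiKey, f))) {
		return errors.New("ykclient: bad response signature")
	}
	if f["otp"] != otp || f["nonce"] != nonce {
		return errors.New("ykclient: reply does not match this request")
	}
	if f["status"] != "OK" {
		return fmt.Errorf("ykclient: validation server says %s", f["status"])
	}
	return nil
}

// BuildSampleResponse produces a signed reply as a constructed test vector; the page carries
// no real api_key, so it is signed with whatever key the caller passes.
func BuildSampleResponse(apiKey []byte, otp, nonce, status string) string {
	f := map[string]string{"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce, "sl": "100", "status": status}
	return "h=" + sign(apiKey, f) + "\r\n" + strings.Join(sortedPairs(f), "\r\n") + "\r\n"
}

func main() {
	apiKey, _ := base64.StdEncoding.DecodeString("000000000000000000000000") // placeholder value from the page
	otp, nonce := strings.Repeat("c", 44), "0123456789abcdef0123456789abcdef"     // constructed
	fmt.Println(BuildVerifyURL("http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s", 12345, apiKey, otp, nonce))
	good := BuildSampleResponse(apiKey, otp, nonce, "OK")
	fmt.Println("valid reply:  ", VerifyResponse(good, apiKey, otp, nonce))
	fmt.Println("foreign nonce:", VerifyResponse(good, apiKey, otp, "other-nonce"))
	fmt.Println("bad status:   ", VerifyResponse(BuildSampleResponse(apiKey, otp, nonce, "REPLAYED_OTP"), apiKey, otp, nonce))
}
```

The order of the checks in VerifyResponse matters: status is only read after the signature and the otp/nonce echo have been confirmed, so an unsigned or substituted "status=OK" line carries no weight, and the nonce check is what ties a reply to the request that produced it.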