I've spent the last day or so setting up a test environment in which I have created a validation server, ksm server and configured a couple debian boxes to use two factor authentication to our own servers. We are interested in managing our own keys and validation and will have need for redundancy. I've managed to reprogram the second slot on the yubikey I'm testing with and successfully import the keys to the KSM server. Things are great...so here comes some questions for which I have not been able to find any answers:
1. How do you set up a server to use multiple validation endpoints for authentication? I'm using the the pam_yubico.so module in the sshd config. I've gotten the two-factor authentication working just fine. I've tried adding multiple references to this module using different urls, but ultimately this will not work if both are set to "required". (Eventually I'm going make this module required in addition to the standard password for two factor it's in sufficient status just for testing.) Here's the line in /etc/pam.d/sshd
Code:
auth sufficient pam_yubico.so id=1 authfile=/etc/.yubikey_mappings url=http://myserver.com/wsapi/2.0/verify?id=%d&nonce=ajighnguemciwjnghiuejd&otp=%s debug
2. I'd like to test the https side of things on the validation server, but I think I'm running into certificate trust issues on the request coming from the server I'm trying to authenticate from because I'm using a locally issued certificate. Is there a way around this during testing?
3. Is there a sync process for KSM servers like there is for the validation servers? Or what is the correct process to keep the key servers synchronized? Just import the same keys to each?
I hope my questions make sense and I'm not being too much of a dimwit.Statistics: Posted by jsajdak — Fri Oct 15, 2010 10:32 pm
]]>