Yubico Forum

Hello,
As I haven't received any feedback I assume that running Yubikey Validation Server and the Key Storage Module on top of CentOS is very uncommon.
I'll share my install procedure so far, as the Installation Howto from Yubico is mainly written for Debian/Ubuntu and we need slightly different commands on CentOS and the directories which are uses also seem to be different.
Unfortunately I am stuck at the final step, getting an evidence that the KSM is working correctly.
See question at the bottom.

How to Install Yubico Key Storage Module on top of CentOS 7

1) Install a plain CentOS7 without any additional packages

2) Install all Updates via

3) Install some Basic Tools
mc, links, nano, mlocate, wget should be on every Linux machine.

4) Install Apache Webserver and PHP (which is covered in Step 2 from the Yubico KSM Installation Guide.
As you need to have the webserver group available when running make install, you need to install Apache before (!) you install the Yubico KSM


5) Following Step 1 from the Yubico KSM Installation Howto

If you run "make install" you will receive an error message as the Default group for the Apache webserver is not WWW-data, but Apache on CentOs.
Because of that you need to make changes to the MakeFile via and change the line wwwgroup = www-data to wwwgroup = apache
Save the file and run the make install command again.
It is a good idea to save the output of the make install command, as it includes all path informations:



6) Install MySQL / MariaDB (which is covered in Step 3 from the Yubico KSM Install Howto)

Follow all suggestions from the mysql_secure_installation command (Setting a password / remove remote access and test database etc.)

7) Create a database and a user:


Setup your database layout:


Create two database users for the new database. Please change the Phrase


8) Changes to the Include Path for PHP (Step 4 of the Yubico Install Howto)
The Installation howto uses the following path Information:
include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm",
On CentOS we have slightly different:
include_path = "/etc/ykksm:/usr/share/ykksm"

Also the path to the .ini files for PHP is different (/etc/php.d/ instead of /etc/php5/conf.d/)

Just add the following line:
include_path = "/etc/ykksm:/usr/share/ykksm"

9) Changes regarding Logging (Step 5 from the Yubico Installation Howto)
Skipped and will be done on the final production System

10) Install the PHP Decrypt-Script (Step 7 of the Yubico KSM Install Howto)
The Default path for your html files on CentOS is ...

... /var/www/html

As such you might want to tweak the ykksm.mk-Install-Helper-Script which is located under /usr/share/doc/ykksm/ (not at /usr/share/doc/yubikey-ksm/ as mentioned in the Install HowTo)

Edit line 68 and change
wwwprefix = /var/www/wsapi
to:
wwwprefix = /var/www/html/wsapi

After editing the helper Script you can use it:


11) Make final changes to ykksm-config.php (Step 7 of the Install Howto)
Looking at the config file which can be found under /etc/ykksm you need to add your MySQL database Password, which you have setup above via the MySQL command prompt.
Just edit the "$dbpass = ..." line

Strangely the variable $dbtype is NOT set, that's why I have changed the $db_dsn string to:
$db_dsn = "mysql:dbname=$dbname;host=127.0.0.1";
You might also just add another variable to define $db_dsn.
Make the changes (Password and DB connection type) using your editor of choice:



12) According to the Yubico KSM Install Howto the setup is now finished and you should be able to test your setup via

This should return a message:
ERR Unknown Yubikey


Unfortunately this doesn't work in my case, I've removed the -q (quiet) switch to get an output of the wget command:


Unfortunately I am stucked here.

I have created a PHP-Info page to check if the path is available and if the webserver is setup correctly:

The PHP Info page is shown correctly:

But I can't use the decrypt-PHP-Script

Content of the /var/www/html/wsapi-Folder:



I have also tried to use the full file name decrpyt.php but then I got an Error 500 - Internal Server Error message:


QUESTION:
What have I done wrong? Is someone running Yubico KSM on top of RedHat and CentOS and can point me into the right direction?
As I have put some work writing this howto, I hope someone is willing to help get things up and running.
Of course I will edit these howto and add the neccessary hints what needs to be done to get KSM working on CentOS.

Regards

- Stefen

I have no CentOS experience, but the 500 error should provide you with more information in the apache error log, which should be in the following location for CentOS (according to google): /var/log/httpd/error_log

Hopefully that will give you an idea as to what is going wrong. If not, post it here and I'll take a look.

Hit the same 500 issue on Fedora Rawhide. Turned out it was a weird permission problem.

1) chmod 755 /etc/ykksm - for some reason it was mode 644. For directories, 'r' lets you read all the entry names, but 'x' is needed to access the entry's inode (in other words, you could do an ''ls /etc/ykksm" and see the files, but 'ls -l /etc/ykksm" or "cat /etc/ykksm/whatever" would fail...

2) At least on Rawhide, /usr/share/ykksm/ykksm-utils.php had to be fiddled with - comment out lines 31 to 39 which redefine hex2bin

The .htaccess still isn't firing to do the URL rewrite, so I have to call it with the .php extension still. But given that, I now have:

% curl 'http://localhost/wsapi/ykksm-decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Unknown yubikey

Hi Stefan, Thanks for the guide so far. Believe it is a permissions error which I also encountered.

Can be resolved with the following*:


*quick fix and likely unsafe