Yubico Forum


All times are UTC + 1 hour




Posted: Wed Aug 23, 2017 5:19 am
Hi,

I'm trying to set up a self hosted validation server or yubikey-val and yubikey-ksm, both servers are
separated. I have followed the steps in this URL https://developers.yubico.com/yubikey-v ... ation.html,
as well as https://developers.yubico.com/yubikey-ksm/. I have also installed ykclient on a separate server
to test, verify and decrypt my servers.

I have generated the client keys and put them in the yubikey-val server MySQL with database of ykval.

When I try to test using the ykclient and verify or
ykclient --url "http://10.1.11.6/wsapi/2.0/verify" --apikey my_apikey= 2 my_otpkey --debug
Verification output (1): Yubikey OTP was bad (BAD_OTP)

My questions are:
1. I'm trying to search the net for any documentation about this self hosted server, with separated servers for both ykval and ykksm. If there is any, can you point me to that URL?
2. There is a setting in yubikey-val ykval-config.php
"http://127.0.0.1:80/wsapi/decrypt?otp=$otp"

Do I need to change this 127.0.0.1 to the IP address of my ykksm server?
3. Is there any other config I need to edit for this self-hosted separated validation server and ykksm server
to work?

Thank you in advance.
valgenova


Posted: Tue Sep 19, 2017 7:56 am
Hi,

Still troubleshooting the problem, to add for the troubleshooting

When I run this command on the ykksm server to test
wget -O - 'http://localhost/wsapi/decrypt?otp=mykeyfkgknthctdkdkrleficdrlhvlbjlgter'

error on the /var/log/apache2/ykksm-error.log
[Tue Sep 19 02:53:15.328215 2017] [:error] [pid 1465] [client 127.0.0.1:56256] PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48

I have php5-mcrypt installed.

Thank you in advance.

valgenova


Posted: Wed Sep 20, 2017 5:19 am
Hi,

Searching the net around to fix the mcrypt error
Quote:
PHP Fatal error: Call to undefined function mcrypt_module_open() in /usr/share/yubikey-ksm/ykksm-utils.php on line 48


I have enabled php5-mcrypt by editing /etc/php5/apache2/php.ini to add the line extension=mcrypt.so, then restarted apache2.

Then test the ykksm server again via

Quote:
curl 'http://localhost/wsapi/decrypt?otp=myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn' -v

Then I got this response
ERR Corrupt OTP
which the ykksm docs say is the correct response, and the logs are
Quote:
Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93


What I need to do now is troubleshoot the ykval server, when I run
Quote:
wget -q -O - 'http://localhost/wsapi/2.0/verify?id=1&nonce=asdmalksdmlkasmdlkasmdlakmsdaasklmdlak&otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'


I should get a status=NO_SUCH_CLIENT, I'm getting status=BAD_OTP. I have already generated some clients on the database

Thanks in advance

valgenova


Posted: Mon Sep 25, 2017 8:41 am
Hi,

Just a question: if I want to host a self validation server, do I really need to personalize my yubikey, or use the ykpersonalize tool? I tested my yubikey using Dropbox, and the yubikey works fine. I also tried the pam.d login;
my yubikey using the api.yubico.com to validate or verify also works fine. I'm trying to configure a self-hosted validation server and I'm getting this error.

Quote:
Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93


The only step I did not do is to personalize the yubikey
Again my question is, do I have to personalize my yubikey in order for my ykksm to work?

Thank you in advance

valgenova


Posted: Tue Sep 26, 2017 5:48 am
Hi,

After installing a personalization tool in Windows, I personalized my slot2, then input it in the ykksm database. I was able to test via wget on the localhost. I also tested the connection via ykclient and I get a SUCCESS OTP

Then I configured a VE container, set up pam.d and ssh for two step authentication, and tested logging in via ssh, and I was able to log in; the ykksm server also logs this

Quote:
Sep 26 00:36:02 auth-ksm ykksm[2090]: SUCCESS OTP myyubikeykeys PT myrandomlogs OK counter=0001 low=d301 high=b8 use=0b


If I get free time, I will write a doc on the steps I took to make this self hosted validation server, and will share it here
Thank you

valgenova
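
Added example, not part of the original posts and not ykksm's own code: the "UID error" line quoted in the thread carries the decrypted 16-byte OTP block, so splitting it into the Yubico OTP fields and checking its CRC-16 tells an AES key mismatch apart from a wrong stored private ID. The field layout and the CRC residue 0xf0b8 follow the Yubico OTP format; the function names are illustrative.

```python
import re

# Log line as quoted in the thread (the OTP itself is the poster's placeholder).
LOG_LINE = ("Sep 19 23:24:48 auth-ksm ykksm[3533]: UID error: "
            "myyubicootpjtgtbtirtuhfchrhulentjbdhglulhdn "
            "f56e9c3d8737839e9b850b7394bb50d9: f56e9c3d8737 vs d3f0fc27cd93")

UID_ERROR = re.compile(r"UID error: \S+ (?P<pt>[0-9a-f]{32}): "
                       r"(?P<got>[0-9a-f]{12}) vs (?P<want>[0-9a-f]{12})")

def crc16(data: bytes) -> int:
    """CRC-16 used by Yubico OTPs: init 0xffff, reflected polynomial 0x8408."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def parse_plaintext(pt_hex: str) -> dict:
    """Split the 16-byte decrypted OTP block into its fields."""
    pt = bytes.fromhex(pt_hex)
    if len(pt) != 16:
        raise ValueError("decrypted OTP block must be 16 bytes")
    return {
        "uid": pt[0:6].hex(),                           # private identity
        "counter": int.from_bytes(pt[6:8], "little"),   # power-up counter
        "ts_low": int.from_bytes(pt[8:10], "little"),   # timestamp, low 16 bits
        "ts_high": pt[10],                              # timestamp, high 8 bits
        "use": pt[11],                                  # session use counter
        "crc_ok": crc16(pt) == 0xF0B8,                  # residue over all 16 bytes
    }

def diagnose(line: str) -> dict:
    """Explain a ykksm 'UID error' line (hypothetical helper)."""
    m = UID_ERROR.search(line)
    if m is None:
        raise ValueError("not a ykksm UID error line")
    result = parse_plaintext(m["pt"])
    result["expected_uid"] = m["want"]
    # A bad CRC means the decryption produced garbage, so the AES key stored in
    # the KSM is not the key programmed into the token. A good CRC with a
    # different UID means the key is right but the stored private ID is wrong.
    result["verdict"] = ("AES key mismatch" if not result["crc_ok"]
                         else "private ID mismatch")
    return result
```

Calling `diagnose(LOG_LINE)` returns the parsed fields together with the verdict for the line from the thread.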

