Yubico Forum
https://forum.yubico.com/

Programming keys and configuring server side
https://forum.yubico.com/viewtopic.php?f=5&t=212

Author:  dion.rowney [ Sun Dec 14, 2008 9:53 pm ]
Post subject:  Programming keys and configuring server side

Hi,

I have successfully been able to program my key using the Linux key personalizer and verified it with the ./ykdebug utility. I am now trying to configure the server and think I am doing all the right things, but it doesn't want to cooperate.

I am hoping someone can help by showing me what I am doing wrong. Here is the programming of the key and the config file. Please show me what it should be, based on the programming of the key portion:
Code:
root@eee:~/yubikey-personalization-read-only# ./ykpersonalize -ouid=abc123
Passphrase to create AES key: secretstuff
Firmware version 1.3.0 Touch level 9328 Program sequence 21
fixed:
uid:hbhdheebedee
key:hljcnnigitbvbfliftdrdukrgkehiikh
acc_code:cccccccccccc
ticket_flags:APPEND_CR
config_flags:
root@eee:~/yubikey-personalization-read-only# rmmod usbhid && modprobe usbhid
root@eee:~/yubikey-personalization-read-only# cd ../yubico-c-read-only/
root@eee:~/yubico-c-read-only# ls
aclocal.m4      configure.ac   Makefile     README            ykdebug.o
AUTHORS         COPYING        Makefile.am  selftest          yubikey.c
autom4te.cache  depcomp        Makefile.in  selftest.c        yubikey.h
config.guess    INSTALL        missing      selftest.o        yubikey.lo
config.log      install-sh     modhex       simple.mk         yubikey.o
config.status   libtool        modhex.c     test-vectors.txt
config.sub      libyubikey.la  modhex.o     ykdebug
configure       ltmain.sh      NEWS         ykdebug.c
root@eee:~/yubico-c-read-only# ./ykdebug hljcnnigitbvbfliftdrdukrgkehiikh kkrhgicjgvdlklcgecthkuneevniuild
Input:
  token: kkrhgicjgvdlklcgecthkuneevniuild
          99 c6 57 08 5f 2a 9a 05 30 d6 9e b3 3f b7 e7 a2
  aeskey: hljcnnigitbvbfliftdrdukrgkehiikh
          6a 80 bb 75 7d 1f 14 a7 4d 2c 2e 9c 59 36 77 96
Output:
          61 62 63 31 32 33 01 00 5e 70 d5 00 79 f1 e2 93

Struct:
  uid: 61 62 63 31 32 33
  counter: 1 (0x0001)
  timestamp (low): 28766 (0x705e)
  timestamp (high): 213 (0xd5)
  session use: 0 (0x00)
  random: 61817 (0xf179)
  crc: 37858 (0x93e2)

Derived:
  cleaned counter: 1 (0x0001)
  modhex uid: hbhdheebedee
  triggered by caps lock: no
  crc: F0B8
  crc check: ok
root@eee:~/yubico-c-read-only#


What should the contents of this yubiphpbase config.php file be, given the above?

Code:
/******* Erase this section after installation *******/

// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = '...enter yours...';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '...enter yours...';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = '.....enter yours.....';

/********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
$aesParams['__ENC_KEY_SECRET__'] = '.....enter yours.....';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'localhost';
$baseParams['__DB_USER__'] = '...enter yours...';
$baseParams['__DB_PW__'] = '...enter yours...';
$baseParams['__DB_NAME__'] = '...enter yours...';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com';
$baseParams['__ROOT_EMAIL__'] = '...enter yours...';


$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '...enter yours...';

//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';



thanks

Author:  network-marvels [ Tue Dec 16, 2008 4:13 pm ]
Post subject:  Re: Programming keys and configuring server side

We are assuming the following parameters for hosting a Yubico Validation Server:

    1) Pin for two factor authentication : 12345
    2) AES secret Key: yubicovalidationserver (Base64 encoded output: eXViaWNvdmFsaWRhdGlvbnNlcnZlcg== )
    3) Random Secret: YubicoYubikey (Base64 encoded output: WXViaWNvWXViaWtleQ==)
    4) MySQL Database Server hostname: sql.test.com
    5) MySQL User name : yubico
    6) MySQL User password: test123
    7) MySQL Database name: yubikey
    8) Root Email Address: admin@test.com
    9) Apache http document root: /var/www/html

The content of yubiphpbase config.php based on the above parameters would be:

Code:
<?php
/******************************************************
 *
 *      Customize EVERY parameter for your environment
 *
 ******************************************************/

//// AES secrets
//
$aesParams = array ();

/******* Erase this section after installation *******/

// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = 'vrkvfefuitvfiuibirllecjgbbnfhhirchithtvfrrbd';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '12345';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';

/********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'gklftrkvbvcbfhdafbedtjerrbbcgkuk';
$aesParams['__ENC_KEY_SECRET__'] = 'WXViaWNvWXViaWtleQ==';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'sql.test.com';   
$baseParams['__DB_USER__'] = 'yubico';
$baseParams['__DB_PW__'] = 'test123';
$baseParams['__DB_NAME__'] = 'yubikey';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com'; 
$baseParams['__ROOT_EMAIL__'] = 'admin@test.com';

$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '/var/www/html';

//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';

?>




As the AES key generated using the "ykpersonalize" tool is modhex encoded, we need to first decode (modhex decode) the AES key, then convert the decoded key to base64 encoded format and store it in the config.php file.

We are currently upgrading the Yubico personalization tool and the Yubico Management Server. The new versions will be released soon and will address all the above-mentioned issues.

Author:  dion.rowney [ Sun Dec 21, 2008 6:54 am ]
Post subject:  Re: Programming keys and configuring server side

I assume $otp=""; is a key press of my earlier programmed key?

Assuming this I installed using these configs and get this in the kms.log file:

2008-12-20 22:10:00: OTP failed: Key authentication failed: Could not parse response, otp=ndnurjtddcgdfbcrhubneefdgikhrtuc12345 by 192.168.100.13

I even tried without the PIN concatenated and get the same:

2008-12-20 23:52:47: OTP failed: Key authentication failed: Could not parse response, otp=rguvvirtcdchgrkkkghbdvihgflivcgh by 192.168.100.13

ideas?

Author:  dion.rowney [ Sun Dec 21, 2008 7:03 pm ]
Post subject:  Re: Programming keys and configuring server side

I tried

http://192.168.100.10/wsapi/verify_debu ... nfblfbhveu

and get:

Code:
<p>Debug> Invalid Yubikey gjndfgngdkkl
status=BAD_OTP
info=gjndfgngdkklvcjgebindtfivnenigdt
t=2008-12-21T18:00:36
<p>Debug> SIGN: info=gjndfgngdkklvcjgebindtfivnenigdt&status=BAD_OTP&t=2008-12-21T18:00:36
h=Ju1U9ETdOBgtxKqsO6x9B5EEyR0=


I also noticed that it does not appear to prepend the key identity to the otp (as seen by the following sequential keys):

Code:
jhblvdnekterkuddhrcniidnrkgvugbt
uebnhhnjlcrdgvdbghfjbkgnlbcjirti
nkktenriengnegdevcvrcfulindhtetv
undcvehjcngrkvegigerdljbngnkhhnb
tluitcffjrhbngidlnfbenthvgtgitbe


Did I program the key incorrectly? I thought the first 12 characters were static.

Author:  network-marvels [ Mon Dec 22, 2008 1:49 pm ]
Post subject:  Re: Programming keys and configuring server side

dion.rowney wrote:
I assume $otp=""; is a key press of my earlier programmed key?


In the yubiphpbase config.php file, we have to store an OTP generated from the reprogrammed YubiKey.

The stored OTP in the config.php file must be 44 characters long (first 12 characters of static ID + 32 characters of OTP).

The first 12 characters of the OTP, representing the static ID, will first be decoded from modhex, and the decoded static ID will be encoded in base64 format and stored in the database.

Author:  dion.rowney [ Tue Dec 23, 2008 6:22 am ]
Post subject:  Re: Programming keys and configuring server side

Adding the -ofixed option seemed to add the extra 12 chars at the front to make it 44, but still no luck.


So it definitely looks like the key programming is the root cause. Is the following what would be correct for the above example to work? And set otp= to an output? Or is the passphrase AES key the other secret?

Code:
root@eee:~/yubikey-personalization-read-only# ./ykpersonalize -ouid=abc123 -ofixed=abc123
Passphrase to create AES key: yubicovalidationserver
Firmware version 1.3.0 Touch level 9376 Program sequence 24
fixed:hbhdheebedee
uid:hbhdheebedee
key:nfrrcjjhjnglvdtfktgctjcjfjulduig
acc_code:cccccccccccc
ticket_flags:APPEND_CR
config_flags:
root@eee:~/yubikey-personalization-read-only#

Author:  network-marvels [ Tue Dec 23, 2008 8:25 am ]
Post subject:  Re: Programming keys and configuring server side

We would appreciate it if you could share the following information with us.

    1) yubiphpbase config.php file
    2) Five OTPs generated from your YubiKey

This would help us to figure out the problem you are facing.

Author:  dion.rowney [ Tue Dec 23, 2008 2:56 pm ]
Post subject:  Re: Programming keys and configuring server side

Code:
//// AES secrets
//
$aesParams = array ();

/******* Erase this section after installation *******/


// OTP from your admin key you are to use to log in to KMS
// Eg. $otp = 'gklhtdkvrbfnbuicngergckgdfvfrbfjfhgiffghcithv';
$otp = 'hbhdheebedeehdifkebgfhhbflrjccegdrctffnblrub';

// Admin PIN as the 2nd factor of auth
//Eg. $pin = '12345678';
$pin = '12345';

// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';


/********** End of section to erase after installation *******/

// Make up a random secret to encrypt data in DB in b64 format
// Eg. $aesParams['__ENC_KEY_SECRET__'] = 'cretsec';
$aesParams['__ENC_KEY_SECRET__'] = 'WXViaWNvWXViaWtleQ==';

//// DB, email and web related
//
$baseParams = array ();
$baseParams['__DB_HOST__'] = 'localhost';
$baseParams['__DB_USER__'] = 'yubico';
$baseParams['__DB_PW__'] = 'yub1c0';
$baseParams['__DB_NAME__'] = 'yubico';

// Eg. $baseParams['__ROOT_EMAIL__'] = 'support@yubico.com';
$baseParams['__ROOT_EMAIL__'] = 'dion.rowney@gmail.com';

$baseParams['__ORDER_URL__'] = 'http://yubico.com/products/order/';
$baseParams['__DOMAIN__'] = 'localhost';

// Eg. $baseParams['__DOC_ROOT__'] = '/apache/htdocs/'
$baseParams['__DOC_ROOT__'] = '/var/www';


//// Validation server
//

$valParams = array ();
$valParams['__VAL_URL__'] = 'http://localhost/wsapi/verify.php?id=';

//// HTML related
//
$headParams = array ();
$headParams['__SHORTCUT_ICON_URL__'] = 'http://localhost/kms/images/favicon.ico';

//// KMS admin activation welcome letter
//
$letterParams = array ();
$letterParams['__KMS_URL__'] = 'http://localhost/kms';



And some OTPs:

Code:
hbhdheebedeebtelvcegicernitfrggtblntntirvhgg
hbhdheebedeeujdjujrrujbjtgkiekkddujeelvjjgcc
hbhdheebedeejerdfrreuifjblkljjnnnhuvididrctu
hbhdheebedeedulhncujiibgjjnlbflvibhidthulcle
hbhdheebedeehlgtdifhcrbbhrercrcuirnclllutuef


Author:  network-marvels [ Wed Dec 24, 2008 6:57 am ]
Post subject:  Re: Programming keys and configuring server side

Thanks for providing this valuable information. We are looking into this and will update you asap.

Author:  network-marvels [ Mon Dec 29, 2008 4:19 pm ]
Post subject:  Re: Programming keys and configuring server side

In order to successfully decrypt the OTP, the AES key provided in the "config.php" file must be the one with which we have reprogrammed the YubiKey.

dion.rowney wrote:
// This is the AES secret inside your key
// Eg. $aesParams['__ADM_KEY_SECRET__'] = '7Bs1Rl4Itr2+ZmbyO/KCWQ==';
$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';


Please replace "$aesParams['__ADM_KEY_SECRET__'] = 'eXViaWNvdmFsaWRhdGlvbnNlcnZlcg==';" with "$aesParams['__ADM_KEY_SECRET__'] = 'tMwIhota8tSdUNgISOoudQ==';".

This should solve the issue and Yubico Validation server should verify your OTP correctly.
We have successfully tested it in our test environment.

Please let us know if you are facing any further configuration problems.
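The conversion network-marvels describes in the Dec 16 and Dec 29 replies (modhex-decode the ykpersonalize "key:" line, then base64 it for config.php, rather than base64-encoding the passphrase), worked through as an added Python example that is not part of the thread or of yubiphpbase. It uses the key and OTP values posted above; the function names are my own.

```python
import base64
from typing import Tuple

# Modhex alphabet used by YubiKeys: each character encodes one hex nibble (0..15).
MODHEX = "cbdefghijklnrtuv"


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string (a ykpersonalize key, or an OTP's 12-char public ID) to bytes."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a valid modhex string")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def adm_key_secret(modhex_key: str) -> str:
    """Turn the 32-char modhex 'key:' line printed by ykpersonalize into the
    base64 value __ADM_KEY_SECRET__ expects: the raw 16-byte AES-128 key."""
    raw = modhex_decode(modhex_key)
    if len(raw) != 16:
        raise ValueError("an AES-128 key must decode to exactly 16 bytes")
    return base64.b64encode(raw).decode("ascii")


def passphrase_b64(passphrase: str) -> str:
    """What the thread's first config stored: base64 of the passphrase itself.
    ykpersonalize derives the key FROM the passphrase, so this is never the key."""
    return base64.b64encode(passphrase.encode("ascii")).decode("ascii")


def split_otp(otp: str) -> Tuple[bytes, str]:
    """Split a 44-char OTP into its decoded 6-byte public (static) ID and the
    32-char modhex AES ciphertext that the validation server decrypts."""
    if len(otp) != 44:
        raise ValueError("expected 44 chars: 12-char public ID + 32-char ciphertext")
    return modhex_decode(otp[:12]), otp[12:]


if __name__ == "__main__":
    # Values from the thread: the reprogrammed key and one of the posted OTPs.
    print(adm_key_secret("nfrrcjjhjnglvdtfktgctjcjfjulduig"))   # tMwIhota8tSdUNgISOoudQ==
    print(passphrase_b64("yubicovalidationserver"))             # the value that failed
    public_id, ciphertext = split_otp("hbhdheebedeebtelvcegicernitfrggtblntntirvhgg")
    print(public_id, ciphertext)                                # b'abc123' ...
```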
