Yubico Forum
https://forum.yubico.com/

Howto: Setup Yubico KSM on top of CentOS 7 + Question
https://forum.yubico.com/viewtopic.php?f=5&t=2080

Author:  stefenTZ [ Mon Nov 02, 2015 10:59 pm ]
Post subject:  Howto: Setup Yubico KSM on top of CentOS 7 + Question

Hello,
As I haven't received any feedback, I assume that running the Yubikey Validation Server and the Key Storage Module on top of CentOS is very uncommon.
I'll share my install procedure so far, as the Installation Howto from Yubico is mainly written for Debian/Ubuntu, and we need slightly different commands on CentOS; the directories which are used also seem to be different.
Unfortunately I am stuck at the final step, getting evidence that the KSM is working correctly.
See the question at the bottom.

How to Install Yubico Key Storage Module on top of CentOS 7

1) Install a plain CentOS7 without any additional packages

2) Install all Updates via
Code:
yum -y update


3) Install some Basic Tools
Code:
yum -y install mc nano mlocate wget links

mc, links, nano, mlocate, wget should be on every Linux machine.

4) Install Apache Webserver and PHP (which is covered in Step 2 of the Yubico KSM Installation Guide).
As you need to have the webserver group available when running make install, you need to install Apache before (!) you install the Yubico KSM.
Code:
yum -y install httpd php php-mcrypt
systemctl start httpd.service
systemctl enable httpd.service


5) Following Step 1 from the Yubico KSM Installation Howto
Code:
yum -y install wget make help2man
wget http://yubico.github.com/yubikey-ksm/releases/yubikey-ksm-1.8.tgz
tar xfz yubikey-ksm-1.8.tgz
cd yubikey-ksm-1.8
sudo make install

If you run "make install" you will receive an error message, as the default group for the Apache webserver is not www-data but apache on CentOS.
Because of that you need to make changes to the Makefile via
Code:
nano Makefile
and change the line wwwgroup = www-data to wwwgroup = apache.
Save the file and run the make install command again.
It is a good idea to save the output of the make install command, as it includes all path information:

Code:
[root@vsrv-yubiksm-2 yubikey-ksm-1.8]# sudo make install
install -D --mode 640 .htaccess /usr/share/ykksm/.htaccess
install -D --mode 640 ykksm-decrypt.php /usr/share/ykksm/ykksm-decrypt.php
install -D --mode 640 ykksm-utils.php /usr/share/ykksm/ykksm-utils.php
install -D ykksm-gen-keys /usr/bin/ykksm-gen-keys
install -D ykksm-import /usr/bin/ykksm-import
install -D ykksm-export /usr/bin/ykksm-export
install -D ykksm-checksum /usr/bin/ykksm-checksum
install -D --backup --mode 640 --group apache ykksm-config.php /etc/ykksm/ykksm-config.php
install -D ykksm-db.sql /usr/share/doc/ykksm/ykksm-db.sql
install -D Makefile /usr/share/doc/ykksm/ykksm.mk
install -D doc/DecryptionProtocol.wiki doc/DesignGoals.wiki doc/GenerateKeys.wiki doc/GenerateKSMKey.wiki doc/ImportKeysToKSM.wiki doc/Installation.wiki doc/KeyProvisioningFormat.wiki doc/ServerHardening.wiki doc/SyncMonitor.wiki /usr/share/doc/ykksm/


6) Install MySQL / MariaDB (which is covered in Step 3 from the Yubico KSM Install Howto)
Code:
yum -y install mariadb-server mariadb php-mysql
systemctl start mariadb.service
systemctl enable mariadb.service
mysql_secure_installation
service mariadb restart

Follow all suggestions from the mysql_secure_installation command (Setting a password / remove remote access and test database etc.)

7) Create a database and a user:
Code:
[root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database ykksm;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> \q
Bye


Setup your database layout:
Code:
[root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p ykksm < /usr/share/doc/ykksm/ykksm-db.sql
Enter password:
[root@vsrv-yubiksm-2 yubikey-ksm-1.8]#


Create two database users for the new database. Please change the phrase:
Code:
[root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p ykksm
Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 18
Server version: 5.5.44-MariaDB MariaDB Server

Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [ykksm]> CREATE USER 'ykksmreader';
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('changeme');
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> CREATE USER 'ykksmimporter';
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('changeme');
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

MariaDB [ykksm]> \q
Bye


8) Changes to the Include Path for PHP (Step 4 of the Yubico Install Howto)
The Installation howto uses the following path information:
include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"
On CentOS it is slightly different:
include_path = "/etc/ykksm:/usr/share/ykksm"

Also the path to the .ini files for PHP is different (/etc/php.d/ instead of /etc/php5/conf.d/)
Code:
nano /etc/php.d/ykksm.ini

Just add the following line:
include_path = "/etc/ykksm:/usr/share/ykksm"

9) Changes regarding Logging (Step 5 from the Yubico Installation Howto)
Skipped and will be done on the final production System

10) Install the PHP Decrypt-Script (Step 7 of the Yubico KSM Install Howto)
The Default path for your html files on CentOS is ...
Code:
grep DocumentRoot /etc/httpd/conf/httpd.conf

... /var/www/html

As such you might want to tweak the ykksm.mk install helper script, which is located under /usr/share/doc/ykksm/ (not at /usr/share/doc/yubikey-ksm/ as mentioned in the Install HowTo)
Code:
nano /usr/share/doc/ykksm/ykksm.mk

Edit line 68 and change
wwwprefix = /var/www/wsapi
to:
wwwprefix = /var/www/html/wsapi

After editing the helper Script you can use it:
Code:
[root@vsrv-yubiksm-2 ykksm]# make -f /usr/share/doc/ykksm/ykksm.mk symlink
install -d /var/www/html/wsapi
ln -sf /usr/share/ykksm/.htaccess /var/www/html/wsapi/.htaccess
ln -sf /usr/share/ykksm/ykksm-decrypt.php /var/www/html/wsapi/decrypt.php


11) Make final changes to ykksm-config.php (Step 7 of the Install Howto)
Looking at the config file, which can be found under /etc/ykksm, you need to add your MySQL database password, which you have set up above via the MySQL command prompt.
Just edit the "$dbpass = ..." line:
Code:
[root@vsrv-yubiksm-2 ykksm]# cat /etc/ykksm/ykksm-config.php
<?php
//ykksm will use the configuration stored in /etc/ykksm/config-db.php, if that file exists. If it does not exist, the below values will be used.

if(!include '/etc/ykksm/config-db.php') {
        $dbuser='ykksmreader';
        $dbpass='yourpassword';
        $basepath='';
        $dbname='ykksm';
        $dbserver='';
        $dbport='';
}

$db_dsn      = "$dbtype:dbname=$dbname;host=127.0.0.1";
$db_username = $dbuser;
$db_password = $dbpass;
$db_options  = array();
$logfacility = LOG_AUTH;
?>

Strangely the variable $dbtype is NOT set, that's why I have changed the $db_dsn string to:
$db_dsn = "mysql:dbname=$dbname;host=127.0.0.1";
You might also just add another variable to define $db_dsn.
Make the changes (Password and DB connection type) using your editor of choice:
Code:
nano /etc/ykksm/ykksm-config.php



12) According to the Yubico KSM Install Howto the setup is now finished and you should be able to test your setup via
Code:
wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'

This should return a message:
ERR Unknown Yubikey


Unfortunately this doesn't work in my case. I've removed the -q (quiet) switch to get the output of the wget command:
Code:
wget -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
--2015-11-02 23:41:03--  http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 404 Not Found
2015-11-02 23:41:03 FEHLER 404: Not Found.


Unfortunately I am stuck here.

I have created a PHP-Info page to check if the path is available and if the webserver is setup correctly:
Code:
[root@vsrv-yubiksm-2 ykksm]# cat /var/www/html/wsapi/test.php
<?php
 phpinfo();
?>

The PHP Info page is shown correctly:
Code:
links http://localhost/wsapi/test.php

But I can't use the decrypt-PHP-Script :-(

Content of the /var/www/html/wsapi-Folder:
Code:
[root@vsrv-yubiksm-2 wsapi]# ls -la
insgesamt 4
drwxr-xr-x. 2 root root 55  2. Nov 23:42 .
drwxr-xr-x. 3 root root 18  2. Nov 23:27 ..
lrwxrwxrwx. 1 root root 34  2. Nov 23:27 decrypt.php -> /usr/share/ykksm/ykksm-decrypt.php
lrwxrwxrwx. 1 root root 26  2. Nov 23:27 .htaccess -> /usr/share/ykksm/.htaccess
-rw-r--r--. 1 root root 21  2. Nov 23:42 test.php



I have also tried to use the full file name decrypt.php, but then I got an Error 500 - Internal Server Error message:
Code:
[root@vsrv-yubiksm-2 wsapi]# wget -O - 'http://localhost/wsapi/decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
--2015-11-02 23:47:45--  http://localhost/wsapi/decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 500 Internal Server Error
2015-11-02 23:47:45 FEHLER 500: Internal Server Error.


QUESTION:
What have I done wrong? Is someone running Yubico KSM on top of RedHat and CentOS and can point me in the right direction?
As I have put some work into writing this howto, I hope someone is willing to help get things up and running.
Of course I will edit this howto and add the necessary hints on what needs to be done to get KSM working on CentOS.

Regards

- Stefen
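As an added example (not part of the post above and not code from Yubico's KSM package), here is a small shell audit for three of the CentOS-specific points the procedure ends with: the include_path in /etc/php.d/ykksm.ini (step 8), the two wsapi symlinks (step 10), and whether ykksm-config.php still interpolates the unset $dbtype (step 11). The root prefix, the audit/make_tree helpers and the two constructed trees are assumptions made so it runs offline; on a real host call `audit /`.

```shell
#!/bin/sh
# Added example, not part of the post or of the ykksm package: audit the
# CentOS-specific layout the procedure ends with. ROOT is a prefix so the
# checks can run against a constructed tree; on the real host use ROOT=/.

# Step 8: /etc/php.d/ykksm.ini must carry the CentOS include_path, not the
# Debian one from Yubico's howto.
check_include_path() {
    grep -qxF 'include_path = "/etc/ykksm:/usr/share/ykksm"' \
        "$1/etc/php.d/ykksm.ini" 2>/dev/null
}

# Step 10: both entries created by 'make -f ykksm.mk symlink' must exist and
# resolve; a dangling link shows up as a 404 or 500 from httpd as well.
check_symlinks() {
    local link
    for link in "$1/var/www/html/wsapi/decrypt.php" "$1/var/www/html/wsapi/.htaccess"; do
        [ -L "$link" ] || return 1      # not a symlink at all
        [ -e "$link" ] || return 1      # symlink whose target is missing
    done
}

# Step 11: if ykksm-config.php interpolates $dbtype it must also assign it,
# otherwise the DSN starts with ":dbname=" and carries no driver prefix.
check_dbtype() {
    local cfg="$1/etc/ykksm/ykksm-config.php"
    [ -r "$cfg" ] || return 1
    if grep -q '\$dbtype' "$cfg"; then
        grep -q '\$dbtype *=' "$cfg" || return 1
    fi
}

# Run all checks, report each failure, return non-zero if any failed.
audit() {
    local root="$1" rc=0
    check_include_path "$root" || { echo "include_path in php.d/ykksm.ini is not the CentOS one"; rc=1; }
    check_symlinks "$root"     || { echo "wsapi symlinks missing or dangling"; rc=1; }
    check_dbtype "$root"       || { echo "\$dbtype used but never set in ykksm-config.php"; rc=1; }
    return "$rc"
}

# Constructed trees (not a real install): "ok" mirrors the finished layout,
# "broken" has the Debian include_path and the unset $dbtype from the post.
make_tree() {
    local root="$1" variant="$2"
    mkdir -p "$root/etc/php.d" "$root/etc/ykksm" "$root/usr/share/ykksm" "$root/var/www/html/wsapi"
    : > "$root/usr/share/ykksm/ykksm-decrypt.php"
    : > "$root/usr/share/ykksm/.htaccess"
    ln -sf "$root/usr/share/ykksm/ykksm-decrypt.php" "$root/var/www/html/wsapi/decrypt.php"
    ln -sf "$root/usr/share/ykksm/.htaccess" "$root/var/www/html/wsapi/.htaccess"
    if [ "$variant" = broken ]; then
        echo 'include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"' > "$root/etc/php.d/ykksm.ini"
        printf '<?php\n$db_dsn = "$dbtype:dbname=$dbname;host=127.0.0.1";\n' > "$root/etc/ykksm/ykksm-config.php"
    else
        echo 'include_path = "/etc/ykksm:/usr/share/ykksm"' > "$root/etc/php.d/ykksm.ini"
        printf '<?php\n$db_dsn = "mysql:dbname=$dbname;host=127.0.0.1";\n' > "$root/etc/ykksm/ykksm-config.php"
    fi
}

demo=$(mktemp -d)
make_tree "$demo/good" ok
make_tree "$demo/broken" broken
audit "$demo/good" && echo "good tree: all checks passed"
audit "$demo/broken" || echo "broken tree: problems found"
rm -rf "$demo"
```

The checks are deliberately narrow: they only confirm that the files the procedure creates say what the procedure says they should, which is the part that differs between the Debian howto and CentOS.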

Author:  dain [ Wed Nov 04, 2015 10:46 am ]
Post subject:  Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question

I have no CentOS experience, but the 500 error should provide you with more information in the Apache error log, which should be in the following location for CentOS (according to Google): /var/log/httpd/error_log

Hopefully that will give you an idea as to what is going wrong. If not, post it here and I'll take a look.

Author:  valdis [ Tue Mar 15, 2016 8:31 pm ]
Post subject:  Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question

Hit the same 500 issue on Fedora Rawhide. Turned out it was a weird permission problem.

1) chmod 755 /etc/ykksm - for some reason it was mode 644. For directories, 'r' lets you read all the entry names, but 'x' is needed to access the entry's inode (in other words, you could do an "ls /etc/ykksm" and see the files, but "ls -l /etc/ykksm" or "cat /etc/ykksm/whatever" would fail)...

2) At least on Rawhide, /usr/share/ykksm/ykksm-utils.php had to be fiddled with - comment out lines 31 to 39 which redefine hex2bin

The .htaccess still isn't firing to do the URL rewrite, so I have to call it with the .php extension still. But given that, I now have:

% curl 'http://localhost/wsapi/ykksm-decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
ERR Unknown yubikey

Author:  will1928 [ Tue Mar 22, 2016 10:36 am ]
Post subject:  Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question

Hi Stefan, thanks for the guide so far. I believe it is a permissions error, which I also encountered.

Can be resolved with the following*:

Code:
chown apache /usr/share/ykksm
chown apache /etc/ykksm

chmod -R 0755 /usr/share/ykksm
chmod -R 0755 /etc/ykksm

*quick fix and likely unsafe
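As an added example that is not from the thread, the script below models the traversal rule valdis describes (a directory needs 'x', not just 'r', before anything beneath it can be opened) for a process running as the web server's group, reproduces the mode-644 directory on a constructed tree, and applies a narrower repair than the chown apache / chmod -R 0755 quick fix above: ownership stays with root, the directory and its files are handed to the web server's group, 750 on directories and 640 on files, so $dbpass in ykksm-config.php is not world-readable and the web process cannot rewrite the scripts it serves. The group name is a parameter ('apache' on CentOS); the has_bit/web_can_read/fix_perms helpers are assumptions, the constructed tree uses the caller's own group as a stand-in, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: model what the httpd worker needs in
# order to open a file. The worker is assumed to run as a non-root user that
# does not own the files (the install leaves them root-owned) but is a member
# of WEBGROUP ('apache' on CentOS). GNU stat (coreutils) is assumed.

# Does a process in WEBGROUP, which is not the owner, hold permission BIT
# (4 = r, 2 = w, 1 = x) on PATH? Group bits apply if the file's group is
# WEBGROUP, otherwise the "other" bits apply.
has_bit() {
    local path="$1" webgroup="$2" bit="$3" mode grp triplet
    mode=$(stat -c '%a' "$path") || return 1     # e.g. 644 or 2755
    grp=$(stat -c '%G' "$path") || return 1
    if [ "$grp" = "$webgroup" ]; then
        triplet=$(( (0$mode >> 3) & 7 ))          # group rwx bits
    else
        triplet=$(( 0$mode & 7 ))                 # "other" rwx bits
    fi
    [ $(( triplet & bit )) -ne 0 ]
}

# Walk REL (relative to ROOT) the way the kernel does: every directory on
# the way needs 'x' (search), the file itself needs 'r'. This is the rule
# behind the 644-directory failure: 'r' alone lists names but opens nothing.
web_can_read() {
    local root="$1" rel="$2" webgroup="$3" cur="$1" rest comp
    rest="${rel#/}"
    while [ -n "$rest" ]; do
        comp="${rest%%/*}"
        if [ "$comp" = "$rest" ]; then rest=""; else rest="${rest#*/}"; fi
        has_bit "$cur" "$webgroup" 1 || { echo "cannot traverse $cur"; return 1; }
        cur="$cur/$comp"
    done
    has_bit "$cur" "$webgroup" 4 || { echo "cannot read $cur"; return 1; }
}

# Narrower repair than chown apache + chmod -R 0755 (an assumption, not the
# thread's fix): owner stays root, group becomes WEBGROUP, directories 750
# (traversable by the web server only), files 640 (readable, not writable,
# and hidden from "other").
fix_perms() {
    local dir="$1" webgroup="$2"
    chmod 750 "$dir" || return 1                  # restore search access first
    chgrp -R "$webgroup" "$dir" || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} +
}

# Constructed tree reproducing the state from the thread; the caller's own
# group stands in for 'apache' because this runs without root.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ykksm"
chmod 755 "$demo" "$demo/etc"
printf '<?php $dbpass = "changeme";\n' > "$demo/etc/ykksm/ykksm-config.php"
chmod 640 "$demo/etc/ykksm/ykksm-config.php"
chmod 644 "$demo/etc/ykksm"                       # the mode valdis found
webgroup=$(stat -c '%G' "$demo")
web_can_read "$demo" etc/ykksm/ykksm-config.php "$webgroup" || echo "before fix: config unreadable (expect the 500)"
fix_perms "$demo/etc/ykksm" "$webgroup"
web_can_read "$demo" etc/ykksm/ykksm-config.php "$webgroup" && echo "after fix: readable by $webgroup"
web_can_read "$demo" etc/ykksm/ykksm-config.php constructed-other-group || echo "after fix: still hidden from other users"
rm -rf "$demo"
```

The same walk can be run against the real paths on the server (ROOT=/, REL=etc/ykksm/ykksm-config.php or usr/share/ykksm/ykksm-decrypt.php, WEBGROUP=apache) before touching any modes, which tells you which component the 500 is coming from without reading the error log.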
