Yubico Forum https://forum.yubico.com/

Howto: Setup Yubico KSM on top of CentOS 7 + Question https://forum.yubico.com/viewtopic.php?f=5&t=2080
Author: stefenTZ [ Mon Nov 02, 2015 10:59 pm ]
Post subject: Howto: Setup Yubico KSM on top of CentOS 7 + Question
Hello,

As I haven't received any feedback I assume that running Yubikey Validation Server and the Key Storage Module on top of CentOS is very uncommon. I'll share my install procedure so far, as the Installation Howto from Yubico is mainly written for Debian/Ubuntu and we need slightly different commands on CentOS, and the directories which are used also seem to be different. Unfortunately I am stuck at the final step, getting evidence that the KSM is working correctly. See question at the bottom.

How to Install Yubico Key Storage Module on top of CentOS 7

1) Install a plain CentOS7 without any additional packages

2) Install all Updates via
Code:
    yum -y update

3) Install some Basic Tools
Code:
    yum -y install mc nano mlocate wget links
mc, links, nano, mlocate, wget should be on every Linux machine.

4) Install Apache Webserver and PHP (which is covered in Step 2 from the Yubico KSM Installation Guide). As you need to have the webserver group available when running make install, you need to install Apache before (!) you install the Yubico KSM
Code:
    yum -y install httpd php php-mcrypt
    systemctl start httpd.service
    systemctl enable httpd.service

5) Following Step 1 from the Yubico KSM Installation Howto
Code:
    yum -y install wget make help2man
    wget http://yubico.github.com/yubikey-ksm/releases/yubikey-ksm-1.8.tgz
    tar xfz yubikey-ksm-1.8.tgz
    cd yubikey-ksm-1.8
    sudo make install
If you run "make install" you will receive an error message as the Default group for the Apache webserver is not www-data, but apache on CentOS. Because of that you need to make changes to the Makefile via
Code:
    nano Makefile
and change the line
    wwwgroup = www-data
to
    wwwgroup = apache
Save the file and run the make install command again.

It is a good idea to save the output of the make install command, as it includes all path information:
Code:
    [root@vsrv-yubiksm-2 yubikey-ksm-1.8]# sudo make install
    install -D --mode 640 .htaccess /usr/share/ykksm/.htaccess
    install -D --mode 640 ykksm-decrypt.php /usr/share/ykksm/ykksm-decrypt.php
    install -D --mode 640 ykksm-utils.php /usr/share/ykksm/ykksm-utils.php
    install -D ykksm-gen-keys /usr/bin/ykksm-gen-keys
    install -D ykksm-import /usr/bin/ykksm-import
    install -D ykksm-export /usr/bin/ykksm-export
    install -D ykksm-checksum /usr/bin/ykksm-checksum
    install -D --backup --mode 640 --group apache ykksm-config.php /etc/ykksm/ykksm-config.php
    install -D ykksm-db.sql /usr/share/doc/ykksm/ykksm-db.sql
    install -D Makefile /usr/share/doc/ykksm/ykksm.mk
    install -D doc/DecryptionProtocol.wiki doc/DesignGoals.wiki doc/GenerateKeys.wiki doc/GenerateKSMKey.wiki doc/ImportKeysToKSM.wiki doc/Installation.wiki doc/KeyProvisioningFormat.wiki doc/ServerHardening.wiki doc/SyncMonitor.wiki /usr/share/doc/ykksm/

6) Install MySQL / MariaDB (which is covered in Step 3 from the Yubico KSM Install Howto)
Code:
    yum -y install mariadb-server mariadb php-mysql
    systemctl start mariadb.service
    systemctl enable mariadb.service
    mysql_secure_installation
    service mariadb restart
Follow all suggestions from the mysql_secure_installation command (setting a password / remove remote access and test database etc.)

7) Create a database and a user:
Code:
    [root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p
    Enter password:
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 10
    Server version: 5.5.44-MariaDB MariaDB Server

    Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> create database ykksm;
    Query OK, 1 row affected (0.00 sec)

    MariaDB [(none)]> \q
    Bye

Setup your database layout:
Code:
    [root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p ykksm < /usr/share/doc/ykksm/ykksm-db.sql
    Enter password:
    [root@vsrv-yubiksm-2 yubikey-ksm-1.8]#

Create two database users for the new database. Please change the Phrase
Code:
    [root@vsrv-yubiksm-2 yubikey-ksm-1.8]# mysql -u root -p ykksm
    Enter password:
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 18
    Server version: 5.5.44-MariaDB MariaDB Server

    Copyright (c) 2000, 2015, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [ykksm]> CREATE USER 'ykksmreader';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('changeme');
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> CREATE USER 'ykksmimporter';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> GRANT INSERT ON ykksm.yubikeys TO 'ykksmimporter'@'localhost';
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('changeme');
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> FLUSH PRIVILEGES;
    Query OK, 0 rows affected (0.00 sec)

    MariaDB [ykksm]> \q
    Bye

8) Changes to the Include Path for PHP (Step 4 of the Yubico Install Howto)
The Installation howto uses the following path information:
    include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm",
On CentOS we have slightly different:
    include_path = "/etc/ykksm:/usr/share/ykksm"
Also the path to the .ini files for PHP is different (/etc/php.d/ instead of /etc/php5/conf.d/)
Code:
    nano /etc/php.d/ykksm.ini
Just add the following line:
    include_path = "/etc/ykksm:/usr/share/ykksm"

9) Changes regarding Logging (Step 5 from the Yubico Installation Howto)
Skipped and will be done on the final production system

10) Install the PHP Decrypt-Script (Step 7 of the Yubico KSM Install Howto)
The default path for your html files on CentOS is ...
Code:
    cat /etc/httpd/conf/httpd.conf | grep DocumentRoot
... /var/www/html
As such you might want to tweak the ykksm.mk install helper script which is located under /usr/share/doc/ykksm/ (not at /usr/share/doc/yubikey-ksm/ as mentioned in the Install HowTo)
Code:
    nano /usr/share/doc/ykksm/ykksm.mk
Edit line 68 and change
    wwwprefix = /var/www/wsapi
to:
    wwwprefix = /var/www/html/wsapi
After editing the helper script you can use it:
Code:
    [root@vsrv-yubiksm-2 ykksm]# make -f /usr/share/doc/ykksm/ykksm.mk symlink
    install -d /var/www/html/wsapi
    ln -sf /usr/share/ykksm/.htaccess /var/www/html/wsapi/.htaccess
    ln -sf /usr/share/ykksm/ykksm-decrypt.php /var/www/html/wsapi/decrypt.php

11) Make final changes to ykksm-config.php (Step 7 of the Install Howto)
Looking at the config file which can be found under /etc/ykksm you need to add your MySQL database password, which you have set up above via the MySQL command prompt. Just edit the "$dbpass = ..." line
Code:
    [root@vsrv-yubiksm-2 ykksm]# cat /etc/ykksm/ykksm-config.php
    <?php
    //ykksm will use the configuration stored in /etc/ykksm/config-db.php, if that file exists. If it does not exist, the below values will be used.
    if(!include '/etc/ykksm/config-db.php') {
        $dbuser='ykksmreader';
        $dbpass='yourpassword';
        $basepath='';
        $dbname='ykksm';
        $dbserver='';
        $dbport='';
    }
    $db_dsn = "$dbtype:dbname=$dbname;host=127.0.0.1";
    $db_username = $dbuser;
    $db_password = $dbpass;
    $db_options = array();
    $logfacility = LOG_AUTH;
    ?>
Strangely the variable $dbtype is NOT set, that's why I have changed the $db_dsn string to:
    $db_dsn = "mysql:dbname=$dbname;host=127.0.0.1";
You might also just add another variable to define $db_dsn. Make the changes (password and DB connection type) using your editor of choice:
Code:
    nano /etc/ykksm/ykksm-config.php

12) According to the Yubico KSM Install Howto the setup is now finished and you should be able to test your setup via
Code:
    wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
This should return a message:
    ERR Unknown Yubikey
Unfortunately this doesn't work in my case. I've removed the -q (quiet) switch to get an output of the wget command:
Code:
    wget -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
    --2015-11-02 23:41:03--  http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
    Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
    Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
    HTTP-Anforderung gesendet, warte auf Antwort... 404 Not Found
    2015-11-02 23:41:03 FEHLER 404: Not Found.
Unfortunately I am stuck here. I have created a PHP-Info page to check if the path is available and if the webserver is set up correctly:
Code:
    [root@vsrv-yubiksm-2 ykksm]# cat /var/www/html/wsapi/test.php
    <?php phpinfo(); ?>
The PHP Info page is shown correctly:
Code:
    links http://localhost/wsapi/test.php
But I can't use the decrypt PHP script. Content of the /var/www/html/wsapi folder:
Code:
    [root@vsrv-yubiksm-2 wsapi]# ls -la
    insgesamt 4
    drwxr-xr-x. 2 root root 55  2. Nov 23:42 .
    drwxr-xr-x. 3 root root 18  2. Nov 23:27 ..
    lrwxrwxrwx. 1 root root 34  2. Nov 23:27 decrypt.php -> /usr/share/ykksm/ykksm-decrypt.php
    lrwxrwxrwx. 1 root root 26  2. Nov 23:27 .htaccess -> /usr/share/ykksm/.htaccess
    -rw-r--r--. 1 root root 21  2. Nov 23:42 test.php
I have also tried to use the full file name decrypt.php but then I got an Error 500 - Internal Server Error message:
Code:
    [root@vsrv-yubiksm-2 wsapi]# wget -O - 'http://localhost/wsapi/decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
    --2015-11-02 23:47:45--  http://localhost/wsapi/decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh
    Auflösen des Hostnamen »localhost (localhost)«... ::1, 127.0.0.1
    Verbindungsaufbau zu localhost (localhost)|::1|:80... verbunden.
    HTTP-Anforderung gesendet, warte auf Antwort... 500 Internal Server Error
    2015-11-02 23:47:45 FEHLER 500: Internal Server Error.

QUESTION: What have I done wrong? Is someone running Yubico KSM on top of RedHat and CentOS and can point me in the right direction? As I have put some work into writing this howto, I hope someone is willing to help get things up and running. Of course I will edit this howto and add the necessary hints on what needs to be done to get KSM working on CentOS.

Regards - Stefen
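A post-install sanity check for the three CentOS-specific edits this howto makes: the include_path in /etc/php.d/ykksm.ini, the literal driver prefix in $db_dsn in /etc/ykksm/ykksm-config.php (the shipped "$dbtype:" expands to an empty driver when $dbtype is unset), and the two symlinks ykksm.mk places in the wsapi directory. This is an added example, not code from the post or from the yubikey-ksm project; the function names and script layout are my own, and the default paths are the ones printed by the make install output above.

```shell
#!/bin/sh
# Added example (not from the forum post or the yubikey-ksm project):
# sanity checks for a CentOS 7 ykksm install. Every function takes the
# path to check as an argument; the defaults are the CentOS paths from
# the make install and ykksm.mk output quoted in the howto.

# 1) /etc/php.d/ykksm.ini must carry the CentOS include_path, not the
#    Debian one (/etc/yubico/ksm:/usr/share/yubikey-ksm) from upstream.
php_include_path_ok() {
    ini="${1:-/etc/php.d/ykksm.ini}"
    [ -f "$ini" ] || return 1
    grep -Eq '^[[:space:]]*include_path[[:space:]]*=[[:space:]]*"/etc/ykksm:/usr/share/ykksm"' "$ini"
}

# 2) $db_dsn must start with a literal PDO driver name such as "mysql:".
#    A line that still reads "$dbtype:dbname=..." fails this check.
dsn_has_driver() {
    cfg="${1:-/etc/ykksm/ykksm-config.php}"
    [ -f "$cfg" ] || return 1
    grep -Eq '^[[:space:]]*\$db_dsn[[:space:]]*=[[:space:]]*"[a-z]+:dbname=' "$cfg"
}

# 3) The symlinks created by "make -f ykksm.mk symlink" must exist and
#    resolve to real files (a dangling link gives Apache nothing to run).
wsapi_links_ok() {
    dir="${1:-/var/www/html/wsapi}"
    for f in decrypt.php .htaccess; do
        [ -L "$dir/$f" ] && [ -e "$dir/$f" ] || return 1
    done
    return 0
}

# Run all three and print one line each; the return value is the number
# of failed checks (0 means the install matches the howto).
ksm_check_all() {
    fails=0
    php_include_path_ok "$1" && echo "ok   include_path" \
        || { echo "FAIL include_path (${1:-/etc/php.d/ykksm.ini})"; fails=$((fails+1)); }
    dsn_has_driver "$2" && echo "ok   db_dsn driver prefix" \
        || { echo "FAIL db_dsn driver prefix (${2:-/etc/ykksm/ykksm-config.php})"; fails=$((fails+1)); }
    wsapi_links_ok "$3" && echo "ok   wsapi symlinks" \
        || { echo "FAIL wsapi symlinks (${3:-/var/www/html/wsapi})"; fails=$((fails+1)); }
    return $fails
}

# Usage: sh ykksm-check.sh run [ini] [config] [wsapi-dir]
case "${1:-}" in
    run) shift; ksm_check_all "$@" ;;
esac
```

Run it as root on the KSM host after step 11; a FAIL on the DSN line is the "$dbtype is NOT set" problem from the post, and a FAIL on the symlinks means ykksm.mk was run with the wrong wwwprefix.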
Author: dain [ Wed Nov 04, 2015 10:46 am ]
Post subject: Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question
I have no CentOS experience, but the 500 error should provide you with more information in the apache error log, which should be in the following location for CentOS (according to google):
    /var/log/httpd/error_log
Hopefully that will give you an idea as to what is going wrong. If not, post it here and I'll take a look.
Author: valdis [ Tue Mar 15, 2016 8:31 pm ]
Post subject: Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question
Hit the same 500 issue on Fedora Rawhide. Turned out it was a weird permission problem.

1) chmod 755 /etc/ykksm - for some reason it was mode 644. For directories, 'r' lets you read all the entry names, but 'x' is needed to access the entry's inode (in other words, you could do an "ls /etc/ykksm" and see the files, but "ls -l /etc/ykksm" or "cat /etc/ykksm/whatever" would fail...)

2) At least on Rawhide, /usr/share/ykksm/ykksm-utils.php had to be fiddled with - comment out lines 31 to 39 which redefine hex2bin

The .htaccess still isn't firing to do the URL rewrite, so I have to call it with the .php extension still. But given that, I now have:
    % curl 'http://localhost/wsapi/ykksm-decrypt.php?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
    ERR Unknown yubikey
Author: will1928 [ Tue Mar 22, 2016 10:36 am ]
Post subject: Re: Howto: Setup Yubico KSM on top of CentOS 7 + Question
Hi Stefan,

Thanks for the guide so far. Believe it is a permissions error which I also encountered. Can be resolved with the following*:
Code:
    chown apache /usr/share/ykksm
    chown apache /etc/ykksm
    chmod -R 0755 /usr/share/ykksm
    chmod -R 0755 /etc/ykksm

*quick fix and likely unsafe
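Both replies point at the same cause: Apache runs as group apache, and in the make install output from the first post only ykksm-config.php was installed with --group apache, while .htaccess, ykksm-decrypt.php and ykksm-utils.php went in with mode 640 and the installer's own group (root), so the web server can neither traverse a 644 /etc/ykksm nor read the scripts under /usr/share/ykksm. Below is an added example, not code from the thread or from the yubikey-ksm project: an audit of the group traverse/read bits on the two directories, plus a tightening step that keeps root ownership, hands the group to the web server and uses 750 for directories and 640 for files (the mode make install chose for the config, which holds $dbpass) instead of a world-readable chmod -R 0755. The function names are my own; it assumes GNU stat and find as shipped on CentOS 7, and takes the web server group as a parameter so the same functions run elsewhere.

```shell
#!/bin/sh
# Added example (not from the forum thread or the yubikey-ksm project):
# audit and optionally tighten the permissions Apache needs on the ykksm
# directories on CentOS 7. Requires GNU stat/find. GROUP is passed in by
# the caller (apache on CentOS) rather than hard-coded.

mode_of() { stat -c '%a' "$1"; }            # octal permission bits, e.g. 640

# A 644 directory lets you list entry names but not reach the files inside
# (no x bit), which Apache surfaces as a 500. The group needs r and x.
dir_group_traversable() {
    [ -d "$1" ] || return 1
    [ $(( (0$(mode_of "$1") >> 3) & 5 )) -eq 5 ]
}

# Every regular file under DIR must be group-readable (so group apache can
# load the PHP) and must not be world-readable (ykksm-config.php carries
# the database password). Succeeds only when find reports no offender.
files_group_only() {
    [ -d "$1" ] || return 1
    [ -z "$(find "$1" -type f \( ! -perm -g=r -o -perm -o=r \))" ]
}

# Tighten: owner stays as it is (root), group becomes the web server's,
# directories 750, files 640, matching the mode make install used for
# ykksm-config.php. Nothing becomes world-readable.
ksm_tighten_perms() {
    dir="$1"; group="$2"
    [ -d "$dir" ] || return 1
    chgrp -R "$group" "$dir" &&
    find "$dir" -type d -exec chmod 750 {} + &&
    find "$dir" -type f -exec chmod 640 {} +
}

# Audit the two directories make install populated; the return value is
# the number of failed checks (0 means Apache can read what it needs and
# nobody else can read the config).
ksm_audit() {
    fails=0
    for d in "${1:-/etc/ykksm}" "${2:-/usr/share/ykksm}"; do
        if dir_group_traversable "$d"; then
            echo "ok   $d: group can traverse (mode $(mode_of "$d"))"
        else
            echo "FAIL $d: group cannot traverse (mode $(mode_of "$d" 2>/dev/null))"
            fails=$((fails+1))
        fi
        if files_group_only "$d"; then
            echo "ok   $d: files group-readable, not world-readable"
        else
            echo "FAIL $d: some files unreadable by group or readable by everyone"
            fails=$((fails+1))
        fi
    done
    return $fails
}

# Usage: sh ykksm-perms.sh audit [/etc/ykksm] [/usr/share/ykksm]
#        sh ykksm-perms.sh fix   [/etc/ykksm|/usr/share/ykksm] [apache]
case "${1:-}" in
    audit) ksm_audit "$2" "$3" ;;
    fix)   ksm_tighten_perms "${2:-/etc/ykksm}" "${3:-apache}" ;;
esac
```

After "fix" on both directories, the 500 from the first post should turn into the "ERR Unknown yubikey" reply valdis got, and the only accounts able to read $dbpass are root and the apache group.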