Yubico Forum
https://forum.yubico.com/

hsm internal database, otp counters
https://forum.yubico.com/viewtopic.php?f=22&t=1955

Author:  bmwt [ Tue Jul 07, 2015 11:17 pm ]
Post subject:  hsm internal database, otp counters

Howdy folks,

I'm wrapping my mind around how best to utilize the YubiHSM in my environment. We're implementing two servers (east coast, west coast) for use as two-factor RADIUS appliances:

Freeradius -> pam -> pam_yubi -> localhost validation server -> localhost ksm
(there's also a pam_ldap and a local ldap replica, to provide a second factor)

In order to prevent a chicken/egg problem during disasters, we're doing everything possible to stack all these services on a single host, which is then replicated for geographic redundancy.

Without the HSM, we need to manually load keys into each node's database (postgres) and separately sync the validator's database to keep OTP counters accurate on both systems. As I understand it, the HSM module offers the possibility to use the device's internal database to store. Am I correct in assuming I can *not* use that internal database unless I want to restrict to the one unit? Is there a way to sync the internal counters of the database?

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val's postgres tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?

(forgive me if I'm missing something obvious, still trying to wrap my head around the documentation)

thanks!

-bmwt

Author:  bmwt [ Tue Jul 14, 2015 5:58 pm ]
Post subject:  Re: hsm internal database, otp counters

bmwt wrote:
Howdy folks,

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val's postgres tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?



I've been going down this route. I've initialized an HSM, and set an AEAD AES key. I've used yhsm-generate-keys to create a key. I can get the secret out with yhsm-decrypt-aead, *using the AES key on the command line.* Do I really need to store that AES key in the clear somewhere to decrypt the blobs to provision YubiKeys? Is there a flag I'm missing to have the HSM use the internal copy of the key?

thanks,

-bmwt

All times are UTC + 1 hour