Yubico Forum

PostPosted: Tue Jul 07, 2015 11:17 pm 

Joined: Tue Jul 07, 2015 11:01 pm
Posts: 2
Howdy folks,

I'm wrapping my mind around how best to utilize the YubiHSM in my environment. We're implementing two servers (east coast, west coast) for use as two-factor RADIUS appliances:

Freeradius -> pam -> pam_yubi -> localhost validation server -> localhost ksm
(there's also a pam_ldap and a local ldap replica, to provide a second factor)

In order to prevent a chicken/egg problem during disasters, we're doing everything possible to stack all these services on a single host, which is then replicated for geographic redundancy.

Without the HSM, we need to manually load keys into each node's database (Postgres) and separately sync the validator's database to keep OTP counters accurate on both systems. As I understand it, the HSM module offers the possibility to use the device's internal database to store keys. Am I correct in assuming I can *not* use that internal database unless I want to restrict to the one unit? Is there a way to sync the internal counters of the database?

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val Postgres tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?

(forgive me if I'm missing something obvious, still trying to wrap my head around the documentation)

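As an added example (not code from the original post, nor from yubikey-val, yubikey-ksm or python-pyhsm), the following constructed Python model shows what "keeping the OTP counters accurate on both systems" means for two validators that are synced out of band. It works on the 16-byte decrypted OTP token that a KSM hands back (the CRC-16 residual check over that token is the real Yubico one), keeps a per-node counter table keyed by public ID, and merges the two tables the way an out-of-band sync would. The public ID, private ID, node names and counter values are all made up for the example.

```python
"""Constructed model of YubiKey OTP counter tracking on two validator nodes.

Added example, not yubikey-val or python-pyhsm code. Operates on the 16-byte
decrypted OTP token and models each validator's counter table plus an
out-of-band sync/merge between two nodes.
"""
from dataclasses import dataclass, field
import struct

# Residual of the Yubico CRC-16 (ISO 13239, reflected poly 0x8408) when run
# over all 16 token bytes, including the stored (inverted) CRC.
CRC_OK_RESIDUAL = 0xF0B8


def yubico_crc16(data: bytes) -> int:
    """Reflected CRC-16 as used inside the YubiKey OTP, initial value 0xFFFF."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


@dataclass(frozen=True)
class Token:
    uid: bytes            # 6-byte private identity
    session_counter: int  # 16-bit, incremented on every key power-up
    timestamp: int        # 24-bit, 8 Hz clock
    session_use: int      # 8-bit, incremented per OTP within one session


def build_token(uid: bytes, session_counter: int, timestamp: int,
                session_use: int, rnd: int = 0x1234) -> bytes:
    """Assemble a 16-byte plaintext token with a valid (inverted) CRC."""
    body = uid + struct.pack("<HHBBH", session_counter, timestamp & 0xFFFF,
                             timestamp >> 16, session_use, rnd)
    return body + struct.pack("<H", yubico_crc16(body) ^ 0xFFFF)


def token_is_intact(plain: bytes) -> bool:
    """True when the token has the right length and the CRC residual matches."""
    return len(plain) == 16 and yubico_crc16(plain) == CRC_OK_RESIDUAL


def parse_token(plain: bytes) -> Token:
    """Check the CRC and unpack the fields; raise ValueError on a corrupt token."""
    if not token_is_intact(plain):
        raise ValueError("bad token CRC")
    counter, ts_low, ts_high, use, _rnd, _crc = struct.unpack("<HHBBHH", plain[6:])
    return Token(plain[:6], counter, (ts_high << 16) | ts_low, use)


@dataclass
class ValidatorNode:
    """One validator's counter table: public_id -> (session_counter, session_use)."""
    name: str
    counters: dict = field(default_factory=dict)

    def verify(self, public_id: str, plain: bytes) -> str:
        tok = parse_token(plain)
        seen = self.counters.get(public_id, (-1, -1))
        # Tuple ordering: a higher session counter is new even if use reset to 0.
        if (tok.session_counter, tok.session_use) <= seen:
            return "REPLAYED_OTP"
        self.counters[public_id] = (tok.session_counter, tok.session_use)
        return "OK"

    def sync_from(self, other: "ValidatorNode") -> None:
        """Out-of-band sync: keep the highest counter pair either node has seen."""
        for pid, pair in other.counters.items():
            if pair > self.counters.get(pid, (-1, -1)):
                self.counters[pid] = pair


def replay_window_demo() -> list:
    """Verdicts from each step, showing the replay window between syncs."""
    uid = bytes.fromhex("8792ebfe26cc")   # constructed private id
    pid = "ccccccbtbtbt"                  # constructed public id (modhex)
    east, west = ValidatorNode("east"), ValidatorNode("west")
    otp1 = build_token(uid, 5, 0x00ABCD, 2)
    v1 = east.verify(pid, otp1)           # OK: first sight on east
    v2 = west.verify(pid, otp1)           # OK on west too: sync lag is a replay window
    west.sync_from(east)
    east.sync_from(west)
    v3 = west.verify(pid, otp1)           # REPLAYED_OTP once counters are merged
    otp2 = build_token(uid, 6, 0x00ABD0, 0)   # new session: counter 6, use back to 0
    v4 = east.verify(pid, otp2)           # OK: (6, 0) > (5, 2)
    west.sync_from(east)
    v5 = west.verify(pid, otp2)           # REPLAYED_OTP: west already knows (6, 0)
    return [v1, v2, v3, v4, v5]


if __name__ == "__main__":
    print(replay_window_demo())
```

The second verdict is the point of the model: between the moment one node accepts an OTP and the moment the other learns the new counter pair, the same OTP is accepted again on the other node. Any out-of-band copy of the counter tables (rsync, database replication, the HSM's internal database if it could be exported) leaves that window open for as long as the copy lags; the real yubikey-val sync protocol, which this model does not reproduce, exists to close it per request rather than per replication run.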

PostPosted: Tue Jul 14, 2015 5:58 pm 

Joined: Tue Jul 07, 2015 11:01 pm
Posts: 2
bmwt wrote:
Howdy folks,

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val's postgress tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?

I've been going down this route. I've initialized an HSM and set an AEAD AES key. I've used yhsm-generate-keys to create a key. I can get the secret out with yhsm-decrypt-aead, *using the AES key on the command line.* Do I really need to store that AES key in the clear somewhere to decrypt the blobs to provision YubiKeys? Is there a flag I'm missing to have the HSM use the internal copy of the key?

