Yubico Forum


PostPosted: Tue Apr 19, 2016 7:01 pm 

Joined: Tue Apr 19, 2016 6:43 pm
Posts: 3
Hi all,
I am trying to set up a cluster for yubikey OTP validation using radius. I followed this: https://developers.yubico.com/yubikey-v ... ation.html

Now, I have two servers with two YubiHSMs which are in the same pool. Here is my ykval-config.php on both:

Code:
<?php
$baseParams = array ();
$baseParams['__YKVAL_DB_DSN__'] = "mysql:dbname=ykval;host=127.0.0.1";
$baseParams['__YKVAL_DB_USER__'] = 'ykval_verifier';
$baseParams['__YKVAL_DB_PW__'] = 'Pa$$W0RD';
$baseParams['__YKVAL_DB_OPTIONS__'] = array();

$baseParams['__YKRESYNC_IPS__'] = array("192.168.1.12", "192.168.1.20");
$baseParams['__YKVAL_SYNC_POOL__'] = array("http://first-yk-server.local/wsapi/2.0/sync", "http://second-yk-server.local/wsapi/2.0/sync");

$baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array("192.168.1.12", "192.168.1.20");

$baseParams['__YKVAL_SYNC_INTERVAL__'] = 10;
$baseParams['__YKVAL_SYNC_RESYNC_TIMEOUT__'] = 30;
$baseParams['__YKVAL_SYNC_OLD_LIMIT__'] = 10;

$baseParams['__YKVAL_SYNC_FAST_LEVEL__'] = 1;
$baseParams['__YKVAL_SYNC_SECURE_LEVEL__'] = 40;
$baseParams['__YKVAL_SYNC_DEFAULT_LEVEL__'] = 30;
$baseParams['__YKVAL_SYNC_DEFAULT_TIMEOUT__'] = 1;

function otp2ksmurls ($otp, $client) {

  return array(
               "http://127.0.0.1:8002/wsapi/decrypt?otp=$otp",
               );
}

?>


This is what happens if I fire up ykval-queue:

Code:
# ykval-queue
PHP Notice:  Undefined index:  in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice:  Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice:  Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice:  Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice:  Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice:  Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice:  Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice:  Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice:  Undefined index:  in /usr/share/yubikey-val/ykval-synclib.php on line 424


And this:

Code:
PHP Notice:  Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 332
PHP Notice:  Undefined offset: 1 in /usr/share/yubikey-val/ykval-synclib.php on line 589
PHP Notice:  Undefined index: local_counter in /usr/share/yubikey-val/ykval-synclib.php on line 592
PHP Notice:  Undefined index: local_use in /usr/share/yubikey-val/ykval-synclib.php on line 593
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 355
PHP Notice:  Undefined index: modified in /usr/share/yubikey-val/ykval-synclib.php on line 156
PHP Notice:  Undefined index: nonce in /usr/share/yubikey-val/ykval-synclib.php on line 157
PHP Notice:  Undefined index: yk_publicname in /usr/share/yubikey-val/ykval-synclib.php on line 158
PHP Notice:  Undefined index: yk_high in /usr/share/yubikey-val/ykval-synclib.php on line 161
PHP Notice:  Undefined index: yk_low in /usr/share/yubikey-val/ykval-synclib.php on line 162
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 271
PHP Notice:  Undefined index: yk_counter in /usr/share/yubikey-val/ykval-synclib.php on line 249
PHP Notice:  Undefined index: �U� in /usr/share/yubikey-val/ykval-synclib.php on line 424
PHP Warning:  curl_close() expects parameter 1 to be resource, array given in /usr/share/yubikey-val/ykval-synclib.php on line 447


Some strange unicode characters are appearing here.

And I noticed a bogus entry in the DB which is probably causing all this:

Code:
mysql> SELECT * from yubikeys WHERE yk_publicname = "";
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
| active | created    | modified | yk_publicname | yk_counter | yk_use | yk_low | yk_high | nonce            | notes |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
|      1 | 1461087547 |       -1 |               |         -1 |     -1 |     -1 |      -1 | 0000000000000000 |       |
+--------+------------+----------+---------------+------------+--------+--------+---------+------------------+-------+
1 row in set (0.00 sec)


I can delete it but it comes back as long as ykval-queue is running.

Finally, here is my /var/log/messages on the host that has problems (second-yk-server.local in my config):

Code:
LOG_INFO:ykval-queue:synclib:server=http://first-yk-server.local/wsapi/2.0/sync, server_nonce=<SERVER_NONCE_HERE>, info=yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE_HERE>,local_counter=49&local_use=0
LOG_INFO:ykval-queue:synclib:database not updated modified=1461087576 nonce=<NONCE_HERE> yk_publicname=cccccc<6morechars> yk_counter=52 yk_use=0 yk_high=188 yk_low=11100
LOG_NOTICE:ykval-queue:synclib:Discovered new identity
LOG_NOTICE:ykval-queue:synclib:params for yk_publicname  not found in database
LOG_NOTICE:ykval-queue:synclib:Local server out of sync compared to counters at validation request time.
LOG_WARNING:ykval-queue:synclib:Local server out of sync compared to current local counters. Local server updated.
LOG_ERR:ykval-queue:synclib:Remote server has higher counters than OTP. This response would have marked the OTP as invalid.


I had to censor my nonce/yk_publicname.

Anyway, does anyone know what is causing this and what I can do to debug this further?

I tried dropping the yubikeys and queue tables, but the same problem appears again. Here is my queue table on the second server:

Code:
mysql> select * from queue;
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
| queued | modified   | server_nonce                     | otp                                          | server                                | info                                                                                                                                                 |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
|   NULL | 1461087545 | 7e259894650a75f053b41df688c674ad | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=50&yk_use=0&yk_high=169&yk_low=788&nonce=<NONCE>,local_counter=49&local_use=0   |
|   NULL | 1461087571 | 37b4701d86ef6c66d5e0ff6ad6288a13 | cccccc<THE_REST_OF_OTP> | http://first-yk-server.local/wsapi/2.0/sync | yk_publicname=cccccc<6morechars>&yk_counter=52&yk_use=0&yk_high=188&yk_low=11100&nonce=<NONCE>,local_counter=51&local_use=0 |
+--------+------------+----------------------------------+----------------------------------------------+---------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)



PostPosted: Fri Apr 22, 2016 12:20 pm 
Site Admin

Joined: Mon Dec 08, 2014 2:52 pm
Posts: 314
Ideally you should use our yubikey-val package, preferably on Ubuntu 14.04.

I think that should solve your issue.


PostPosted: Fri Apr 22, 2016 11:59 pm 

Joined: Tue Apr 19, 2016 6:43 pm
Posts: 3
I am on CentOS 6 using the latest yubikey-val from git.
As long as the queue table is empty there are no errors. As soon as an entry appears there I get errors. Here's the MySQL debug log on second-yk-server.local:

Code:
160422 15:57:36       3 Query   select distinct server from queue WHERE queued < 1461365846 or queued is null
          3 Query   select * from queue WHERE (queued < 1461365846 or queued is null) and server='http://first-yk-server.local/wsapi/2.0/sync' LIMIT 1000
          3 Query   UPDATE yubikeys SET  modified='1461363170', yk_counter='313', yk_use='0', yk_low='17484', yk_high='90', nonce='<<NONCE>>' WHERE yk_publicname = 'cccccc<<6CHARS>>' and (313>yk_counter or (313=yk_counter and 0>yk_use))
          3 Query   SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
          3 Query   INSERT INTO yubikeys (active,created,modified,yk_counter,yk_use,yk_low,yk_high,nonce,notes) VALUES ('1','1461365856','-1','-1','-1','-1','-1','0000000000000000','')
          3 Query   SELECT * FROM yubikeys WHERE yk_publicname is NULL LIMIT 1
          3 Query   DELETE FROM queue WHERE modified = '' and server_nonce = '' and server = ''


And these are coming in every second even if the bogus entry is there. Any workaround for CentOS and git?


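As an added illustration (not code from the thread or from yubikey-val itself), here is a small Python model of the two checks visible in the posts above: the counter ordering that the UPDATE guard in the MySQL log applies (newer counter, or same counter with a higher use count), and the empty-yk_publicname guard whose absence the bogus yubikeys row shows. Field names come from the queue 'info' column; the sample public name, counters and nonce are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed sample 'info' value shaped like the queue rows in the thread
# (public name, counters and nonce are placeholders, not real values).
SAMPLE_INFO = ("yk_publicname=ccccccbcdefg&yk_counter=50&yk_use=0&yk_high=169"
               "&yk_low=788&nonce=0123456789abcdef,local_counter=49&local_use=0")

# YubiKey public names are modhex; an empty name must never reach the DB.
MODHEX_NAME = re.compile(r"[cbdefghijklnrtuv]{1,16}")


def parse_sync_info(info):
    """Split an 'info' value into the OTP params and the local counters.

    The two halves are separated by a comma; each half is a query string.
    """
    otp_part, _, local_part = info.partition(",")
    otp = {k: v[0] for k, v in parse_qs(otp_part, keep_blank_values=True).items()}
    local = {k: v[0] for k, v in parse_qs(local_part, keep_blank_values=True).items()}
    return otp, local


def counters_newer(a_counter, a_use, b_counter, b_use):
    """True if (a_counter, a_use) is strictly ahead of (b_counter, b_use).

    Same ordering as the SQL guard: a>b or (a=b and a_use>b_use).
    """
    return (a_counter, a_use) > (b_counter, b_use)


def classify(info, db_counter, db_use):
    """Decide what a sync receiver should do with one queue entry.

    db_counter/db_use are the receiver's stored counters for the key.
    Outcomes are modelled on the synclib log lines quoted in the thread.
    """
    otp, local = parse_sync_info(info)
    name = otp.get("yk_publicname", "")
    # Guard against the bug shown in the thread: an empty public name
    # was inserted as a bogus row. Reject instead of touching the DB.
    if not MODHEX_NAME.fullmatch(name):
        return "reject: empty or malformed yk_publicname"
    otp_c, otp_u = int(otp["yk_counter"]), int(otp["yk_use"])
    loc_c, loc_u = int(local["local_counter"]), int(local["local_use"])
    if not counters_newer(otp_c, otp_u, db_counter, db_use):
        return "OTP not newer than stored counters: would mark invalid"
    if counters_newer(db_counter, db_use, loc_c, loc_u):
        return "local out of sync vs counters at request time"
    return "ok: update to (%d,%d)" % (otp_c, otp_u)
```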
PostPosted: Tue May 03, 2016 5:50 pm 

Joined: Tue Apr 19, 2016 6:43 pm
Posts: 3
Just to close the loop, new git version of synclib fixes this issue.

