Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:55 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Fri Oct 15, 2010 10:32 pm 
Offline

Joined: Fri Oct 15, 2010 10:07 pm
Posts: 2
Hello,
I've spent the last day or so setting up a test environment in which I have created a validation server, ksm server and configured a couple debian boxes to use two factor authentication to our own servers. We are interested in managing our own keys and validation and will have need for redundancy. I've managed to reprogram the second slot on the yubikey I'm testing with and successfully import the keys to the KSM server. Things are great...so here comes some questions for which I have not been able to find any answers:
1. How do you set up a server to use multiple validation endpoints for authentication? I'm using the the pam_yubico.so module in the sshd config. I've gotten the two-factor authentication working just fine. I've tried adding multiple references to this module using different urls, but ultimately this will not work if both are set to "required". (Eventually I'm going make this module required in addition to the standard password for two factor it's in sufficient status just for testing.) Here's the line in /etc/pam.d/sshd
Code:
auth sufficient pam_yubico.so id=1 authfile=/etc/.yubikey_mappings url=http://myserver.com/wsapi/2.0/verify?id=%d&nonce=ajighnguemciwjnghiuejd&otp=%s debug

2. I'd like to test the https side of things on the validation server, but I think I'm running into certificate trust issues on the request coming from the server I'm trying to authenticate from because I'm using a locally issued certificate. Is there a way around this during testing?
3. Is there a sync process for KSM servers like there is for the validation servers? Or what is the correct process to keep the key servers synchronized? Just import the same keys to each?

I hope my questions make sense and I'm not being too much of a dimwit.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Oct 20, 2010 4:04 am 
Offline

Joined: Fri Oct 15, 2010 10:07 pm
Posts: 2
Upon further review, I'm gonna go ahead and answer my own questions...
1. I think I'll have to put a load balancer of some sort in front of the validators. If you were writing your own authentication module you could build in the failovers I suppose, but I'm not.
2. Not worth the trouble. I'll just run on http until I get my house in order and then get a commercial certificate.
3. The answer is no. I did find another article on Yubico indicating that you need to copy the keys manually between KSM's.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group